Edit tour

Windows Analysis Report
b6AGgIJ87g.exe

Overview

General Information

Sample name:	b6AGgIJ87g.exe renamed because original name is a hash value
Original sample name:	03da1152cc2fc2bcfafc441c76ddcda09e4df84adb27bda9b267694b4a840cf7.exe
Analysis ID:	1588941
MD5:	04a2cce147e8b29d89ef24af80d493ce
SHA1:	5e24a62c496a9726bb924c1bb0f3b5e33963b0c6
SHA256:	03da1152cc2fc2bcfafc441c76ddcda09e4df84adb27bda9b267694b4a840cf7
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected Snake Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

b6AGgIJ87g.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\b6AGgIJ87g.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\b6AGgIJ87g.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

RegSvcs.exe (PID: 7500 cmdline: "C:\Users\user\Desktop\b6AGgIJ87g.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cmd.exe (PID: 7668 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 7720 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

wscript.exe (PID: 7800 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biopsies.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

biopsies.exe (PID: 7872 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 7944 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 8028 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 8048 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 8064 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 8096 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 8124 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 8140 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 8168 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 7172 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 7196 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 3004 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 2308 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 3548 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 5448 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 2800 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 7332 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 3320 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 4444 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 7300 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 1696 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 4852 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 6488 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 744 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 5228 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 7592 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 4324 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 2536 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 1436 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 2588 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 7516 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

biopsies.exe (PID: 7616 cmdline: "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe" MD5: 04A2CCE147E8B29D89EF24AF80D493CE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7767004773:AAG_mBqrFYZNr81F28ktwLAJ3brPq5BTRzg/sendMessage?chat_id=1217600190", "Token": "7767004773:AAG_mBqrFYZNr81F28ktwLAJ3brPq5BTRzg", "Chat_id": "1217600190", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
00000002.00000002.1838731692.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1838731692.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.1838731692.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a35:$a1: get_encryptedPassword 0x14d21:$a2: get_encryptedUsername 0x14841:$a3: get_timePasswordChanged 0x1493c:$a4: get_passwordField 0x14a4b:$a5: set_encryptedPassword 0x160f7:$a7: get_logins 0x1605a:$a10: KeyLoggerEventArgs 0x15cc5:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.1838731692.0000000000402000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x199e0:$x1: $%SMTPDV$ 0x183c4:$x2: $#TheHashHere%& 0x19988:$x3: %FTPDV$ 0x18364:$x4: $%TelegramDv$ 0x15cc5:$x5: KeyLoggerEventArgs 0x1605a:$x5: KeyLoggerEventArgs 0x199ac:$m2: Clipboard Logs ID 0x19bea:$m2: Screenshot Logs ID 0x19cfa:$m2: keystroke Logs ID 0x19fd4:$m3: SnakePW 0x19bc2:$m4: \SnakeKeylogger\
00000002.00000002.1840357737.0000000002C31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
00000002.00000002.1840357737.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
Process Memory Space: biopsies.exe PID: 7480	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: biopsies.exe PID: 7480	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: biopsies.exe PID: 7480	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7a26d9:$a1: get_encryptedPassword 0x7a29bb:$a2: get_encryptedUsername 0x7a24ef:$a3: get_timePasswordChanged 0x7a25ea:$a4: get_passwordField 0x7a26ef:$a5: set_encryptedPassword 0x7a4bc5:$a7: get_logins 0x7a4b28:$a10: KeyLoggerEventArgs 0x7a4793:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: biopsies.exe PID: 7480	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x7a4793:$x5: KeyLoggerEventArgs 0x7a4b28:$x5: KeyLoggerEventArgs 0x7a542f:$x5: KeyLoggerEventArgs 0x7a5790:$x5: KeyLoggerEventArgs 0x7a6d53:$m2: Clipboard Logs ID 0x7a6e59:$m2: Screenshot Logs ID 0x7a6eaf:$m2: keystroke Logs ID 0x7a6fe4:$m3: SnakePW 0x7a6e45:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 7500	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7500	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7500	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xad6c:$a1: get_encryptedPassword 0xb04e:$a2: get_encryptedUsername 0xab82:$a3: get_timePasswordChanged 0xac7d:$a4: get_passwordField 0xad82:$a5: set_encryptedPassword 0xd258:$a7: get_logins 0xd1bb:$a10: KeyLoggerEventArgs 0xce26:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7500	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xce26:$x5: KeyLoggerEventArgs 0xd1bb:$x5: KeyLoggerEventArgs 0xdac2:$x5: KeyLoggerEventArgs 0xde23:$x5: KeyLoggerEventArgs 0xf3e6:$m2: Clipboard Logs ID 0xf4ec:$m2: Screenshot Logs ID 0xf542:$m2: keystroke Logs ID 0xf677:$m3: SnakePW 0xf4d8:$m4: \SnakeKeylogger\
Process Memory Space: biopsies.exe PID: 7872	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: biopsies.exe PID: 7872	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: biopsies.exe PID: 7872	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb155e5:$a1: get_encryptedPassword 0xb158c7:$a2: get_encryptedUsername 0xb153fb:$a3: get_timePasswordChanged 0xb154f6:$a4: get_passwordField 0xb155fb:$a5: set_encryptedPassword 0xb17ad1:$a7: get_logins 0xb17a34:$a10: KeyLoggerEventArgs 0xb1769f:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: biopsies.exe PID: 7872	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xb1769f:$x5: KeyLoggerEventArgs 0xb17a34:$x5: KeyLoggerEventArgs 0xb1833b:$x5: KeyLoggerEventArgs 0xb1869c:$x5: KeyLoggerEventArgs 0xb19c5f:$m2: Clipboard Logs ID 0xb19d65:$m2: Screenshot Logs ID 0xb19dbb:$m2: keystroke Logs ID 0xb19ef0:$m3: SnakePW 0xb19d51:$m4: \SnakeKeylogger\
Process Memory Space: biopsies.exe PID: 7944	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: biopsies.exe PID: 7944	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: biopsies.exe PID: 7944	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf045ef:$a1: get_encryptedPassword 0xf048d1:$a2: get_encryptedUsername 0xf04405:$a3: get_timePasswordChanged 0xf04500:$a4: get_passwordField 0xf04605:$a5: set_encryptedPassword 0xf06adb:$a7: get_logins 0xf06a3e:$a10: KeyLoggerEventArgs 0xf066a9:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: biopsies.exe PID: 7944	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf066a9:$x5: KeyLoggerEventArgs 0xf06a3e:$x5: KeyLoggerEventArgs 0xf07345:$x5: KeyLoggerEventArgs 0xf076a6:$x5: KeyLoggerEventArgs 0xf08c69:$m2: Clipboard Logs ID 0xf08d6f:$m2: Screenshot Logs ID 0xf08dc5:$m2: keystroke Logs ID 0xf08efa:$m3: SnakePW 0xf08d5b:$m4: \SnakeKeylogger\
Process Memory Space: biopsies.exe PID: 8028	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: biopsies.exe PID: 8028	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: biopsies.exe PID: 8028	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xac84cb:$a1: get_encryptedPassword 0xac87ad:$a2: get_encryptedUsername 0xac82e1:$a3: get_timePasswordChanged 0xac83dc:$a4: get_passwordField 0xac84e1:$a5: set_encryptedPassword 0xaca9b7:$a7: get_logins 0xaca91a:$a10: KeyLoggerEventArgs 0xaca585:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: biopsies.exe PID: 8028	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xaca585:$x5: KeyLoggerEventArgs 0xaca91a:$x5: KeyLoggerEventArgs 0xacb221:$x5: KeyLoggerEventArgs 0xacb582:$x5: KeyLoggerEventArgs 0xaccb45:$m2: Clipboard Logs ID 0xaccc4b:$m2: Screenshot Logs ID 0xaccca1:$m2: keystroke Logs ID 0xaccdd6:$m3: SnakePW 0xaccc37:$m4: \SnakeKeylogger\
Process Memory Space: biopsies.exe PID: 8048	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: biopsies.exe PID: 8048	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: biopsies.exe PID: 8048	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a984f:$a1: get_encryptedPassword 0x1a9b31:$a2: get_encryptedUsername 0x1a9665:$a3: get_timePasswordChanged 0x1a9760:$a4: get_passwordField 0x1a9865:$a5: set_encryptedPassword 0x1abd3b:$a7: get_logins 0x1abc9e:$a10: KeyLoggerEventArgs 0x1ab909:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: biopsies.exe PID: 8048	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1ab909:$x5: KeyLoggerEventArgs 0x1abc9e:$x5: KeyLoggerEventArgs 0x1ac5a5:$x5: KeyLoggerEventArgs 0x1ac906:$x5: KeyLoggerEventArgs 0x1adec9:$m2: Clipboard Logs ID 0x1adfcf:$m2: Screenshot Logs ID 0x1ae025:$m2: keystroke Logs ID 0x1ae15a:$m3: SnakePW 0x1adfbb:$m4: \SnakeKeylogger\
Process Memory Space: biopsies.exe PID: 8064	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: biopsies.exe PID: 8064	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: biopsies.exe PID: 8064	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7487e3:$a1: get_encryptedPassword 0x748ac5:$a2: get_encryptedUsername 0x7485f9:$a3: get_timePasswordChanged 0x7486f4:$a4: get_passwordField 0x7487f9:$a5: set_encryptedPassword 0x74accf:$a7: get_logins 0x74ac32:$a10: KeyLoggerEventArgs 0x74a89d:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: biopsies.exe PID: 8064	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x74a89d:$x5: KeyLoggerEventArgs 0x74ac32:$x5: KeyLoggerEventArgs 0x74b539:$x5: KeyLoggerEventArgs 0x74b89a:$x5: KeyLoggerEventArgs 0x74ce5d:$m2: Clipboard Logs ID 0x74cf63:$m2: Screenshot Logs ID 0x74cfb9:$m2: keystroke Logs ID 0x74d0ee:$m3: SnakePW 0x74cf4f:$m4: \SnakeKeylogger\
Process Memory Space: biopsies.exe PID: 8096	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: biopsies.exe PID: 8096	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: biopsies.exe PID: 8096	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x83b5b7:$a1: get_encryptedPassword 0x83b899:$a2: get_encryptedUsername 0x83b3cd:$a3: get_timePasswordChanged 0x83b4c8:$a4: get_passwordField 0x83b5cd:$a5: set_encryptedPassword 0x83daa3:$a7: get_logins 0x83da06:$a10: KeyLoggerEventArgs 0x83d671:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: biopsies.exe PID: 8096	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x83d671:$x5: KeyLoggerEventArgs 0x83da06:$x5: KeyLoggerEventArgs 0x83e30d:$x5: KeyLoggerEventArgs 0x83e66e:$x5: KeyLoggerEventArgs 0x83fc31:$m2: Clipboard Logs ID 0x83fd37:$m2: Screenshot Logs ID 0x83fd8d:$m2: keystroke Logs ID 0x83fec2:$m3: SnakePW 0x83fd23:$m4: \SnakeKeylogger\
Process Memory Space: biopsies.exe PID: 8124	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: biopsies.exe PID: 8124	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: biopsies.exe PID: 8124	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x31c77:$a1: get_encryptedPassword 0x31f59:$a2: get_encryptedUsername 0x31a8d:$a3: get_timePasswordChanged 0x31b88:$a4: get_passwordField 0x31c8d:$a5: set_encryptedPassword 0x34163:$a7: get_logins 0x340c6:$a10: KeyLoggerEventArgs 0x33d31:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: biopsies.exe PID: 8124	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x33d31:$x5: KeyLoggerEventArgs 0x340c6:$x5: KeyLoggerEventArgs 0x349cd:$x5: KeyLoggerEventArgs 0x34d2e:$x5: KeyLoggerEventArgs 0x362f1:$m2: Clipboard Logs ID 0x363f7:$m2: Screenshot Logs ID 0x3644d:$m2: keystroke Logs ID 0x36582:$m3: SnakePW 0x363e3:$m4: \SnakeKeylogger\
Process Memory Space: biopsies.exe PID: 8140	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: biopsies.exe PID: 8140	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: biopsies.exe PID: 8140	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfbe007:$a1: get_encryptedPassword 0xfbe2e9:$a2: get_encryptedUsername 0xfbde1d:$a3: get_timePasswordChanged 0xfbdf18:$a4: get_passwordField 0xfbe01d:$a5: set_encryptedPassword 0xfc04f3:$a7: get_logins 0xfc0456:$a10: KeyLoggerEventArgs 0xfc00c1:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: biopsies.exe PID: 8140	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xfc00c1:$x5: KeyLoggerEventArgs 0xfc0456:$x5: KeyLoggerEventArgs 0xfc0d5d:$x5: KeyLoggerEventArgs 0xfc10be:$x5: KeyLoggerEventArgs 0xfc2681:$m2: Clipboard Logs ID 0xfc2787:$m2: Screenshot Logs ID 0xfc27dd:$m2: keystroke Logs ID 0xfc2912:$m3: SnakePW 0xfc2773:$m4: \SnakeKeylogger\
Process Memory Space: biopsies.exe PID: 8168	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: biopsies.exe PID: 8168	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: biopsies.exe PID: 8168	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x8cd992:$a1: get_encryptedPassword 0x8cdc74:$a2: get_encryptedUsername 0x8cd7a8:$a3: get_timePasswordChanged 0x8cd8a3:$a4: get_passwordField 0x8cd9a8:$a5: set_encryptedPassword 0x8cfe7e:$a7: get_logins 0x8cfde1:$a10: KeyLoggerEventArgs 0x8cfa4c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: biopsies.exe PID: 8168	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x8cfa4c:$x5: KeyLoggerEventArgs 0x8cfde1:$x5: KeyLoggerEventArgs 0x8d06e8:$x5: KeyLoggerEventArgs 0x8d0a49:$x5: KeyLoggerEventArgs 0x8d200c:$m2: Clipboard Logs ID 0x8d2112:$m2: Screenshot Logs ID 0x8d2168:$m2: keystroke Logs ID 0x8d229d:$m3: SnakePW 0x8d20fe:$m4: \SnakeKeylogger\
Process Memory Space: biopsies.exe PID: 7172	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: biopsies.exe PID: 7172	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: biopsies.exe PID: 7172	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6ca7c2:$a1: get_encryptedPassword 0x6caaa4:$a2: get_encryptedUsername 0x6ca5d8:$a3: get_timePasswordChanged 0x6ca6d3:$a4: get_passwordField 0x6ca7d8:$a5: set_encryptedPassword 0x6cccae:$a7: get_logins 0x6ccc11:$a10: KeyLoggerEventArgs 0x6cc87c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: biopsies.exe PID: 7172	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x6cc87c:$x5: KeyLoggerEventArgs 0x6ccc11:$x5: KeyLoggerEventArgs 0x6cd518:$x5: KeyLoggerEventArgs 0x6cd879:$x5: KeyLoggerEventArgs 0x6cee3c:$m2: Clipboard Logs ID 0x6cef42:$m2: Screenshot Logs ID 0x6cef98:$m2: keystroke Logs ID 0x6cf0cd:$m3: SnakePW 0x6cef2e:$m4: \SnakeKeylogger\
Click to see the 126 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
19.2.biopsies.exe.e80000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.biopsies.exe.e80000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
19.2.biopsies.exe.e80000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
19.2.biopsies.exe.e80000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
19.2.biopsies.exe.e80000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
19.2.biopsies.exe.e80000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
19.2.biopsies.exe.e80000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
12.2.biopsies.exe.9d0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.biopsies.exe.9d0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.biopsies.exe.9d0000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.2.biopsies.exe.9d0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
12.2.biopsies.exe.9d0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
12.2.biopsies.exe.9d0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
12.2.biopsies.exe.9d0000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
16.2.biopsies.exe.18e0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.biopsies.exe.18e0000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
16.2.biopsies.exe.18e0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12e35:$a1: get_encryptedPassword 0x13121:$a2: get_encryptedUsername 0x12c41:$a3: get_timePasswordChanged 0x12d3c:$a4: get_passwordField 0x12e4b:$a5: set_encryptedPassword 0x144f7:$a7: get_logins 0x1445a:$a10: KeyLoggerEventArgs 0x140c5:$a11: KeyLoggerEventArgsEventHandler
16.2.biopsies.exe.18e0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a7b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x199e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e17:$a4: \Orbitum\User Data\Default\Login Data 0x1ae56:$a5: \Kometa\User Data\Default\Login Data
16.2.biopsies.exe.18e0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13a32:$s1: UnHook 0x13a39:$s2: SetHook 0x13a41:$s3: CallNextHook 0x13a4e:$s4: _hook
16.2.biopsies.exe.18e0000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17de0:$x1: $%SMTPDV$ 0x167c4:$x2: $#TheHashHere%& 0x17d88:$x3: %FTPDV$ 0x16764:$x4: $%TelegramDv$ 0x140c5:$x5: KeyLoggerEventArgs 0x1445a:$x5: KeyLoggerEventArgs 0x17dac:$m2: Clipboard Logs ID 0x17fea:$m2: Screenshot Logs ID 0x180fa:$m2: keystroke Logs ID 0x183d4:$m3: SnakePW 0x17fc2:$m4: \SnakeKeylogger\
9.2.biopsies.exe.1100000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.biopsies.exe.1100000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.biopsies.exe.1100000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.biopsies.exe.1100000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
9.2.biopsies.exe.1100000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
9.2.biopsies.exe.1100000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
9.2.biopsies.exe.1100000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
9.2.biopsies.exe.1100000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.biopsies.exe.1100000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.biopsies.exe.1100000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12e35:$a1: get_encryptedPassword 0x13121:$a2: get_encryptedUsername 0x12c41:$a3: get_timePasswordChanged 0x12d3c:$a4: get_passwordField 0x12e4b:$a5: set_encryptedPassword 0x144f7:$a7: get_logins 0x1445a:$a10: KeyLoggerEventArgs 0x140c5:$a11: KeyLoggerEventArgsEventHandler
9.2.biopsies.exe.1100000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a7b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x199e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e17:$a4: \Orbitum\User Data\Default\Login Data 0x1ae56:$a5: \Kometa\User Data\Default\Login Data
9.2.biopsies.exe.1100000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13a32:$s1: UnHook 0x13a39:$s2: SetHook 0x13a41:$s3: CallNextHook 0x13a4e:$s4: _hook
9.2.biopsies.exe.1100000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17de0:$x1: $%SMTPDV$ 0x167c4:$x2: $#TheHashHere%& 0x17d88:$x3: %FTPDV$ 0x16764:$x4: $%TelegramDv$ 0x140c5:$x5: KeyLoggerEventArgs 0x1445a:$x5: KeyLoggerEventArgs 0x17dac:$m2: Clipboard Logs ID 0x17fea:$m2: Screenshot Logs ID 0x180fa:$m2: keystroke Logs ID 0x183d4:$m3: SnakePW 0x17fc2:$m4: \SnakeKeylogger\
13.2.biopsies.exe.1f10000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.biopsies.exe.1f10000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
13.2.biopsies.exe.1f10000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12e35:$a1: get_encryptedPassword 0x13121:$a2: get_encryptedUsername 0x12c41:$a3: get_timePasswordChanged 0x12d3c:$a4: get_passwordField 0x12e4b:$a5: set_encryptedPassword 0x144f7:$a7: get_logins 0x1445a:$a10: KeyLoggerEventArgs 0x140c5:$a11: KeyLoggerEventArgsEventHandler
13.2.biopsies.exe.1f10000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a7b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x199e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e17:$a4: \Orbitum\User Data\Default\Login Data 0x1ae56:$a5: \Kometa\User Data\Default\Login Data
13.2.biopsies.exe.1f10000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.biopsies.exe.1f10000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
13.2.biopsies.exe.1f10000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
13.2.biopsies.exe.1f10000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
8.2.biopsies.exe.3eb0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.biopsies.exe.3eb0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
13.2.biopsies.exe.1f10000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13a32:$s1: UnHook 0x13a39:$s2: SetHook 0x13a41:$s3: CallNextHook 0x13a4e:$s4: _hook
8.2.biopsies.exe.3eb0000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
8.2.biopsies.exe.3eb0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
13.2.biopsies.exe.1f10000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17de0:$x1: $%SMTPDV$ 0x167c4:$x2: $#TheHashHere%& 0x17d88:$x3: %FTPDV$ 0x16764:$x4: $%TelegramDv$ 0x140c5:$x5: KeyLoggerEventArgs 0x1445a:$x5: KeyLoggerEventArgs 0x17dac:$m2: Clipboard Logs ID 0x17fea:$m2: Screenshot Logs ID 0x180fa:$m2: keystroke Logs ID 0x183d4:$m3: SnakePW 0x17fc2:$m4: \SnakeKeylogger\
8.2.biopsies.exe.3eb0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
8.2.biopsies.exe.3eb0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
8.2.biopsies.exe.3eb0000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
13.2.biopsies.exe.1f10000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
13.2.biopsies.exe.1f10000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
13.2.biopsies.exe.1f10000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
14.2.biopsies.exe.e30000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.biopsies.exe.e30000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
14.2.biopsies.exe.e30000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12e35:$a1: get_encryptedPassword 0x13121:$a2: get_encryptedUsername 0x12c41:$a3: get_timePasswordChanged 0x12d3c:$a4: get_passwordField 0x12e4b:$a5: set_encryptedPassword 0x144f7:$a7: get_logins 0x1445a:$a10: KeyLoggerEventArgs 0x140c5:$a11: KeyLoggerEventArgsEventHandler
14.2.biopsies.exe.e30000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a7b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x199e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e17:$a4: \Orbitum\User Data\Default\Login Data 0x1ae56:$a5: \Kometa\User Data\Default\Login Data
14.2.biopsies.exe.e30000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13a32:$s1: UnHook 0x13a39:$s2: SetHook 0x13a41:$s3: CallNextHook 0x13a4e:$s4: _hook
14.2.biopsies.exe.e30000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17de0:$x1: $%SMTPDV$ 0x167c4:$x2: $#TheHashHere%& 0x17d88:$x3: %FTPDV$ 0x16764:$x4: $%TelegramDv$ 0x140c5:$x5: KeyLoggerEventArgs 0x1445a:$x5: KeyLoggerEventArgs 0x17dac:$m2: Clipboard Logs ID 0x17fea:$m2: Screenshot Logs ID 0x180fa:$m2: keystroke Logs ID 0x183d4:$m3: SnakePW 0x17fc2:$m4: \SnakeKeylogger\
17.2.biopsies.exe.3ec0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.biopsies.exe.3ec0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.biopsies.exe.3ec0000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
17.2.biopsies.exe.3ec0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
17.2.biopsies.exe.3ec0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
17.2.biopsies.exe.3ec0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
17.2.biopsies.exe.3ec0000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
18.2.biopsies.exe.1070000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
18.2.biopsies.exe.1070000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
18.2.biopsies.exe.1070000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12e35:$a1: get_encryptedPassword 0x13121:$a2: get_encryptedUsername 0x12c41:$a3: get_timePasswordChanged 0x12d3c:$a4: get_passwordField 0x12e4b:$a5: set_encryptedPassword 0x144f7:$a7: get_logins 0x1445a:$a10: KeyLoggerEventArgs 0x140c5:$a11: KeyLoggerEventArgsEventHandler
18.2.biopsies.exe.1070000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a7b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x199e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e17:$a4: \Orbitum\User Data\Default\Login Data 0x1ae56:$a5: \Kometa\User Data\Default\Login Data
18.2.biopsies.exe.1070000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13a32:$s1: UnHook 0x13a39:$s2: SetHook 0x13a41:$s3: CallNextHook 0x13a4e:$s4: _hook
18.2.biopsies.exe.1070000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17de0:$x1: $%SMTPDV$ 0x167c4:$x2: $#TheHashHere%& 0x17d88:$x3: %FTPDV$ 0x16764:$x4: $%TelegramDv$ 0x140c5:$x5: KeyLoggerEventArgs 0x1445a:$x5: KeyLoggerEventArgs 0x17dac:$m2: Clipboard Logs ID 0x17fea:$m2: Screenshot Logs ID 0x180fa:$m2: keystroke Logs ID 0x183d4:$m3: SnakePW 0x17fc2:$m4: \SnakeKeylogger\
1.2.biopsies.exe.f50000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.biopsies.exe.f50000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.biopsies.exe.f50000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.biopsies.exe.f50000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
1.2.biopsies.exe.f50000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
1.2.biopsies.exe.f50000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
1.2.biopsies.exe.f50000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
19.2.biopsies.exe.e80000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.biopsies.exe.e80000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
19.2.biopsies.exe.e80000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12e35:$a1: get_encryptedPassword 0x13121:$a2: get_encryptedUsername 0x12c41:$a3: get_timePasswordChanged 0x12d3c:$a4: get_passwordField 0x12e4b:$a5: set_encryptedPassword 0x144f7:$a7: get_logins 0x1445a:$a10: KeyLoggerEventArgs 0x140c5:$a11: KeyLoggerEventArgsEventHandler
19.2.biopsies.exe.e80000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a7b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x199e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e17:$a4: \Orbitum\User Data\Default\Login Data 0x1ae56:$a5: \Kometa\User Data\Default\Login Data
19.2.biopsies.exe.e80000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13a32:$s1: UnHook 0x13a39:$s2: SetHook 0x13a41:$s3: CallNextHook 0x13a4e:$s4: _hook
19.2.biopsies.exe.e80000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17de0:$x1: $%SMTPDV$ 0x167c4:$x2: $#TheHashHere%& 0x17d88:$x3: %FTPDV$ 0x16764:$x4: $%TelegramDv$ 0x140c5:$x5: KeyLoggerEventArgs 0x1445a:$x5: KeyLoggerEventArgs 0x17dac:$m2: Clipboard Logs ID 0x17fea:$m2: Screenshot Logs ID 0x180fa:$m2: keystroke Logs ID 0x183d4:$m3: SnakePW 0x17fc2:$m4: \SnakeKeylogger\
8.2.biopsies.exe.3eb0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.biopsies.exe.3eb0000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
8.2.biopsies.exe.3eb0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12e35:$a1: get_encryptedPassword 0x13121:$a2: get_encryptedUsername 0x12c41:$a3: get_timePasswordChanged 0x12d3c:$a4: get_passwordField 0x12e4b:$a5: set_encryptedPassword 0x144f7:$a7: get_logins 0x1445a:$a10: KeyLoggerEventArgs 0x140c5:$a11: KeyLoggerEventArgsEventHandler
8.2.biopsies.exe.3eb0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a7b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x199e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e17:$a4: \Orbitum\User Data\Default\Login Data 0x1ae56:$a5: \Kometa\User Data\Default\Login Data
8.2.biopsies.exe.3eb0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13a32:$s1: UnHook 0x13a39:$s2: SetHook 0x13a41:$s3: CallNextHook 0x13a4e:$s4: _hook
8.2.biopsies.exe.3eb0000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17de0:$x1: $%SMTPDV$ 0x167c4:$x2: $#TheHashHere%& 0x17d88:$x3: %FTPDV$ 0x16764:$x4: $%TelegramDv$ 0x140c5:$x5: KeyLoggerEventArgs 0x1445a:$x5: KeyLoggerEventArgs 0x17dac:$m2: Clipboard Logs ID 0x17fea:$m2: Screenshot Logs ID 0x180fa:$m2: keystroke Logs ID 0x183d4:$m3: SnakePW 0x17fc2:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
2.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
1.2.biopsies.exe.f50000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.biopsies.exe.f50000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.biopsies.exe.f50000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12e35:$a1: get_encryptedPassword 0x13121:$a2: get_encryptedUsername 0x12c41:$a3: get_timePasswordChanged 0x12d3c:$a4: get_passwordField 0x12e4b:$a5: set_encryptedPassword 0x144f7:$a7: get_logins 0x1445a:$a10: KeyLoggerEventArgs 0x140c5:$a11: KeyLoggerEventArgsEventHandler
1.2.biopsies.exe.f50000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a7b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x199e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e17:$a4: \Orbitum\User Data\Default\Login Data 0x1ae56:$a5: \Kometa\User Data\Default\Login Data
1.2.biopsies.exe.f50000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13a32:$s1: UnHook 0x13a39:$s2: SetHook 0x13a41:$s3: CallNextHook 0x13a4e:$s4: _hook
1.2.biopsies.exe.f50000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17de0:$x1: $%SMTPDV$ 0x167c4:$x2: $#TheHashHere%& 0x17d88:$x3: %FTPDV$ 0x16764:$x4: $%TelegramDv$ 0x140c5:$x5: KeyLoggerEventArgs 0x1445a:$x5: KeyLoggerEventArgs 0x17dac:$m2: Clipboard Logs ID 0x17fea:$m2: Screenshot Logs ID 0x180fa:$m2: keystroke Logs ID 0x183d4:$m3: SnakePW 0x17fc2:$m4: \SnakeKeylogger\
18.2.biopsies.exe.1070000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
18.2.biopsies.exe.1070000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
18.2.biopsies.exe.1070000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
18.2.biopsies.exe.1070000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
18.2.biopsies.exe.1070000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
18.2.biopsies.exe.1070000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
18.2.biopsies.exe.1070000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
16.2.biopsies.exe.18e0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.biopsies.exe.18e0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.2.biopsies.exe.18e0000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
16.2.biopsies.exe.18e0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
16.2.biopsies.exe.18e0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
16.2.biopsies.exe.18e0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
16.2.biopsies.exe.18e0000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
14.2.biopsies.exe.e30000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.biopsies.exe.e30000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.biopsies.exe.e30000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
14.2.biopsies.exe.e30000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
14.2.biopsies.exe.e30000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
14.2.biopsies.exe.e30000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
14.2.biopsies.exe.e30000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
17.2.biopsies.exe.3ec0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.biopsies.exe.3ec0000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
17.2.biopsies.exe.3ec0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12e35:$a1: get_encryptedPassword 0x13121:$a2: get_encryptedUsername 0x12c41:$a3: get_timePasswordChanged 0x12d3c:$a4: get_passwordField 0x12e4b:$a5: set_encryptedPassword 0x144f7:$a7: get_logins 0x1445a:$a10: KeyLoggerEventArgs 0x140c5:$a11: KeyLoggerEventArgsEventHandler
17.2.biopsies.exe.3ec0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a7b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x199e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e17:$a4: \Orbitum\User Data\Default\Login Data 0x1ae56:$a5: \Kometa\User Data\Default\Login Data
17.2.biopsies.exe.3ec0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13a32:$s1: UnHook 0x13a39:$s2: SetHook 0x13a41:$s3: CallNextHook 0x13a4e:$s4: _hook
17.2.biopsies.exe.3ec0000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17de0:$x1: $%SMTPDV$ 0x167c4:$x2: $#TheHashHere%& 0x17d88:$x3: %FTPDV$ 0x16764:$x4: $%TelegramDv$ 0x140c5:$x5: KeyLoggerEventArgs 0x1445a:$x5: KeyLoggerEventArgs 0x17dac:$m2: Clipboard Logs ID 0x17fea:$m2: Screenshot Logs ID 0x180fa:$m2: keystroke Logs ID 0x183d4:$m3: SnakePW 0x17fc2:$m4: \SnakeKeylogger\
15.2.biopsies.exe.11f0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.biopsies.exe.11f0000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
15.2.biopsies.exe.11f0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12e35:$a1: get_encryptedPassword 0x13121:$a2: get_encryptedUsername 0x12c41:$a3: get_timePasswordChanged 0x12d3c:$a4: get_passwordField 0x12e4b:$a5: set_encryptedPassword 0x144f7:$a7: get_logins 0x1445a:$a10: KeyLoggerEventArgs 0x140c5:$a11: KeyLoggerEventArgsEventHandler
15.2.biopsies.exe.11f0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a7b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x199e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e17:$a4: \Orbitum\User Data\Default\Login Data 0x1ae56:$a5: \Kometa\User Data\Default\Login Data
15.2.biopsies.exe.11f0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13a32:$s1: UnHook 0x13a39:$s2: SetHook 0x13a41:$s3: CallNextHook 0x13a4e:$s4: _hook
15.2.biopsies.exe.11f0000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17de0:$x1: $%SMTPDV$ 0x167c4:$x2: $#TheHashHere%& 0x17d88:$x3: %FTPDV$ 0x16764:$x4: $%TelegramDv$ 0x140c5:$x5: KeyLoggerEventArgs 0x1445a:$x5: KeyLoggerEventArgs 0x17dac:$m2: Clipboard Logs ID 0x17fea:$m2: Screenshot Logs ID 0x180fa:$m2: keystroke Logs ID 0x183d4:$m3: SnakePW 0x17fc2:$m4: \SnakeKeylogger\
15.2.biopsies.exe.11f0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.biopsies.exe.11f0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.biopsies.exe.11f0000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
15.2.biopsies.exe.11f0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
15.2.biopsies.exe.11f0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
15.2.biopsies.exe.11f0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
15.2.biopsies.exe.11f0000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
12.2.biopsies.exe.9d0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.biopsies.exe.9d0000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.2.biopsies.exe.9d0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12e35:$a1: get_encryptedPassword 0x13121:$a2: get_encryptedUsername 0x12c41:$a3: get_timePasswordChanged 0x12d3c:$a4: get_passwordField 0x12e4b:$a5: set_encryptedPassword 0x144f7:$a7: get_logins 0x1445a:$a10: KeyLoggerEventArgs 0x140c5:$a11: KeyLoggerEventArgsEventHandler
12.2.biopsies.exe.9d0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a7b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x199e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e17:$a4: \Orbitum\User Data\Default\Login Data 0x1ae56:$a5: \Kometa\User Data\Default\Login Data
12.2.biopsies.exe.9d0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13a32:$s1: UnHook 0x13a39:$s2: SetHook 0x13a41:$s3: CallNextHook 0x13a4e:$s4: _hook
12.2.biopsies.exe.9d0000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17de0:$x1: $%SMTPDV$ 0x167c4:$x2: $#TheHashHere%& 0x17d88:$x3: %FTPDV$ 0x16764:$x4: $%TelegramDv$ 0x140c5:$x5: KeyLoggerEventArgs 0x1445a:$x5: KeyLoggerEventArgs 0x17dac:$m2: Clipboard Logs ID 0x17fea:$m2: Screenshot Logs ID 0x180fa:$m2: keystroke Logs ID 0x183d4:$m3: SnakePW 0x17fc2:$m4: \SnakeKeylogger\
Click to see the 145 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biopsies.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biopsies.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biopsies.vbs" , ProcessId: 7800, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biopsies.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biopsies.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biopsies.vbs" , ProcessId: 7800, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe, ProcessId: 7480, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biopsies.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T07:27:05.094000+0100	2803305	3	Unknown Traffic	192.168.2.4	49732	104.21.80.1	443	TCP
2025-01-11T07:27:10.892364+0100	2803305	3	Unknown Traffic	192.168.2.4	49742	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T07:27:03.608558+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	193.122.130.0	80	TCP
2025-01-11T07:27:04.452305+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	193.122.130.0	80	TCP
2025-01-11T07:27:05.624208+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49733	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7767004773:AAG_mBqrFYZNr81F28ktwLAJ3brPq5BTRzg/sendMessage?chat_id=1217600190", "Token": "7767004773:AAG_mBqrFYZNr81F28ktwLAJ3brPq5BTRzg", "Chat_id": "1217600190", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe

ReversingLabs: Detection: 75%

Multi AV Scanner detection for submitted file

Source: b6AGgIJ87g.exe	Virustotal: Detection: 55%			Perma Link
Source: b6AGgIJ87g.exe	ReversingLabs: Detection: 75%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: b6AGgIJ87g.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: b6AGgIJ87g.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49731 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: biopsies.exe, 00000001.00000003.1740824247.0000000003800000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000001.00000003.1741225848.0000000003660000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: biopsies.exe, 00000001.00000003.1740824247.0000000003800000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000001.00000003.1741225848.0000000003660000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0058445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0058445A
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0058C6D1 FindFirstFileW,FindClose,	0_2_0058C6D1
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0058C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0058C75C
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0058EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0058EF95
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0058F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0058F0F2
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0058F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0058F3F3
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_005837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005837EF
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00583B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00583B12
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0058BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0058BCBC
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_0091445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0091445A
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_0091C6D1 FindFirstFileW,FindClose,	1_2_0091C6D1
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_0091C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0091C75C
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_0091EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0091EF95
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_0091F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0091F0F2
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_0091F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0091F3F3
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_009137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_009137EF
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_00913B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00913B12
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_0091BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0091BCBC

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 19.2.biopsies.exe.e80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.biopsies.exe.9d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.biopsies.exe.1100000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.biopsies.exe.1f10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.biopsies.exe.3eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.biopsies.exe.3ec0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.biopsies.exe.f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.biopsies.exe.1070000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.biopsies.exe.18e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.biopsies.exe.e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.biopsies.exe.11f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49731 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_005922EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_005922EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000002.00000002.1840357737.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002CFA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.1840357737.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002CFA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002D3E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.1840357737.0000000002C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: biopsies.exe, 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1838731692.0000000000402000.00000040.80000000.00040000.00000000.sdmp, biopsies.exe, 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.1847084620.0000000006250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mn
Source: RegSvcs.exe, 00000002.00000002.1840357737.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002D13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.1840357737.0000000002C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.1840357737.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002CFA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002D3E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: biopsies.exe, 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1838731692.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002CFA000.00000004.00000800.00020000.00000000.sdmp, biopsies.exe, 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.1840357737.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000002.00000002.1840357737.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002D3E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_00594164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00594164

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00594164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00594164
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_00924164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		1_2_00924164

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_00593F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00593F66

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_0058001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0058001C

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_005ACABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_005ACABC
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_0093CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		1_2_0093CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 19.2.biopsies.exe.e80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 19.2.biopsies.exe.e80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.2.biopsies.exe.e80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 19.2.biopsies.exe.e80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.biopsies.exe.9d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.biopsies.exe.9d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.biopsies.exe.9d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.biopsies.exe.9d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 16.2.biopsies.exe.18e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.biopsies.exe.18e0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.biopsies.exe.18e0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.biopsies.exe.18e0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.biopsies.exe.1100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.biopsies.exe.1100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.biopsies.exe.1100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.biopsies.exe.1100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.biopsies.exe.1100000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.biopsies.exe.1100000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.biopsies.exe.1100000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.biopsies.exe.1100000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 13.2.biopsies.exe.1f10000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.biopsies.exe.1f10000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.biopsies.exe.1f10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.biopsies.exe.1f10000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.biopsies.exe.3eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.biopsies.exe.1f10000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.biopsies.exe.3eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.biopsies.exe.3eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.biopsies.exe.3eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 13.2.biopsies.exe.1f10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.biopsies.exe.1f10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.biopsies.exe.1f10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 14.2.biopsies.exe.e30000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.biopsies.exe.e30000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.biopsies.exe.e30000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.biopsies.exe.e30000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 17.2.biopsies.exe.3ec0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.biopsies.exe.3ec0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.biopsies.exe.3ec0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 17.2.biopsies.exe.3ec0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 18.2.biopsies.exe.1070000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 18.2.biopsies.exe.1070000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.2.biopsies.exe.1070000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 18.2.biopsies.exe.1070000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.biopsies.exe.f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.biopsies.exe.f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.biopsies.exe.f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.biopsies.exe.f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 19.2.biopsies.exe.e80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 19.2.biopsies.exe.e80000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.2.biopsies.exe.e80000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 19.2.biopsies.exe.e80000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.biopsies.exe.3eb0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.biopsies.exe.3eb0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.biopsies.exe.3eb0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.biopsies.exe.3eb0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.biopsies.exe.f50000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.biopsies.exe.f50000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.biopsies.exe.f50000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.biopsies.exe.f50000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 18.2.biopsies.exe.1070000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 18.2.biopsies.exe.1070000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.2.biopsies.exe.1070000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 18.2.biopsies.exe.1070000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 16.2.biopsies.exe.18e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.biopsies.exe.18e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.biopsies.exe.18e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.biopsies.exe.18e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 14.2.biopsies.exe.e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.biopsies.exe.e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.biopsies.exe.e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.biopsies.exe.e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 17.2.biopsies.exe.3ec0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.biopsies.exe.3ec0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.biopsies.exe.3ec0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 17.2.biopsies.exe.3ec0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 15.2.biopsies.exe.11f0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.biopsies.exe.11f0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.biopsies.exe.11f0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.biopsies.exe.11f0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 15.2.biopsies.exe.11f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.biopsies.exe.11f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.biopsies.exe.11f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.biopsies.exe.11f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.biopsies.exe.9d0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.biopsies.exe.9d0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.biopsies.exe.9d0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.biopsies.exe.9d0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.1838731692.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.1838731692.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: biopsies.exe PID: 7480, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: biopsies.exe PID: 7480, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7500, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7500, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: biopsies.exe PID: 7872, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: biopsies.exe PID: 7872, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: biopsies.exe PID: 7944, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: biopsies.exe PID: 7944, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: biopsies.exe PID: 8028, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: biopsies.exe PID: 8028, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: biopsies.exe PID: 8048, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: biopsies.exe PID: 8048, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: biopsies.exe PID: 8064, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: biopsies.exe PID: 8064, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: biopsies.exe PID: 8096, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: biopsies.exe PID: 8096, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: biopsies.exe PID: 8124, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: biopsies.exe PID: 8124, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: biopsies.exe PID: 8140, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: biopsies.exe PID: 8140, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: biopsies.exe PID: 8168, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: biopsies.exe PID: 8168, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: biopsies.exe PID: 7172, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: biopsies.exe PID: 7172, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00523B3A
Source: b6AGgIJ87g.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: b6AGgIJ87g.exe, 00000000.00000000.1684127288.00000000005D4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5b98426a-9
Source: b6AGgIJ87g.exe, 00000000.00000000.1684127288.00000000005D4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_0f88b752-5
Source: b6AGgIJ87g.exe, 00000000.00000003.1719982679.0000000003C03000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b7c5436b-d
Source: b6AGgIJ87g.exe, 00000000.00000003.1719982679.0000000003C03000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_2a6b3427-2
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: This is a third-party compiled AutoIt script.	1_2_008B3B3A
Source: biopsies.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: biopsies.exe, 00000001.00000002.1743800850.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d4d90594-e
Source: biopsies.exe, 00000001.00000002.1743800850.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_ee7b5e67-5
Source: biopsies.exe, 00000008.00000002.1901031836.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ecaff640-2
Source: biopsies.exe, 00000008.00000002.1901031836.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_32b03bdc-c
Source: biopsies.exe, 00000009.00000002.1930309967.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_584aee5f-2
Source: biopsies.exe, 00000009.00000002.1930309967.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_9114122a-2
Source: biopsies.exe, 0000000C.00000000.1929762623.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fd0b84b7-3
Source: biopsies.exe, 0000000C.00000000.1929762623.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_13359f2f-b
Source: biopsies.exe, 0000000D.00000002.1975576194.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_84348839-0
Source: biopsies.exe, 0000000D.00000002.1975576194.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_98a4da1c-8
Source: biopsies.exe, 0000000E.00000000.1975206361.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1c5ed709-3
Source: biopsies.exe, 0000000E.00000000.1975206361.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_af9bd1de-b
Source: biopsies.exe, 0000000F.00000002.2038106756.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0def014c-b
Source: biopsies.exe, 0000000F.00000002.2038106756.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_168836ee-1
Source: biopsies.exe, 00000010.00000000.2037701175.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_735edf85-f
Source: biopsies.exe, 00000010.00000000.2037701175.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_1a859626-3
Source: biopsies.exe, 00000011.00000000.2063873708.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f299bce3-b
Source: biopsies.exe, 00000011.00000000.2063873708.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_6b5e20c7-3
Source: biopsies.exe, 00000012.00000000.2096705242.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b4e3d908-0
Source: biopsies.exe, 00000012.00000000.2096705242.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_45ceea45-7
Source: biopsies.exe, 00000013.00000002.2169669003.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6e7987b8-a
Source: biopsies.exe, 00000013.00000002.2169669003.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_284e1a8f-b
Source: biopsies.exe, 00000014.00000000.2167748104.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_96f9c874-b
Source: biopsies.exe, 00000014.00000000.2167748104.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_b6e3d507-d
Source: b6AGgIJ87g.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ae4577a0-4
Source: b6AGgIJ87g.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_6d999338-7
Source: biopsies.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a8d6829a-9
Source: biopsies.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_2ea2c93a-d

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_0058A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0058A1EF

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_00578310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00578310

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_005851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_005851BD
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_009151BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		1_2_009151BD

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0052E6A0	0_2_0052E6A0
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0054D975	0_2_0054D975
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0052FCE0	0_2_0052FCE0
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_005421C5	0_2_005421C5
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_005562D2	0_2_005562D2
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_005A03DA	0_2_005A03DA
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0055242E	0_2_0055242E
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_005425FA	0_2_005425FA
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0057E616	0_2_0057E616
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_005366E1	0_2_005366E1
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0055878F	0_2_0055878F
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_005A0857	0_2_005A0857
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00556844	0_2_00556844
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00538808	0_2_00538808
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00588889	0_2_00588889
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0054CB21	0_2_0054CB21
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00556DB6	0_2_00556DB6
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00536F9E	0_2_00536F9E
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00533030	0_2_00533030
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0054F1D9	0_2_0054F1D9
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00543187	0_2_00543187
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00521287	0_2_00521287
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00541484	0_2_00541484
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00535520	0_2_00535520
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00547696	0_2_00547696
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00535760	0_2_00535760
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00541978	0_2_00541978
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00559AB5	0_2_00559AB5
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_005A7DDB	0_2_005A7DDB
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00541D90	0_2_00541D90
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0054BDA6	0_2_0054BDA6
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0052DF00	0_2_0052DF00
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00533FE0	0_2_00533FE0
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_01365C38	0_2_01365C38
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008BE6A0	1_2_008BE6A0
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008DD975	1_2_008DD975
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008BFCE0	1_2_008BFCE0
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008D21C5	1_2_008D21C5
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008E62D2	1_2_008E62D2
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_009303DA	1_2_009303DA
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008E242E	1_2_008E242E
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008D25FA	1_2_008D25FA
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008C66E1	1_2_008C66E1
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_0090E616	1_2_0090E616
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008E878F	1_2_008E878F
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_00918889	1_2_00918889
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008C8808	1_2_008C8808
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_00930857	1_2_00930857
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008E6844	1_2_008E6844
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008DCB21	1_2_008DCB21
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008E6DB6	1_2_008E6DB6
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008C6F9E	1_2_008C6F9E
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008C3030	1_2_008C3030
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008D3187	1_2_008D3187
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008DF1D9	1_2_008DF1D9
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008B1287	1_2_008B1287
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008D1484	1_2_008D1484
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008C5520	1_2_008C5520
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008D7696	1_2_008D7696
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008C5760	1_2_008C5760
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008D1978	1_2_008D1978
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008E9AB5	1_2_008E9AB5
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008D1D90	1_2_008D1D90
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008DBDA6	1_2_008DBDA6
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_00937DDB	1_2_00937DDB
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008C3FE0	1_2_008C3FE0
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008BDF00	1_2_008BDF00
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_01037950	1_2_01037950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02BFB328	2_2_02BFB328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02BFC190	2_2_02BFC190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02BF6108	2_2_02BF6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02BFC753	2_2_02BFC753
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02BFC470	2_2_02BFC470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02BF4AD9	2_2_02BF4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02BFCA33	2_2_02BFCA33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02BFBBD3	2_2_02BFBBD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02BF6880	2_2_02BF6880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02BF9858	2_2_02BF9858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02BFBEB3	2_2_02BFBEB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02BFB4F3	2_2_02BFB4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02BF3573	2_2_02BF3573
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 8_2_01522FE0	8_2_01522FE0
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 9_2_011B6098	9_2_011B6098
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 12_2_00AD6600	12_2_00AD6600
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 13_2_012A76D0	13_2_012A76D0
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 14_2_00FF6610	14_2_00FF6610
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 15_2_0130AFE8	15_2_0130AFE8
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 16_2_01A27A80	16_2_01A27A80
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 17_2_01604928	17_2_01604928
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 18_2_011663B0	18_2_011663B0
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 19_2_00FE6528	19_2_00FE6528

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: String function: 00548900 appears 42 times
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: String function: 00540AE3 appears 70 times
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: String function: 00527DE1 appears 36 times
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: String function: 008B7DE1 appears 35 times
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: String function: 008D8900 appears 42 times
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: String function: 008D0AE3 appears 70 times

Source: b6AGgIJ87g.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 19.2.biopsies.exe.e80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 19.2.biopsies.exe.e80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.biopsies.exe.e80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 19.2.biopsies.exe.e80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.biopsies.exe.9d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.biopsies.exe.9d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.biopsies.exe.9d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.biopsies.exe.9d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 16.2.biopsies.exe.18e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.biopsies.exe.18e0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.biopsies.exe.18e0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.biopsies.exe.18e0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.biopsies.exe.1100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.biopsies.exe.1100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.biopsies.exe.1100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.biopsies.exe.1100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.biopsies.exe.1100000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.biopsies.exe.1100000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.biopsies.exe.1100000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.biopsies.exe.1100000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 13.2.biopsies.exe.1f10000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.biopsies.exe.1f10000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.biopsies.exe.1f10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.biopsies.exe.1f10000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.biopsies.exe.3eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.biopsies.exe.1f10000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.biopsies.exe.3eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.biopsies.exe.3eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.biopsies.exe.3eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 13.2.biopsies.exe.1f10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.biopsies.exe.1f10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.biopsies.exe.1f10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 14.2.biopsies.exe.e30000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.biopsies.exe.e30000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.biopsies.exe.e30000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.biopsies.exe.e30000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 17.2.biopsies.exe.3ec0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.biopsies.exe.3ec0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.biopsies.exe.3ec0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 17.2.biopsies.exe.3ec0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 18.2.biopsies.exe.1070000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 18.2.biopsies.exe.1070000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.biopsies.exe.1070000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 18.2.biopsies.exe.1070000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.biopsies.exe.f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.biopsies.exe.f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.biopsies.exe.f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.biopsies.exe.f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 19.2.biopsies.exe.e80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 19.2.biopsies.exe.e80000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.biopsies.exe.e80000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 19.2.biopsies.exe.e80000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.biopsies.exe.3eb0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.biopsies.exe.3eb0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.biopsies.exe.3eb0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.biopsies.exe.3eb0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.biopsies.exe.f50000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.biopsies.exe.f50000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.biopsies.exe.f50000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.biopsies.exe.f50000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 18.2.biopsies.exe.1070000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 18.2.biopsies.exe.1070000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.biopsies.exe.1070000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 18.2.biopsies.exe.1070000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 16.2.biopsies.exe.18e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.biopsies.exe.18e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.biopsies.exe.18e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.biopsies.exe.18e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 14.2.biopsies.exe.e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.biopsies.exe.e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.biopsies.exe.e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.biopsies.exe.e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 17.2.biopsies.exe.3ec0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.biopsies.exe.3ec0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.biopsies.exe.3ec0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 17.2.biopsies.exe.3ec0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 15.2.biopsies.exe.11f0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.biopsies.exe.11f0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.biopsies.exe.11f0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.biopsies.exe.11f0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 15.2.biopsies.exe.11f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.biopsies.exe.11f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.biopsies.exe.11f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.biopsies.exe.11f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.biopsies.exe.9d0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.biopsies.exe.9d0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.biopsies.exe.9d0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.biopsies.exe.9d0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.1838731692.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.1838731692.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: biopsies.exe PID: 7480, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: biopsies.exe PID: 7480, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 7500, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7500, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: biopsies.exe PID: 7872, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: biopsies.exe PID: 7872, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: biopsies.exe PID: 7944, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: biopsies.exe PID: 7944, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: biopsies.exe PID: 8028, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: biopsies.exe PID: 8028, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: biopsies.exe PID: 8048, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: biopsies.exe PID: 8048, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: biopsies.exe PID: 8064, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: biopsies.exe PID: 8064, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: biopsies.exe PID: 8096, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: biopsies.exe PID: 8096, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: biopsies.exe PID: 8124, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: biopsies.exe PID: 8124, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: biopsies.exe PID: 8140, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: biopsies.exe PID: 8140, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: biopsies.exe PID: 8168, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: biopsies.exe PID: 8168, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: biopsies.exe PID: 7172, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: biopsies.exe PID: 7172, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@108/38@2/2

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_0058A06A GetLastError,FormatMessageW,

0_2_0058A06A

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_005781CB AdjustTokenPrivileges,CloseHandle,	0_2_005781CB
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_005787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_005787E1
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_009081CB AdjustTokenPrivileges,CloseHandle,	1_2_009081CB
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_009087E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	1_2_009087E1

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_0058B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0058B333

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_0059EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0059EE0D

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_0058C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0058C397

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_00524E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00524E89

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

File created: C:\Users\user\AppData\Local\Maianthemum

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

File created: C:\Users\user\AppData\Local\Temp\aut8047.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biopsies.vbs"

Source: b6AGgIJ87g.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: b6AGgIJ87g.exe	Virustotal: Detection: 55%
Source: b6AGgIJ87g.exe	ReversingLabs: Detection: 75%

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

File read: C:\Users\user\Desktop\b6AGgIJ87g.exe

Jump to behavior

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Section loaded: wldp.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: b6AGgIJ87g.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: b6AGgIJ87g.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: b6AGgIJ87g.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: b6AGgIJ87g.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: b6AGgIJ87g.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: b6AGgIJ87g.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: b6AGgIJ87g.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: biopsies.exe, 00000001.00000003.1740824247.0000000003800000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000001.00000003.1741225848.0000000003660000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: biopsies.exe, 00000001.00000003.1740824247.0000000003800000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000001.00000003.1741225848.0000000003660000.00000004.00001000.00020000.00000000.sdmp

Source: b6AGgIJ87g.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: b6AGgIJ87g.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: b6AGgIJ87g.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: b6AGgIJ87g.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: b6AGgIJ87g.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_00524B37 LoadLibraryA,GetProcAddress,

0_2_00524B37

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0052C4C6 push A30052BAh; retn 0052h	0_2_0052C50D
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0058848F push FFFFFF8Bh; iretd	0_2_00588491
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0054E70F push edi; ret	0_2_0054E711
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0054E828 push esi; ret	0_2_0054E82A
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00548945 push ecx; ret	0_2_00548958
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0054EA03 push esi; ret	0_2_0054EA05
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0054EAEC push edi; ret	0_2_0054EAEE
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_0091848F push FFFFFF8Bh; iretd	1_2_00918491
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008DE70F push edi; ret	1_2_008DE711
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008DE828 push esi; ret	1_2_008DE82A
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008D8945 push ecx; ret	1_2_008D8958
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008DEAEC push edi; ret	1_2_008DEAEE
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008DEA03 push esi; ret	1_2_008DEA05

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

File created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biopsies.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biopsies.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biopsies.vbs

Jump to behavior

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_005248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_005248D7
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_005A5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_005A5376
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008B48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	1_2_008B48D7
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_00935376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	1_2_00935376

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_00543187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00543187

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe

API/Special instruction interceptor: Address: 1037574

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599811	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599397	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597280	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597166	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597017	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596885	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595545	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594436	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594326	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594134	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594016	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2916			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6937			Jump to behavior

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-101467
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	API coverage: 4.9 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0058445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0058445A
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0058C6D1 FindFirstFileW,FindClose,	0_2_0058C6D1
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0058C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0058C75C
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0058EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0058EF95
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0058F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0058F0F2
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0058F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0058F3F3
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_005837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005837EF
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00583B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00583B12
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0058BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0058BCBC
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_0091445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0091445A
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_0091C6D1 FindFirstFileW,FindClose,	1_2_0091C6D1
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_0091C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0091C75C
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_0091EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0091EF95
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_0091F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0091F0F2
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_0091F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0091F3F3
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_009137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_009137EF
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_00913B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00913B12
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_0091BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0091BCBC

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_005249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005249A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599811	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599397	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597280	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597166	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597017	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596885	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595545	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594436	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594326	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594134	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594016	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: wscript.exe, 00000007.00000002.1866520633.000002CDDC133000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=Q
Source: RegSvcs.exe, 00000002.00000002.1839175581.0000000000F08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	API call chain: ExitProcess graph end node	graph_0-100462
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_00593F09 BlockInput,

0_2_00593F09

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_00523B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00523B3A

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_00555A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00555A7C

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_00524B37 LoadLibraryA,GetProcAddress,

0_2_00524B37

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_01364488 mov eax, dword ptr fs:[00000030h]	0_2_01364488
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_01365B28 mov eax, dword ptr fs:[00000030h]	0_2_01365B28
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_01365AC8 mov eax, dword ptr fs:[00000030h]	0_2_01365AC8
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_010361A0 mov eax, dword ptr fs:[00000030h]	1_2_010361A0
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_010377E0 mov eax, dword ptr fs:[00000030h]	1_2_010377E0
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_01037840 mov eax, dword ptr fs:[00000030h]	1_2_01037840
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 8_2_01522ED0 mov eax, dword ptr fs:[00000030h]	8_2_01522ED0
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 8_2_01522E70 mov eax, dword ptr fs:[00000030h]	8_2_01522E70
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 8_2_01521830 mov eax, dword ptr fs:[00000030h]	8_2_01521830
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 9_2_011B5F88 mov eax, dword ptr fs:[00000030h]	9_2_011B5F88
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 9_2_011B5F28 mov eax, dword ptr fs:[00000030h]	9_2_011B5F28
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 9_2_011B48E8 mov eax, dword ptr fs:[00000030h]	9_2_011B48E8
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 12_2_00AD6490 mov eax, dword ptr fs:[00000030h]	12_2_00AD6490
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 12_2_00AD64F0 mov eax, dword ptr fs:[00000030h]	12_2_00AD64F0
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 12_2_00AD4E50 mov eax, dword ptr fs:[00000030h]	12_2_00AD4E50
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 13_2_012A5F20 mov eax, dword ptr fs:[00000030h]	13_2_012A5F20
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 13_2_012A7560 mov eax, dword ptr fs:[00000030h]	13_2_012A7560
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 13_2_012A75C0 mov eax, dword ptr fs:[00000030h]	13_2_012A75C0
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 14_2_00FF4E60 mov eax, dword ptr fs:[00000030h]	14_2_00FF4E60
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 14_2_00FF64A0 mov eax, dword ptr fs:[00000030h]	14_2_00FF64A0
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 14_2_00FF6500 mov eax, dword ptr fs:[00000030h]	14_2_00FF6500
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 15_2_01309838 mov eax, dword ptr fs:[00000030h]	15_2_01309838
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 15_2_0130AE78 mov eax, dword ptr fs:[00000030h]	15_2_0130AE78
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 15_2_0130AED8 mov eax, dword ptr fs:[00000030h]	15_2_0130AED8
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 16_2_01A27910 mov eax, dword ptr fs:[00000030h]	16_2_01A27910
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 16_2_01A27970 mov eax, dword ptr fs:[00000030h]	16_2_01A27970
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 16_2_01A262D0 mov eax, dword ptr fs:[00000030h]	16_2_01A262D0
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 17_2_01603178 mov eax, dword ptr fs:[00000030h]	17_2_01603178
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 17_2_016047B8 mov eax, dword ptr fs:[00000030h]	17_2_016047B8
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 17_2_01604818 mov eax, dword ptr fs:[00000030h]	17_2_01604818
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 18_2_01164C00 mov eax, dword ptr fs:[00000030h]	18_2_01164C00
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 18_2_011662A0 mov eax, dword ptr fs:[00000030h]	18_2_011662A0
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 18_2_01166240 mov eax, dword ptr fs:[00000030h]	18_2_01166240
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 19_2_00FE4D78 mov eax, dword ptr fs:[00000030h]	19_2_00FE4D78
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 19_2_00FE63B8 mov eax, dword ptr fs:[00000030h]	19_2_00FE63B8
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 19_2_00FE6418 mov eax, dword ptr fs:[00000030h]	19_2_00FE6418

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_005780A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_005780A9

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0054A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0054A155
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_0054A124 SetUnhandledExceptionFilter,	0_2_0054A124
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008DA124 SetUnhandledExceptionFilter,	1_2_008DA124
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_008DA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_008DA155

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A02008

Jump to behavior

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_005787B1 LogonUserW,

0_2_005787B1

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_00523B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00523B3A

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_005248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_005248D7

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_00584C53 mouse_event,

0_2_00584C53

Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\b6AGgIJ87g.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"	Jump to behavior

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_00577CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00577CAF

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_0057874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0057874B

Source: b6AGgIJ87g.exe, biopsies.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: b6AGgIJ87g.exe, biopsies.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_0054862B cpuid

0_2_0054862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_00554E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00554E87

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_00561E06 GetUserNameW,

0_2_00561E06

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_00553F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00553F3A

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Code function: 0_2_005249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005249A0

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 19.2.biopsies.exe.e80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.biopsies.exe.9d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.biopsies.exe.18e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.biopsies.exe.1100000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.biopsies.exe.1100000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.biopsies.exe.1f10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.biopsies.exe.1f10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.biopsies.exe.3eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.biopsies.exe.e30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.biopsies.exe.3ec0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.biopsies.exe.1070000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.biopsies.exe.f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.biopsies.exe.e80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.biopsies.exe.3eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.biopsies.exe.f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.biopsies.exe.1070000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.biopsies.exe.18e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.biopsies.exe.e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.biopsies.exe.3ec0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.biopsies.exe.11f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.biopsies.exe.11f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.biopsies.exe.9d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1838731692.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1840357737.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1840357737.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 7872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 7172, type: MEMORYSTR

Source: biopsies.exe	Binary or memory string: WIN_81
Source: biopsies.exe	Binary or memory string: WIN_XP
Source: biopsies.exe	Binary or memory string: WIN_XPe
Source: biopsies.exe	Binary or memory string: WIN_VISTA
Source: biopsies.exe	Binary or memory string: WIN_7
Source: biopsies.exe	Binary or memory string: WIN_8
Source: biopsies.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 19.2.biopsies.exe.e80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.biopsies.exe.9d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.biopsies.exe.18e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.biopsies.exe.1100000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.biopsies.exe.1100000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.biopsies.exe.1f10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.biopsies.exe.1f10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.biopsies.exe.3eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.biopsies.exe.e30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.biopsies.exe.3ec0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.biopsies.exe.1070000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.biopsies.exe.f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.biopsies.exe.e80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.biopsies.exe.3eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.biopsies.exe.f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.biopsies.exe.1070000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.biopsies.exe.18e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.biopsies.exe.e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.biopsies.exe.3ec0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.biopsies.exe.11f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.biopsies.exe.11f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.biopsies.exe.9d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1838731692.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 7872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 7172, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 19.2.biopsies.exe.e80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.biopsies.exe.9d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.biopsies.exe.18e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.biopsies.exe.1100000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.biopsies.exe.1100000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.biopsies.exe.1f10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.biopsies.exe.1f10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.biopsies.exe.3eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.biopsies.exe.e30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.biopsies.exe.3ec0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.biopsies.exe.1070000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.biopsies.exe.f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.biopsies.exe.e80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.biopsies.exe.3eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.biopsies.exe.f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.biopsies.exe.1070000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.biopsies.exe.18e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.biopsies.exe.e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.biopsies.exe.3ec0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.biopsies.exe.11f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.biopsies.exe.11f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.biopsies.exe.9d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1838731692.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1840357737.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1840357737.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 7872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: biopsies.exe PID: 7172, type: MEMORYSTR

Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00596283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00596283
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Code function: 0_2_00596747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00596747
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_00926283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	1_2_00926283
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Code function: 1_2_00926747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	1_2_00926747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	2 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	126 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	231 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
b6AGgIJ87g.exe	56%	Virustotal		Browse
b6AGgIJ87g.exe	75%	ReversingLabs	Win32.Trojan.AutoitInject
b6AGgIJ87g.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	75%	ReversingLabs	Win32.Trojan.AutoitInject

Source	Detection	Scanner	Label	Link
http://crl.mn	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.80.1	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.1840357737.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002CFA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002D3E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.1840357737.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002CFA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002D3E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.mn	RegSvcs.exe, 00000002.00000002.1847084620.0000000006250000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.1840357737.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002CFA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.1840357737.0000000002C31000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	biopsies.exe, 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1838731692.0000000000402000.00000040.80000000.00040000.00000000.sdmp, biopsies.exe, 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 00000002.00000002.1840357737.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002D3E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.1840357737.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002D13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	biopsies.exe, 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1838731692.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1840357737.0000000002CFA000.00000004.00000800.00020000.00000000.sdmp, biopsies.exe, 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, biopsies.exe, 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.130.0	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
104.21.80.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588941
Start date and time:	2025-01-11 07:26:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	b6AGgIJ87g.exe renamed because original name is a hash value
Original Sample Name:	03da1152cc2fc2bcfafc441c76ddcda09e4df84adb27bda9b267694b4a840cf7.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@108/38@2/2
EGA Information:	Successful, ratio: 92.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 54 Number of non-executed functions: 285
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 7500 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:27:03	API Interceptor	66x Sleep call for process: RegSvcs.exe modified
06:27:04	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biopsies.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.130.0	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	4AMVusDMPP.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
104.21.80.1	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.aziziyeescortg.xyz/2pcx/
	qlG7x91YXH.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/0hqe/
	6uHfmjGMfL.exe	Get hash	malicious	Amadey	Browse	clientservices.sgoogleapis.observer/api/index.php
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	my.cradaygo.com/smmylet
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/pmpa/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	hiranetwork.com/administrator/index.php
	downloader2.hta	Get hash	malicious	XWorm	Browse	2k8u3.org/wininit.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	3qr7JBuNuX.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
reallyfreegeoip.org	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	3qr7JBuNuX.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	fqbVL4XxCr.exe	Get hash	malicious	FormBook	Browse	104.21.112.1
	JuIZye2xKX.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	962Zrwh5bU.exe	Get hash	malicious	Azorult	Browse	104.21.75.48
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	3qr7JBuNuX.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
ORACLE-BMC-31898US	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	3qr7JBuNuX.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	3qr7JBuNuX.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1

Process:	C:\Users\user\Desktop\b6AGgIJ87g.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021952
Entropy (8bit):	6.946572609644125
Encrypted:	false
SSDEEP:	24576:+u6J33O0c+JY5UZ+XC0kGso6Faei2PbeZqC/pO0WY:Qu0c++OCvkGs9FaeTP6MY
MD5:	04A2CCE147E8B29D89EF24AF80D493CE
SHA1:	5E24A62C496A9726BB924C1BB0F3B5E33963B0C6
SHA-256:	03DA1152CC2FC2BCFAFC441C76DDCDA09E4DF84ADB27BDA9B267694B4A840CF7
SHA-512:	5C623045F3B388F150FE1659D55DA24D89C35AEF09D74A3A5FC90431608241213C9E9A64AF118CC1CAF1601A3EFFB1FB572D1C98C2C6695DB1349E54FB2E1B22
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 75%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...^.Xg.........."..................}............@.......................................@...@.......@.....................L...\|....p...........................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc........p......................@..@.reloc...q.......r...&..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

C:\Users\user\AppData\Local\Temp\aut14A7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\aut21F6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\aut2F63.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\aut3E09.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\aut45F8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\aut4BF4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\aut53F2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\aut5BC2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\aut6652.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\aut6E60.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\aut76CC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\aut7F48.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\aut8047.tmp

Download File

Process:	C:\Users\user\Desktop\b6AGgIJ87g.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\aut890C.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\aut8E70.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\aut9030.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\aut9958.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\autA09B.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\autA57.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\autA791.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\autB30A.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\autBD2C.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\autC615.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\autC733.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\autCEA1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\autD4DF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\autD70D.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\autE02A.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\autE10F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\autEAC9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\autEBBE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\autF1DD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\autF67C.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\autFDF3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	82162
Entropy (8bit):	7.878716095413827
Encrypted:	false
SSDEEP:	1536:Rr94sbBaeH2qFRgR/CavTSHqc7JrCNuE15Xc2bG2:34sNaa2qRgRqaLStKrXB
MD5:	7F331E0174A60A73C35C70F646F7EA27
SHA1:	6A16A24150FBBA6079AB42CBC10CBBCBEF63BF9A
SHA-256:	DFB7F6E93E30EBC643FB6D2F4BED75E2CB99CBCCBB50BA76D5E3611A0766854A
SHA-512:	16E42F1093FBDAC3AA39FA82F513BD26C2A2F07F1BA728E0251C1A06ED222EDE2C15F896664DCF1C60078A967EA16880DBEFFE89CD26066ADDA13CB8A197EBF3
Malicious:	false
Preview:	EA06......:.z.>.8...-..O..' .E........Q...8..E~...NpT....P..6....e.....Ub.f..'3...1[......M)._o1X..q5.Zf.I...6...e..T.........3.U.4.?:q6.I..1..Q&T[..Q...A.Z.F...M(...fh@.....P.LQ&P^.F.W.Nd..M..G.._b......w6...6.,.&.....I.$.......(....i.-^2.Q.M2.N....]..q9......>.:.F.l.z...J.Q$......(E.7.(......\|.!.>.J.V.5.-^..i..Je;.(..._..S......N.B.Yb.y.gMQ.......Q..h......kh.._F.5...17.Lh5.....R..B....}..P......B:.(N......"..$`..`.P......BP.y.<....V....=g.Qk...&...Q..Z.F.C.......K.P'.Z..S...j`.L\|.)....+....j4..^..(Qj....q9..".Z...G.L...@....Z.F..@G"...^.I...3je..W..x. 'b1[..a`.Dr.L...4.d.'..H.z.......-N.O...P..Q..h...mn...4]..So...@.Dv....h..<.%6.D't...'9.V&.P..%?.I&S{u6.7...i......"5`...{.....b.8......beG..i.y..iE...#.,...x/.z}....M...>.....0.f.:..(.}..<..'3.40...g..EN@..Sh.[...S.@.>.d....U....J...3z4.q6..'R.\.....h...T...X.V...[...TZ......,...n.....(..o.0..f.0.jsNd.s2...Z.2u..hluYW...5Z...<[".ygp..4z....T.&.....,..4...<D..JO(.k4I.........&@4....m.N.p...

C:\Users\user\AppData\Local\Temp\semispinalis

Download File

Process:	C:\Users\user\Desktop\b6AGgIJ87g.exe
File Type:	data
Category:	modified
Size (bytes):	134144
Entropy (8bit):	6.859977104025967
Encrypted:	false
SSDEEP:	3072:LlZBOQ3rfHp7zNDH+oJtKQTSMQfGmu/ZzsJ9ytaJ+A:/BOQ3r/pdL+otT/QfGmGwJ9MA
MD5:	4F37E4E9C4BD4C79202030A737497566
SHA1:	6C291F2F41C226374AA99B5F7B83354472714BDA
SHA-256:	9AD18A9C1119304E2C04A7B368FCDC975C5BAF8D421AE2FCB8E3972264A15377
SHA-512:	144212A446DE28701F17B8EAED71922328B11B128036C9ABE30798239D9309375E8852F595A605074A05AF521FD35EDDF9E053566BDA631780727C83D3498B8A
Malicious:	false
Preview:	.h.WROG8=6F2..QO.896F2EW.OG896F2EWQOG896F2EWQOG896F2EWQOG896.2EW_P.69.O.d.P...m^/Ae'# JX[fQ$9? 3.[Sf@09q&).}y..(85i54<b2EWQOG8isF2.VRO...PF2EWQOG8.6D3NV.OG.86F&EWQOG8."D2EwQOG.;6F2.WQoG894F2AWQOG896B2EWQOG89VD2EUQOG896D2..QOW89&F2EWAOG(96F2EWAOG896F2EWQO?,;6.2EWQoE8V&F2EWQOG896F2EWQOG89vD2IWQOG896F2EWQOG896F2EWQOG896F2EWQOG896F2EWQOG896F2EWQoG816F2EWQOG896N.EW.OG896F2EWQOiL\N22EW..F89.F2E.POG:96F2EWQOG896F2eWQ/iJJD%2EW>_G89.D2EEQOG.86F2EWQOG896F2.WQ.iJ\Z)QEW]OG89vD2EUQOG2;6F2EWQOG896F2.WQ.G896F2EWQOG896F2.CSOG896.2EWSOB8e.G2Y.QOD896.2EQ.mF8.6F2EWQOG896F2EWQOG896F2EWQOG896F2EWQOG896F2..@.._5..WQOG897D1AQYGG896F2EW/OG8.6F2.WQOp896c2EW<OG8.6F2;WQO9896"2EW#OG8X6F2.WQO(896(2EW/OG8'4n.EW[ea8;.g2E]Qe.K.6F8.VQOCK.6F8.UQOCK.6F8.TQOCK.6F8.SQOCK.6F8.RQOC.c6E.SQQO\W.6F8ET.ZA89-l.EUyuG836l.ET.ZA89-l.EU.FG8=..AXWQIo{96LFLWQM.296B.[Uy.G83.dLUWQKl8..8#EWUdG..HT2ESzOm.G%F2A\|QeeF-6F6nW{QE.-6F6ou/ZG8=.F.g)GOG<.6l.;@QOC.9.X0.@QOC.?.$27nMO7;V.F2C..OG2.VF2CW{uGF.6F6G8.OG2...2G.UNG294EOsWQKE<D.F2A}.OEC.6

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biopsies.vbs

Download File

Process:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	3.4183478159502085
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcloRKUEZ+lX1ol3MeYNUZim6nriIM8lfQVn:DsO+vNloRKQ1ol3MeYi4mA2n
MD5:	08C26C4580F8A1AC070E7C5468EBD8F8
SHA1:	3AB97944B6B843AC61E2C703715DE2B1D3928C00
SHA-256:	200735B7374ED69D68EBE1F0B15DED30BBE9D1040814DC9461F2C2A0E21EE5B3
SHA-512:	EB1DA8F1B6FF433B5C239A681FAF203CE286305E136E9F8471BC840252A0F9B935D1A367BCE78E6C52053FB4028CC2F97C20F746BBD9042C4C46D286312373EC
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.a.i.a.n.t.h.e.m.u.m.\.b.i.o.p.s.i.e.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.946572609644125
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	b6AGgIJ87g.exe
File size:	1'021'952 bytes
MD5:	04a2cce147e8b29d89ef24af80d493ce
SHA1:	5e24a62c496a9726bb924c1bb0f3b5e33963b0c6
SHA256:	03da1152cc2fc2bcfafc441c76ddcda09e4df84adb27bda9b267694b4a840cf7
SHA512:	5c623045f3b388f150fe1659d55da24d89c35aef09d74a3a5fc90431608241213c9e9a64af118cc1caf1601a3effb1fb572d1c98c2c6695db1349e54fb2e1b22
SSDEEP:	24576:+u6J33O0c+JY5UZ+XC0kGso6Faei2PbeZqC/pO0WY:Qu0c++OCvkGs9FaeTP6MY
TLSH:	AC25BE2273DDC360CB669173BF69B7056EBF3C614630B85B2F880D7DA950162262D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6758DC5E [Wed Dec 11 00:27:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FE1091DBFAAh
jmp 00007FE1091CED74h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FE1091CEEFAh
cmp edi, eax
jc 00007FE1091CF25Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FE1091CEEF9h
rep movsb
jmp 00007FE1091CF20Ch
cmp ecx, 00000080h
jc 00007FE1091CF0C4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FE1091CEF00h
bt dword ptr [004BE324h], 01h
jc 00007FE1091CF3D0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FE1091CF09Dh
test edi, 00000003h
jne 00007FE1091CF0AEh
test esi, 00000003h
jne 00007FE1091CF08Dh
bt edi, 02h
jnc 00007FE1091CEEFFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FE1091CEF03h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FE1091CEF55h
bt esi, 03h
jnc 00007FE1091CEFA8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x30f18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf8000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x30f18	0x31000	08ddda6cc5c502bc1a13c3694d098614	False	0.8656877790178571	data	7.735664951883174	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf8000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x281dd	data			1.0003712336520263
RT_GROUP_ICON	0xf7998	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xf7a10	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xf7a24	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xf7a38	0x14	data	English	Great Britain	1.25
RT_VERSION	0xf7a4c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xf7b28	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T07:27:03.608558+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	193.122.130.0	80	TCP
2025-01-11T07:27:04.452305+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	193.122.130.0	80	TCP
2025-01-11T07:27:05.094000+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49732	104.21.80.1	443	TCP
2025-01-11T07:27:05.624208+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49733	193.122.130.0	80	TCP
2025-01-11T07:27:10.892364+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49742	104.21.80.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 07:27:02.946239948 CET	49730	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:02.951245070 CET	80	49730	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:02.951342106 CET	49730	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:02.951585054 CET	49730	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:02.956506014 CET	80	49730	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:03.459893942 CET	80	49730	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:03.463999987 CET	49730	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:03.468838930 CET	80	49730	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:03.563694000 CET	80	49730	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:03.608557940 CET	49730	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:03.612848043 CET	49731	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:03.612879992 CET	443	49731	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:03.613229990 CET	49731	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:03.623064995 CET	49731	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:03.623076916 CET	443	49731	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:04.107842922 CET	443	49731	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:04.108110905 CET	49731	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:04.120913982 CET	49731	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:04.120925903 CET	443	49731	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:04.121212006 CET	443	49731	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:04.171036959 CET	49731	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:04.173916101 CET	49731	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:04.219332933 CET	443	49731	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:04.286864996 CET	443	49731	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:04.287030935 CET	443	49731	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:04.287348032 CET	49731	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:04.293831110 CET	49731	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:04.297352076 CET	49730	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:04.302149057 CET	80	49730	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:04.397514105 CET	80	49730	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:04.400530100 CET	49732	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:04.400576115 CET	443	49732	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:04.400648117 CET	49732	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:04.401060104 CET	49732	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:04.401071072 CET	443	49732	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:04.452305079 CET	49730	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:04.855823040 CET	443	49732	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:04.905426025 CET	49732	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:04.983752012 CET	49732	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:04.983774900 CET	443	49732	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:05.094070911 CET	443	49732	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:05.094223976 CET	443	49732	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:05.094271898 CET	49732	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:05.094798088 CET	49732	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:05.098767042 CET	49730	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:05.099883080 CET	49733	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:05.103849888 CET	80	49730	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:05.103905916 CET	49730	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:05.104795933 CET	80	49733	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:05.104881048 CET	49733	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:05.105036974 CET	49733	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:05.109932899 CET	80	49733	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:05.577349901 CET	80	49733	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:05.578915119 CET	49734	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:05.578962088 CET	443	49734	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:05.579035044 CET	49734	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:05.579330921 CET	49734	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:05.579345942 CET	443	49734	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:05.624207973 CET	49733	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:06.051405907 CET	443	49734	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:06.053282022 CET	49734	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:06.053314924 CET	443	49734	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:06.188515902 CET	443	49734	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:06.188613892 CET	443	49734	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:06.188823938 CET	49734	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:06.189146996 CET	49734	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:06.193387032 CET	49735	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:06.198239088 CET	80	49735	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:06.198348999 CET	49735	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:06.198582888 CET	49735	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:06.203365088 CET	80	49735	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:06.684894085 CET	80	49735	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:06.686252117 CET	49736	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:06.686301947 CET	443	49736	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:06.686388016 CET	49736	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:06.686629057 CET	49736	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:06.686639071 CET	443	49736	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:06.734045029 CET	49735	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:07.171370983 CET	443	49736	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:07.174796104 CET	49736	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:07.174832106 CET	443	49736	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:07.314090014 CET	443	49736	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:07.314199924 CET	443	49736	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:07.314294100 CET	49736	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:07.350250006 CET	49736	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:07.389554024 CET	49735	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:07.394663095 CET	80	49735	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:07.394757986 CET	49735	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:07.398075104 CET	49737	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:07.402976036 CET	80	49737	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:07.403079033 CET	49737	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:07.406547070 CET	49737	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:07.411367893 CET	80	49737	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:07.862493992 CET	80	49737	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:07.863903046 CET	49738	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:07.863941908 CET	443	49738	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:07.863997936 CET	49738	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:07.864284039 CET	49738	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:07.864293098 CET	443	49738	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:07.905458927 CET	49737	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:08.324121952 CET	443	49738	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:08.325948000 CET	49738	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:08.325978041 CET	443	49738	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:08.449244976 CET	443	49738	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:08.449333906 CET	443	49738	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:08.449405909 CET	49738	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:08.449933052 CET	49738	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:08.453504086 CET	49737	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:08.454086065 CET	49739	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:08.458872080 CET	80	49737	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:08.460318089 CET	80	49739	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:08.460381985 CET	49737	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:08.460414886 CET	49739	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:08.460509062 CET	49739	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:08.465780020 CET	80	49739	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:08.948191881 CET	80	49739	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:08.950398922 CET	49740	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:08.950447083 CET	443	49740	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:08.950531960 CET	49740	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:08.950872898 CET	49740	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:08.950886965 CET	443	49740	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:08.999326944 CET	49739	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:09.410098076 CET	443	49740	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:09.411919117 CET	49740	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:09.411950111 CET	443	49740	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:09.543081045 CET	443	49740	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:09.543173075 CET	443	49740	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:09.543338060 CET	49740	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:09.543865919 CET	49740	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:09.547205925 CET	49739	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:09.548448086 CET	49741	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:09.552356005 CET	80	49739	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:09.552457094 CET	49739	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:09.553323984 CET	80	49741	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:09.553502083 CET	49741	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:09.553558111 CET	49741	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:09.558404922 CET	80	49741	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:10.227519989 CET	80	49741	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:10.233361959 CET	49742	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:10.233401060 CET	443	49742	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:10.233474016 CET	49742	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:10.245469093 CET	49742	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:10.245481968 CET	443	49742	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:10.280591011 CET	49741	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:10.737226963 CET	443	49742	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:10.738681078 CET	49742	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:10.738698959 CET	443	49742	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:10.892388105 CET	443	49742	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:10.892455101 CET	443	49742	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:10.892503023 CET	49742	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:10.892915010 CET	49742	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:10.899470091 CET	49741	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:10.900552988 CET	49743	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:10.904511929 CET	80	49741	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:10.904572964 CET	49741	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:10.905395031 CET	80	49743	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:10.905474901 CET	49743	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:10.905591011 CET	49743	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:10.910392046 CET	80	49743	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:11.374663115 CET	80	49743	193.122.130.0	192.168.2.4
Jan 11, 2025 07:27:11.376382113 CET	49744	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:11.376487970 CET	443	49744	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:11.376552105 CET	49744	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:11.376807928 CET	49744	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:11.376838923 CET	443	49744	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:11.421130896 CET	49743	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:11.830775976 CET	443	49744	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:11.832891941 CET	49744	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:11.832930088 CET	443	49744	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:11.981112003 CET	443	49744	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:11.981172085 CET	443	49744	104.21.80.1	192.168.2.4
Jan 11, 2025 07:27:11.981386900 CET	49744	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:11.981846094 CET	49744	443	192.168.2.4	104.21.80.1
Jan 11, 2025 07:27:12.144900084 CET	49743	80	192.168.2.4	193.122.130.0
Jan 11, 2025 07:27:12.144964933 CET	49733	80	192.168.2.4	193.122.130.0

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 07:27:02.922727108 CET	53477	53	192.168.2.4	1.1.1.1
Jan 11, 2025 07:27:02.940692902 CET	53	53477	1.1.1.1	192.168.2.4
Jan 11, 2025 07:27:03.603379965 CET	59550	53	192.168.2.4	1.1.1.1
Jan 11, 2025 07:27:03.612169027 CET	53	59550	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 07:27:02.922727108 CET	192.168.2.4	1.1.1.1	0x5c3f	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:27:03.603379965 CET	192.168.2.4	1.1.1.1	0xd4aa	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 07:27:02.940692902 CET	1.1.1.1	192.168.2.4	0x5c3f	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 07:27:02.940692902 CET	1.1.1.1	192.168.2.4	0x5c3f	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:27:02.940692902 CET	1.1.1.1	192.168.2.4	0x5c3f	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:27:02.940692902 CET	1.1.1.1	192.168.2.4	0x5c3f	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:27:02.940692902 CET	1.1.1.1	192.168.2.4	0x5c3f	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:27:02.940692902 CET	1.1.1.1	192.168.2.4	0x5c3f	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:27:03.612169027 CET	1.1.1.1	192.168.2.4	0xd4aa	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:27:03.612169027 CET	1.1.1.1	192.168.2.4	0xd4aa	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:27:03.612169027 CET	1.1.1.1	192.168.2.4	0xd4aa	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:27:03.612169027 CET	1.1.1.1	192.168.2.4	0xd4aa	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:27:03.612169027 CET	1.1.1.1	192.168.2.4	0xd4aa	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:27:03.612169027 CET	1.1.1.1	192.168.2.4	0xd4aa	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:27:03.612169027 CET	1.1.1.1	192.168.2.4	0xd4aa	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	193.122.130.0	80	7500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:27:02.951585054 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:27:03.459893942 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:27:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b7659f176251765f9a80afd98d4eb7e8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 07:27:03.463999987 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 07:27:03.563694000 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:27:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b856bb0cd7d73b7662e01e5361c01d78 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 07:27:04.297352076 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 07:27:04.397514105 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:27:04 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b1f3eaf5324d4f90604800cf31bc7813 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	193.122.130.0	80	7500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:27:05.105036974 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 07:27:05.577349901 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:27:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e2e8464c280d33d429a45c4d6c12d95c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49735	193.122.130.0	80	7500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:27:06.198582888 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:27:06.684894085 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:27:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d1435593fdbfbb4d0667cdc5793a38ff Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49737	193.122.130.0	80	7500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:27:07.406547070 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:27:07.862493992 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:27:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 521961c46cc69be78161b03e37ce428f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49739	193.122.130.0	80	7500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:27:08.460509062 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:27:08.948191881 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:27:08 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 210f375254a242b041a23e81178a1d9d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	193.122.130.0	80	7500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:27:09.553558111 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:27:10.227519989 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:27:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 031bfe9c04cd17077e44653814800b82 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	193.122.130.0	80	7500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:27:10.905591011 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:27:11.374663115 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:27:11 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 308de3522546690c1edad4afeb27e6e6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	104.21.80.1	443	7500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:27:04 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 06:27:04 UTC	853	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:27:04 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1891613 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uiRlK6xMUhvixRMlX6THtrNJaYngPsDBcccozier5SkbQLZ%2FHlBFbap0nbapRCHPWVA8HELsA0Y%2FLDUU2EwH4tQ9dtzSKjCK61Pg2bv7eGYnlUCsjct8qkCSPcPCn8bqwQKvB9Xt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9002d6bf6ed60f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1810&min_rtt=1509&rtt_var=781&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1935056&cwnd=231&unsent_bytes=0&cid=dc0d450f86c71144&ts=192&x=0"
2025-01-11 06:27:04 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	104.21.80.1	443	7500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:27:04 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 06:27:05 UTC	863	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:27:05 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1891614 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lWurPINlq4BWBS19iZqS9IvimYpYkMma792sWHZIwkvP%2BRbrj13D%2FcNcX8ME7Di6uE8W6kMxaATrXXvviABLQd%2BmG98iGzuY%2FngvyUhvnwyF%2FQBJ5Ebc7bEJhgQHtr%2F%2Fz0hbmY7Z"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9002d6c47f247d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1974&min_rtt=1966&rtt_var=753&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1438423&cwnd=244&unsent_bytes=0&cid=934112b512145e54&ts=242&x=0"
2025-01-11 06:27:05 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	104.21.80.1	443	7500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:27:06 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 06:27:06 UTC	861	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:27:06 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1891615 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vwXDT7w6tlbhfJ0t%2FDVEQB56SovTDi%2BrRbz7x15jWd%2FzCbqRcenve5cANsXFV%2BcAlMfR9LatPdEtcRWARADwXTjI5w7prZNhcM%2Buj0ts416hKmJBS4vqtyaAmeyg%2BFB9xQxdaYQI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9002d6cb4fdec443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1691&min_rtt=1690&rtt_var=636&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1715628&cwnd=244&unsent_bytes=0&cid=055ac81fa5b0c265&ts=142&x=0"
2025-01-11 06:27:06 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49736	104.21.80.1	443	7500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:27:07 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 06:27:07 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:27:07 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1891616 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IJQrbM4T8y%2FhQzWBYeXa9QB8amPLDeEomSuN4Ls%2BlW2I4nXyW62VYCK5ksu6xUGZocsjBR2%2FGmpdhxwj%2BoJhVkzftgqlwCoVau1Fmd9VlloJkqSVbWHA54tVPnOwHgPhxSXYOOCu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9002d6d25f778c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1938&min_rtt=1932&rtt_var=738&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1470292&cwnd=223&unsent_bytes=0&cid=5682be537a73a430&ts=153&x=0"
2025-01-11 06:27:07 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49738	104.21.80.1	443	7500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:27:08 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 06:27:08 UTC	859	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:27:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1891617 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9wqT4q%2FhUGGo5O4OnFkhf4d5mlzx0gxALY2qc%2B7BsTh5bCyABMltCP22YS687abGhImqoX3MQxAzozpb0%2FFygvWzYC%2FsWakPHntZu%2BdObVcSBifWd1FuPCnwueiIYmtMiEANJTV2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9002d6d97d9b42d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1555&min_rtt=1549&rtt_var=593&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1828428&cwnd=229&unsent_bytes=0&cid=ef1cde5971b60596&ts=134&x=0"
2025-01-11 06:27:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49740	104.21.80.1	443	7500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:27:09 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 06:27:09 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:27:09 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1891618 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DDgjRPRzP%2FOxV7S319QkEGF5RZnxeqTa8DhBRC%2BCBYmUErRFQ1OFpTAj4aN%2B3rxrlm3cMK1G9HYTXCYg6K1tFPvfV7B3hkQMUS9VzTfwLi8d8dEVmj7HO10vVvxvKo56ArZ8AsIH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9002d6e04fb87d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2004&min_rtt=2004&rtt_var=753&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1452736&cwnd=244&unsent_bytes=0&cid=9539951f355a877b&ts=141&x=0"
2025-01-11 06:27:09 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	104.21.80.1	443	7500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:27:10 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 06:27:10 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:27:10 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1891619 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q2ZihoWM4T8sb4gh50%2FQ84B7g81gkw6Gl5tQUekRoT2D8RgpZsIG2pR%2Fl6Ul1Uiem9s5FUMl8IH8ZowhYzIiJ19kbuCxd0p2A7b2QrmKIbrkDBX3f%2BMpaRtKJIHwxK6WBvflMvvf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9002d6e8aece7d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1919&min_rtt=1916&rtt_var=725&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1502057&cwnd=244&unsent_bytes=0&cid=76607f1e8a39858a&ts=168&x=0"
2025-01-11 06:27:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	104.21.80.1	443	7500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:27:11 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 06:27:11 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:27:11 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1891621 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Lk3DdWt1WsuzDD1B5xIdKmWRkVNOqbWe0LCyfKJkPzHeUg1S%2F6P8Ua6pnu30hc12SP1kCv8%2BarMXUMTZOND9z68YTiZjrSjCqe7fUD2aspFyu%2FFK7UM0ziJNzfyMgv8cDGcKizGc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9002d6ef8cc37d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1989&min_rtt=1981&rtt_var=759&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1427872&cwnd=244&unsent_bytes=0&cid=c0fc841bbc515ac9&ts=153&x=0"
2025-01-11 06:27:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	01:26:55
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\b6AGgIJ87g.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\b6AGgIJ87g.exe"
Imagebase:	0x520000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:26:58
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\b6AGgIJ87g.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.1744008189.0000000000F50000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 75%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:27:01
Start date:	11/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\b6AGgIJ87g.exe"
Imagebase:	0x970000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1838731692.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.1838731692.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.1838731692.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.1838731692.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.1840357737.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.1840357737.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:27:10
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:27:10
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:27:10
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x9f0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:27:13
Start date:	11/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biopsies.vbs"
Imagebase:	0x7ff66ad20000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:27:13
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000008.00000002.1903450528.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:27:17
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000009.00000002.1930630182.0000000001100000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:27:19
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000C.00000002.1957580721.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:27:22
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000D.00000002.1976305286.0000000001F10000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:27:24
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000E.00000002.2006886217.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	01:27:27
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000F.00000002.2038464121.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	01:27:30
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000010.00000002.2064854133.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	01:27:33
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000011.00000002.2100230907.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	01:27:36
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000012.00000002.2133278262.0000000001070000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	01:27:40
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000013.00000002.2170261177.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	01:27:43
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	01:27:46
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	01:27:47
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	01:27:49
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	01:27:51
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	01:27:54
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	01:27:56
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	01:27:58
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	01:28:00
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	01:28:03
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	01:28:05
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	01:28:07
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	01:28:08
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x7ff70f330000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	01:28:11
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	01:28:13
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	01:28:16
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	01:28:18
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	01:28:21
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	01:28:23
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	01:28:25
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	01:28:28
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	01:28:31
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Maianthemum\biopsies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Imagebase:	0x8b0000
File size:	1'021'952 bytes
MD5 hash:	04A2CCE147E8B29D89EF24AF80D493CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	7.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	183

Executed Functions

Function 00523B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00523B68
IsDebuggerPresent.KERNEL32 ref: 00523B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,005E52F8,005E52E0,?,?), ref: 00523BEB

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

Part of subcall function 0053092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00523C14,005E52F8,?,?,?), ref: 0053096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00523C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,005D7770,00000010), ref: 0055D281
SetCurrentDirectoryW.KERNEL32(?,005E52F8,?,?,?), ref: 0055D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,005D4260,005E52F8,?,?,?), ref: 0055D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0055D346

Part of subcall function 00523A46: GetSysColorBrush.USER32(0000000F), ref: 00523A50
Part of subcall function 00523A46: LoadCursorW.USER32(00000000,00007F00), ref: 00523A5F
Part of subcall function 00523A46: LoadIconW.USER32(00000063), ref: 00523A76
Part of subcall function 00523A46: LoadIconW.USER32(000000A4), ref: 00523A88
Part of subcall function 00523A46: LoadIconW.USER32(000000A2), ref: 00523A9A
Part of subcall function 00523A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00523AC0
Part of subcall function 00523A46: RegisterClassExW.USER32(?), ref: 00523B16

Part of subcall function 005239D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00523A03
Part of subcall function 005239D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00523A24
Part of subcall function 005239D5: ShowWindow.USER32(00000000,?,?), ref: 00523A38
Part of subcall function 005239D5: ShowWindow.USER32(00000000,?,?), ref: 00523A41

Part of subcall function 0052434A: _memset.LIBCMT ref: 00524370
Part of subcall function 0052434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00524415

Strings

%[, xrefs: 00523C44
This is a third-party compiled AutoIt script., xrefs: 0055D279
runas, xrefs: 0055D33A

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%[
API String ID: 529118366-1425557641
Opcode ID: 055277d347e9a78ab39daea6fa3e53424b51e0e7369a0d129c6935412306200c
Instruction ID: a44fc02c57c23bdb3c85f7b29dc5a53b74c39b86a3093ac2ca5ea67b65e1dc8b
Opcode Fuzzy Hash: 055277d347e9a78ab39daea6fa3e53424b51e0e7369a0d129c6935412306200c
Instruction Fuzzy Hash: 44513835D08159AACF15EBF4FC49AED7F78BF9A304F004066F551B61E1EA744A09DB20

Function 005249A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 005249CD

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

GetCurrentProcess.KERNEL32(?,005AFAEC,00000000,00000000,?), ref: 00524A9A
IsWow64Process.KERNEL32(00000000), ref: 00524AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00524AE7
FreeLibrary.KERNEL32(00000000), ref: 00524AF2
GetSystemInfo.KERNEL32(00000000), ref: 00524B23
GetSystemInfo.KERNEL32(00000000), ref: 00524B2F

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: ef743a281e54b9e9b1ef31b2cf4041ad2d58de3d5d4bd6dd160e22ea4dc9f7fb
Instruction ID: 4ad3055bf0d727d1dbbb0184e710e287d495473786e508019d6cfd712117e3ea
Opcode Fuzzy Hash: ef743a281e54b9e9b1ef31b2cf4041ad2d58de3d5d4bd6dd160e22ea4dc9f7fb
Instruction Fuzzy Hash: 0891C4319897D1DEC731CB6894901AEBFF5BF3A301B444DAED0CB93A81D220A50CDB69

Function 00524E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00524D8E,?,?,00000000,00000000), ref: 00524E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00524D8E,?,?,00000000,00000000), ref: 00524EB0
LoadResource.KERNEL32(?,00000000,?,?,00524D8E,?,?,00000000,00000000,?,?,?,?,?,?,00524E2F), ref: 0055D937
SizeofResource.KERNEL32(?,00000000,?,?,00524D8E,?,?,00000000,00000000,?,?,?,?,?,?,00524E2F), ref: 0055D94C
LockResource.KERNEL32(00524D8E,?,?,00524D8E,?,?,00000000,00000000,?,?,?,?,?,?,00524E2F,00000000), ref: 0055D95F

Strings

SCRIPT, xrefs: 00524EA6

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 8dab87858b0234e15a50ecf078eb081f4e96ac4d8ba0a1e5917a8881d47b9aa0
Instruction ID: 2d9a63e9f0535642ec956c231844724284115d707d3a5b87a710b48a78b88c42
Opcode Fuzzy Hash: 8dab87858b0234e15a50ecf078eb081f4e96ac4d8ba0a1e5917a8881d47b9aa0
Instruction Fuzzy Hash: F5114876240701BBE7218BA5EC48F677BBEFFC6B11F204268F40686290DB71E8049B61

Function 0052FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

%[, xrefs: 0052FCF3
pb^, xrefs: 005649B9

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: BuffCharUpper
String ID: pb^$%[
API String ID: 3964851224-1575657069
Opcode ID: 8ea5d7e551992e0ed56fdde071ecbe588e142af8f0407fd75e73987554c74325
Instruction ID: 58aa64ca9160a5fa4d93ded9b6dc81cc2293e9c3ff90aacca00315c645531432
Opcode Fuzzy Hash: 8ea5d7e551992e0ed56fdde071ecbe588e142af8f0407fd75e73987554c74325
Instruction Fuzzy Hash: 629289746083518FD724DF24C494B2ABBE5BF85304F14996DE88A8B3A2D771EC45CF92

Function 0052E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dd^, xrefs: 00563B2E
Dd^, xrefs: 00563AF5
Variable must be of type 'Object'., xrefs: 00563E62
Dd^, xrefs: 0052EABA
Dd^, xrefs: 0052EAC1

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID: Dd^$Dd^$Dd^$Dd^$Variable must be of type 'Object'.
API String ID: 0-1160235969
Opcode ID: 4e1a6817b3c87977a4ffeeb127a3ba9b3b4ff6669eae621df5b3f5470cc31d00
Instruction ID: d81f9a1e72d190aa30ce4893d3f17772a1b7dd182989e5baaa423dbb8651e119
Opcode Fuzzy Hash: 4e1a6817b3c87977a4ffeeb127a3ba9b3b4ff6669eae621df5b3f5470cc31d00
Instruction Fuzzy Hash: 85A29E75A00225CFCB24CF54E485AAEBFB5FF5A310F248469E945AB391D731ED42CB90

Function 0058445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0055E398), ref: 0058446A
FindFirstFileW.KERNELBASE(?,?), ref: 0058447B
FindClose.KERNEL32(00000000), ref: 0058448B

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: c18845af6850f1226936388eeb9f94b0f582a941f0c932dd59931ea2af018c03
Instruction ID: 3b8812d4aa2743dba89463929cfa54e0a7bd2963a4a54787ebf44c36f70925af
Opcode Fuzzy Hash: c18845af6850f1226936388eeb9f94b0f582a941f0c932dd59931ea2af018c03
Instruction Fuzzy Hash: 1FE0D8364105016746107B78EC0D5ED7F9CAE16335F100B16FC36D10F0E7B45D04AB95

Function 005309D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00530A5B
timeGetTime.WINMM ref: 00530D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00530E53
Sleep.KERNEL32(0000000A), ref: 00530E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00530EFA
DestroyWindow.USER32 ref: 00530F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00530F20
Sleep.KERNEL32(0000000A,?,?), ref: 00564E83
TranslateMessage.USER32(?), ref: 00565C60
DispatchMessageW.USER32(?), ref: 00565C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00565C82

Strings

@TRAY_ID, xrefs: 0056578F
pb^, xrefs: 00564F59
pb^, xrefs: 005657B4
pb^, xrefs: 00565003
@GUI_CTRLID, xrefs: 00564F3A
pb^, xrefs: 00564FAE
@COM_EVENTOBJ, xrefs: 005654F0
@GUI_WINHANDLE, xrefs: 00564F8F
@GUI_CTRLHANDLE, xrefs: 00564FE4

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb^$pb^$pb^$pb^
API String ID: 4212290369-4286532560
Opcode ID: eb137e4bea8f1dcd97de419c7ae1bfb4312278c5fcabb6607be46cc525751e52
Instruction ID: cb5c99ed1999387d08efde794daf56b45df9a5529c446962a0a4f8c1bc0d2b56
Opcode Fuzzy Hash: eb137e4bea8f1dcd97de419c7ae1bfb4312278c5fcabb6607be46cc525751e52
Instruction Fuzzy Hash: ACB2C270608742DFD728DF24C898BAEBFE4BF85304F14491DE589972A1DB71E884DB82

Function 00589155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00588F5F: __time64.LIBCMT ref: 00588F69

Part of subcall function 00524EE5: _fseek.LIBCMT ref: 00524EFD

__wsplitpath.LIBCMT ref: 00589234

Part of subcall function 005440FB: __wsplitpath_helper.LIBCMT ref: 0054413B

_wcscpy.LIBCMT ref: 00589247
_wcscat.LIBCMT ref: 0058925A
__wsplitpath.LIBCMT ref: 0058927F
_wcscat.LIBCMT ref: 00589295
_wcscat.LIBCMT ref: 005892A8

Part of subcall function 00588FA5: _memmove.LIBCMT ref: 00588FDE
Part of subcall function 00588FA5: _memmove.LIBCMT ref: 00588FED

_wcscmp.LIBCMT ref: 005891EF

Part of subcall function 00589734: _wcscmp.LIBCMT ref: 00589824
Part of subcall function 00589734: _wcscmp.LIBCMT ref: 00589837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00589452
_wcsncpy.LIBCMT ref: 005894C5
DeleteFileW.KERNEL32(?,?), ref: 005894FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00589511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00589522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00589534

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: c201dcb6287bab2ee1749d5f97f61d55428b82d3750142f6b5d4d5fa994cc2dc
Instruction ID: f442c2035a573258e75c9375f82bcdc91bab61bd1a1088955602635cfed662f2
Opcode Fuzzy Hash: c201dcb6287bab2ee1749d5f97f61d55428b82d3750142f6b5d4d5fa994cc2dc
Instruction Fuzzy Hash: CBC140B1D00129AADF21EF95CC85AEEBBBDFF85314F0044A6F609E7151EB309A448F65

Function 00523015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00523074
RegisterClassExW.USER32(00000030), ref: 0052309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005230AF
InitCommonControlsEx.COMCTL32(?), ref: 005230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005230DC
LoadIconW.USER32(000000A9), ref: 005230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00523101

Strings

0, xrefs: 00523056
AutoIt v3 GUI, xrefs: 00523090
+, xrefs: 0052305D
TaskbarCreated, xrefs: 005230A4

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 3832b5b84dc5251464c7aeac7f080bbd2cfd09fa4909a70c82a5e7c865b95771
Instruction ID: 05a42980b5ea64d26479ff4a0e2bd1ad1c64f69be5d42210ed9bae3ec5bc1765
Opcode Fuzzy Hash: 3832b5b84dc5251464c7aeac7f080bbd2cfd09fa4909a70c82a5e7c865b95771
Instruction Fuzzy Hash: 78312A71845349AFDB50CFE4EC88A9EBFF4FB1A314F24456AE580AA2A0E3B50548DF51

Function 00523041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00523074
RegisterClassExW.USER32(00000030), ref: 0052309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005230AF
InitCommonControlsEx.COMCTL32(?), ref: 005230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005230DC
LoadIconW.USER32(000000A9), ref: 005230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00523101

Strings

0, xrefs: 00523056
AutoIt v3 GUI, xrefs: 00523090
+, xrefs: 0052305D
TaskbarCreated, xrefs: 005230A4

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 76581b03285c7c21a6c443d2d9598a10fae067dfd02fa2dba97b7bf74426a36d
Instruction ID: 83e433242aa836dea3ea70528477d68f9a1cf297113bf7b419ff68ce30943da9
Opcode Fuzzy Hash: 76581b03285c7c21a6c443d2d9598a10fae067dfd02fa2dba97b7bf74426a36d
Instruction Fuzzy Hash: DB21F7B5D01258AFDB00DFE4EC88BDDBBF4FB19704F10412AF651AA2A0E7B14548AF95

Function 0052708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00524706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005E52F8,?,005237AE,?), ref: 00524724

Part of subcall function 0054050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00527165), ref: 0054052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 005271A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0055E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0055E909
RegCloseKey.ADVAPI32(?), ref: 0055E947
_wcscat.LIBCMT ref: 0055E9A0

Strings

\Include\, xrefs: 00527165
\, xrefs: 0055E9C3
Include, xrefs: 0055E8BF, 0055E900
Software\AutoIt v3\AutoIt, xrefs: 0052719E

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: abca4a9ca494b521dbaffb66f50c6957d68ac14b7b0b388f54fe42ddfdb61cc3
Instruction ID: 1a1f0dbce327989c58ad511fb98d6dda212e155294a83afe5d35b842face27e7
Opcode Fuzzy Hash: abca4a9ca494b521dbaffb66f50c6957d68ac14b7b0b388f54fe42ddfdb61cc3
Instruction Fuzzy Hash: C671C0755083529EC308DF65E8959ABBFF8FFA9390F40052EF5858B1A0EB70994CCB52

Function 00523633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 005236D2
KillTimer.USER32(?,00000001), ref: 005236FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0052371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0052372A
CreatePopupMenu.USER32 ref: 0052373E
PostQuitMessage.USER32(00000000), ref: 0052374D

Strings

%[, xrefs: 0055D081, 0055D0CF
TaskbarCreated, xrefs: 00523725

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%[
API String ID: 129472671-3028661578
Opcode ID: 3d1f436b1852f670282d7897dfdf79940d48c955c582a35cce534dd9a6dbb494
Instruction ID: 33a0258d3b897f3ea177f84b0396cbf33cc03eb95dd31d98d44172e5699fae68
Opcode Fuzzy Hash: 3d1f436b1852f670282d7897dfdf79940d48c955c582a35cce534dd9a6dbb494
Instruction Fuzzy Hash: 19417BB2100555BBCF285F64FC4DB793F98FF12300F140425FA82962F1E669AE09A761

Function 00523A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00523A50
LoadCursorW.USER32(00000000,00007F00), ref: 00523A5F
LoadIconW.USER32(00000063), ref: 00523A76
LoadIconW.USER32(000000A4), ref: 00523A88
LoadIconW.USER32(000000A2), ref: 00523A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00523AC0
RegisterClassExW.USER32(?), ref: 00523B16

Part of subcall function 00523041: GetSysColorBrush.USER32(0000000F), ref: 00523074
Part of subcall function 00523041: RegisterClassExW.USER32(00000030), ref: 0052309E
Part of subcall function 00523041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005230AF
Part of subcall function 00523041: InitCommonControlsEx.COMCTL32(?), ref: 005230CC
Part of subcall function 00523041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005230DC
Part of subcall function 00523041: LoadIconW.USER32(000000A9), ref: 005230F2
Part of subcall function 00523041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00523101

Strings

AutoIt v3, xrefs: 00523B05
0, xrefs: 00523AF4
#, xrefs: 00523AFB

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d1d705582325ce4c76fc443b156bc7bb66279d5f8cfe79bead3687c379863304
Instruction ID: 9ea61ea91074ba10ea3309ffa618dcda17d1235152a677e923bf435c5e7911a7
Opcode Fuzzy Hash: d1d705582325ce4c76fc443b156bc7bb66279d5f8cfe79bead3687c379863304
Instruction Fuzzy Hash: BF217E75D00344AFEB14CFA4EC89B9D7FB0FB29715F00012AF640AA2A1E3B55548EF90

Function 00523766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/ErrorStdOut, xrefs: 0052387D
/AutoIt3OutputDebug, xrefs: 00523892
CMDLINE, xrefs: 00523822
CMDLINERAW, xrefs: 005237FB
/AutoIt3ExecuteScript, xrefs: 005238BC
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 005237AE
/AutoIt3ExecuteLine, xrefs: 005238A7
R^, xrefs: 0055D213

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R^
API String ID: 1825951767-420430719
Opcode ID: 60f978ba6f685ba99d265a23fffe9abf907cce764d5072d8ab53e3f34c62cc12
Instruction ID: e361adc1c88c348e9c35146b63894433fa0c50d8de1c8c81fa545ab3650b7f8f
Opcode Fuzzy Hash: 60f978ba6f685ba99d265a23fffe9abf907cce764d5072d8ab53e3f34c62cc12
Instruction Fuzzy Hash: 0EA1307690022E9ACB15EBA0EC99AEEBF7CBF56304F440429F415B71D1EF745A08CB60

Function 0052F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00540162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00540193
Part of subcall function 00540162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0054019B
Part of subcall function 00540162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 005401A6
Part of subcall function 00540162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 005401B1
Part of subcall function 00540162: MapVirtualKeyW.USER32(00000011,00000000), ref: 005401B9
Part of subcall function 00540162: MapVirtualKeyW.USER32(00000012,00000000), ref: 005401C1

Part of subcall function 005360F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0052F930), ref: 00536154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0052F9CD
OleInitialize.OLE32(00000000), ref: 0052FA4A
CloseHandle.KERNEL32(00000000), ref: 005645C8

Strings

%[, xrefs: 0052F796, 0052F7A8, 0052F96E, 0052FA51
\T^, xrefs: 0052F7F7
S^, xrefs: 0052F7EB
<W^, xrefs: 0052F930

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <W^$\T^$%[$S^
API String ID: 1986988660-4003361884
Opcode ID: 6587cf314fe517ad56ae61d72a30ce0eed81325a07b5ab74ebc8d41c0b8e8a83
Instruction ID: f065399c5e3fd564b4bdf3ff836caa6e2523adab4aac3fbd5a706e8cf2bf84e6
Opcode Fuzzy Hash: 6587cf314fe517ad56ae61d72a30ce0eed81325a07b5ab74ebc8d41c0b8e8a83
Instruction Fuzzy Hash: 1C81C0B0901BC58FCB8CDF39A9846197FE5FBA834E750852AD189CF2A1F7704488AF11

Function 01362F08 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01362F4D

Memory Dump Source

Source File: 00000000.00000002.1721547331.0000000001362000.00000040.00000020.00020000.00000000.sdmp, Offset: 01362000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1362000_b6AGgIJ87g.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 5c8026bc10a882bccf7b6804742106643ce9f654d63ee1eafde241eb1b1387f1
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: AB51E875A50208FBEF20DFA4CC49FDE777CBF48705F108558FA1AEA180DA759A488B64

Function 005239D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00523A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00523A24
ShowWindow.USER32(00000000,?,?), ref: 00523A38
ShowWindow.USER32(00000000,?,?), ref: 00523A41

Strings

AutoIt v3, xrefs: 005239FB, 00523A00, 00523A01
edit, xrefs: 00523A1E

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 6725b50c2f59d707b9a30cbbec79dc12eee4ad75d2f110a4a5f7c6f1fd214917
Instruction ID: 2c836dbe3a89cbe2e0cc2ffb8cca74e0955ceba2ca2f816a733e8f85687e76de
Opcode Fuzzy Hash: 6725b50c2f59d707b9a30cbbec79dc12eee4ad75d2f110a4a5f7c6f1fd214917
Instruction Fuzzy Hash: C7F03A75A002D07EEA305763AC88E7B3E7DE7D7F54B00002ABB40AA171E2610844EAB0

Function 0052407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0055D3D7

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

_memset.LIBCMT ref: 005240FC
_wcscpy.LIBCMT ref: 00524150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00524160

Strings

Line: , xrefs: 0055D400

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: ddbad92e294a7cbcca4dac2908f34a16f4e23f964103e89fdd88cbda486a8aaa
Instruction ID: 6dcbd386474e72b8c14695a9284623c758df859f6e34dd178589bd983db7c179
Opcode Fuzzy Hash: ddbad92e294a7cbcca4dac2908f34a16f4e23f964103e89fdd88cbda486a8aaa
Instruction Fuzzy Hash: 8831C4710087566FD724EB60EC4AFDB7FD8BF96304F10491AF685960E1EB709648CB92

Function 0054541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0054547B
_memcpy_s.LIBCMT ref: 005454ED
__read_nolock.LIBCMT ref: 0054554B
__filbuf.LIBCMT ref: 0054556E
_memset.LIBCMT ref: 005455B2

Part of subcall function 00548B28: __getptd_noexit.LIBCMT ref: 00548B28

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: e6000b6c37e23a46ce169529d83a71c3d2e084557d930dc05575584f48bac555
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 2051B670A00B05DBCF249FA9D8446FE7FB6BF41329F248729F8259A2D2E7709D549B40

Function 0052686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00524DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00524E0F

_free.LIBCMT ref: 0055E263
_free.LIBCMT ref: 0055E2AA

Part of subcall function 00526A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00526BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0055E039
Bad directive syntax error, xrefs: 0055E292

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: ccd3c0540e897104d278b194f7dc2f9f5760ac6c854ddc34a347124b85f61b3d
Instruction ID: 2ec3a1cb2447a59c5bb882ebcb85e53778d706332760998538bad39d0c6c0898
Opcode Fuzzy Hash: ccd3c0540e897104d278b194f7dc2f9f5760ac6c854ddc34a347124b85f61b3d
Instruction Fuzzy Hash: BA91617190022A9FCF08EFA4DC569EDBFB8FF49315F10442AF815AB2A1DB709A55CB50

Function 013649C8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 150fileCOMMON

Download Yara Rule

APIs

Part of subcall function 013648B8: Sleep.KERNELBASE(000001F4), ref: 013648C9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01364AEC

Strings

F2EWQOG896, xrefs: 01364B6C, 01364B6F

Memory Dump Source

Source File: 00000000.00000002.1721547331.0000000001362000.00000040.00000020.00020000.00000000.sdmp, Offset: 01362000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1362000_b6AGgIJ87g.jbxd

Similarity

API ID: CreateFileSleep
String ID: F2EWQOG896
API String ID: 2694422964-118633520
Opcode ID: c55918c5c8ddd3d12426476eaeb6cf5e35259ba66a09c69b82cd157f2122d03c
Instruction ID: 8e30d0f9cd2708e9d92cc81207a8ddbd1c2826113cb989f561fd0329352d74d6
Opcode Fuzzy Hash: c55918c5c8ddd3d12426476eaeb6cf5e35259ba66a09c69b82cd157f2122d03c
Instruction Fuzzy Hash: 4051A031E04249EBEF11DBE4D855BEEBB79EF58304F008199E609BB2C0D6790B45CBA5

Function 005235B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,005235A1,SwapMouseButtons,00000004,?), ref: 005235D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,005235A1,SwapMouseButtons,00000004,?,?,?,?,00522754), ref: 005235F5
RegCloseKey.KERNELBASE(00000000,?,?,005235A1,SwapMouseButtons,00000004,?,?,?,?,00522754), ref: 00523617

Strings

Control Panel\Mouse, xrefs: 005235D2

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 9cbd39052419e18658d87617f7f0be5b84bac753c38cf236e10d7dac92e8d854
Instruction ID: dd9c578246d5b9e72abc785a1326f61ac2efe2ac44691957df9ae8c370a821ab
Opcode Fuzzy Hash: 9cbd39052419e18658d87617f7f0be5b84bac753c38cf236e10d7dac92e8d854
Instruction Fuzzy Hash: 2B114871610228BFDB208FA4EC44AAEBBBCFF06740F014469E805D7250E271AE44AB60

Function 0058955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00524EE5: _fseek.LIBCMT ref: 00524EFD

Part of subcall function 00589734: _wcscmp.LIBCMT ref: 00589824
Part of subcall function 00589734: _wcscmp.LIBCMT ref: 00589837

_free.LIBCMT ref: 005896A2
_free.LIBCMT ref: 005896A9
_free.LIBCMT ref: 00589714

Part of subcall function 00542D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00549A24), ref: 00542D69
Part of subcall function 00542D55: GetLastError.KERNEL32(00000000,?,00549A24), ref: 00542D7B

_free.LIBCMT ref: 0058971C

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: e2bdc7549961a7f0a4f8e2a9db3d1c9cfec97ce2209b93f424fd78cc36548baa
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: BB515EB1D04219ABDF249F64DC85AAEBB79FF89300F14449EF609A3341DB715A80CF58

Function 0054470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005447A0
__flush.LIBCMT ref: 005447C0
__write.LIBCMT ref: 005447F3
__flsbuf.LIBCMT ref: 00544821

Part of subcall function 00548B28: __getptd_noexit.LIBCMT ref: 00548B28

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 87481ade180fe825c11ea3adbff061da60a1d936f77d12349e28c62f74066b83
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 5E41D374A407469BDB18CF69C884AEE7FA5FF81368B24853DE815C7640EB70DD428F40

Function 005244A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005244CF

Part of subcall function 0052407C: _memset.LIBCMT ref: 005240FC
Part of subcall function 0052407C: _wcscpy.LIBCMT ref: 00524150
Part of subcall function 0052407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00524160

KillTimer.USER32(?,00000001,?,?), ref: 00524524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00524533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0055D4B9

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 19025e88b152ad0cae4533195af282b43781dffb8e46b719e298385e7bdcaa0a
Instruction ID: 475f96e1543448fdf3932e87d75e04423ab5ed463116ad2000545d0a1e4bcff3
Opcode Fuzzy Hash: 19025e88b152ad0cae4533195af282b43781dffb8e46b719e298385e7bdcaa0a
Instruction Fuzzy Hash: 4921F5759047949FEB32CB249859BE6BFECBF16309F04049EE7CA5A181C3B42988DB51

Function 00524C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00524CBA

Strings

EA06, xrefs: 0055D8CC
AU3!P/[, xrefs: 00524CB4

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/[$EA06
API String ID: 4104443479-1006748828
Opcode ID: 702fabb55b78e4c17d1d4de2b3b74d99ccdd4db956eadef892af45af48a2bc3f
Instruction ID: 78562c308641064c7eb9a476f3a1e6d36494aed9ab33db3c04148fb6f1c63193
Opcode Fuzzy Hash: 702fabb55b78e4c17d1d4de2b3b74d99ccdd4db956eadef892af45af48a2bc3f
Instruction Fuzzy Hash: C2418E32A0017957DF219B64F8557BE7F65BF87300F684465EC82A72C6D6209D448FA1

Function 00527285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0055EA39
GetOpenFileNameW.COMDLG32(?), ref: 0055EA83

Part of subcall function 00524750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00524743,?,?,005237AE,?), ref: 00524770

Part of subcall function 00540791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005407B0

Strings

X, xrefs: 0055EA51

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 3c728887cd587245830f67b5fa3fb5aa533a2833b84e5ab6502b1885b7754c3c
Instruction ID: e2629ff157f25789c73e7c52ce2b5515f75642e3b9bb1f871777bec4678fadf8
Opcode Fuzzy Hash: 3c728887cd587245830f67b5fa3fb5aa533a2833b84e5ab6502b1885b7754c3c
Instruction Fuzzy Hash: B521C631A002599BCB11DF98D849BEE7FF8BF49315F00405AE908A7281DBB4598D8F91

Function 00588D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00588DAC
__fread_nolock.LIBCMT ref: 00588DC1

Strings

EA06, xrefs: 00588DF3

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 576e8529372d389ab2d849daea88eadf9ac1acc35de4bf440b4ab95782d4e6ac
Instruction ID: 9e130e65738853b13ee6ec0275086160b41686e9bd7ce02d6e40f93f10e230e9
Opcode Fuzzy Hash: 576e8529372d389ab2d849daea88eadf9ac1acc35de4bf440b4ab95782d4e6ac
Instruction Fuzzy Hash: 7701F9718042187FDB28DBA8C81AEFE7FF8EB11301F00459BF552D2281E874A6148760

Function 013635E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0136362D
ExitProcess.KERNEL32(00000000), ref: 0136364C

Strings

D, xrefs: 013635F9

Memory Dump Source

Source File: 00000000.00000002.1721547331.0000000001362000.00000040.00000020.00020000.00000000.sdmp, Offset: 01362000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1362000_b6AGgIJ87g.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
Instruction ID: 1d1d2c823f3b38a62b9de40df4dcede5d2380e9cc9945b62d3763bc476a98177
Opcode Fuzzy Hash: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
Instruction Fuzzy Hash: 83F0EC7194024CABDB60EFE4CC49FEE777CBF04705F40C508BA5A9A184DA7496188B61

Function 005898E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 005898F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0058990F

Strings

aut, xrefs: 00589909

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 932107abb558802a4e4b171acdad2587e86184f3b5fad4ce76628a076ddc9263
Instruction ID: f0787e1201dc45722c61218ae871fcc4440f712e2c624e732ecb72afa4d6e8d9
Opcode Fuzzy Hash: 932107abb558802a4e4b171acdad2587e86184f3b5fad4ce76628a076ddc9263
Instruction Fuzzy Hash: B0D05E7954030DABDB609BE4DC0EFEA7B3CEB14701F0006B2BB94911A1EAB095989B91

Function 0059CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86133baa7607d5936acc37fb82be62a0d1aef3e84a55ba9cb3fa435d70168cca
Instruction ID: 9f5697681199a82ebc4eb57655c2c6f2a00d1ebebceb66f1c23f674bf57013bd
Opcode Fuzzy Hash: 86133baa7607d5936acc37fb82be62a0d1aef3e84a55ba9cb3fa435d70168cca
Instruction Fuzzy Hash: BEF103716083419FCB14DF28C484A6ABBE5FF89314F54896EF8999B292D730E945CF82

Function 0052434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00524370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00524415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00524432

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 1120577a4da814c4a520e6b7878a112be63b3053695eace586ea54323a0bacf6
Instruction ID: c7b300913956850c2d125a7609377505bd91946ae48a62e3d2e73313cd1e5168
Opcode Fuzzy Hash: 1120577a4da814c4a520e6b7878a112be63b3053695eace586ea54323a0bacf6
Instruction Fuzzy Hash: CB3150705047118FD725DF64E88469BBFF8FF69309F00092EE6DA86291E771A948CB92

Function 0054571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00545733

Part of subcall function 0054A16B: __NMSG_WRITE.LIBCMT ref: 0054A192
Part of subcall function 0054A16B: __NMSG_WRITE.LIBCMT ref: 0054A19C

__NMSG_WRITE.LIBCMT ref: 0054573A

Part of subcall function 0054A1C8: GetModuleFileNameW.KERNEL32(00000000,005E33BA,00000104,?,00000001,00000000), ref: 0054A25A
Part of subcall function 0054A1C8: ___crtMessageBoxW.LIBCMT ref: 0054A308

Part of subcall function 0054309F: ___crtCorExitProcess.LIBCMT ref: 005430A5
Part of subcall function 0054309F: ExitProcess.KERNEL32 ref: 005430AE

Part of subcall function 00548B28: __getptd_noexit.LIBCMT ref: 00548B28

RtlAllocateHeap.NTDLL(012B0000,00000000,00000001,00000000,?,?,?,00540DD3,?), ref: 0054575F

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: ded488e9bd239d86b253b9914eea71b4306ba9c92c6ca94d02810c6285e165d6
Instruction ID: 89a37cc971656014a263fcabaf39cb5742839223a6fca6e8e7475f631e211f0e
Opcode Fuzzy Hash: ded488e9bd239d86b253b9914eea71b4306ba9c92c6ca94d02810c6285e165d6
Instruction Fuzzy Hash: F701C035240A02DBE6142B34EC8AAEE7F48FB923A9B100935F5459B192EF709C009661

Function 005898A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00589548,?,?,?,?,?,00000004), ref: 005898BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00589548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 005898D1
CloseHandle.KERNEL32(00000000,?,00589548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 005898D8

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 7059cc5e483a7612e2144cb33aaa232476cd5e1026184d522c8f931a9cd77448
Instruction ID: 4cc4ecd8e0ae30f4e637af7fa9f23facc7ee94680a3ba243bdb125dab168b7c4
Opcode Fuzzy Hash: 7059cc5e483a7612e2144cb33aaa232476cd5e1026184d522c8f931a9cd77448
Instruction Fuzzy Hash: E0E08632240214BBDB312B94EC09FDA7F19AB17761F144121FB54790E087B11515A798

Function 00588D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00588D1B

Part of subcall function 00542D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00549A24), ref: 00542D69
Part of subcall function 00542D55: GetLastError.KERNEL32(00000000,?,00549A24), ref: 00542D7B

_free.LIBCMT ref: 00588D2C
_free.LIBCMT ref: 00588D3E

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 331674ddec1d294179db5e8a9e74b4860a5821e29cfcda55e4dae57ca0473e52
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 9FE012B1A0261246CB24B578A944AE31BDCAF98396F94091DB80DE7186DE64F8838224

Function 0052A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0055FC01

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: f4b4b84ddfda5e716438f524199362a716aa285d57c97735f3805bdf989f6e71
Instruction ID: 7f3db9b253b94e39989627bce38ae96f2a9f2254fa96c1360af21dcd434165db
Opcode Fuzzy Hash: f4b4b84ddfda5e716438f524199362a716aa285d57c97735f3805bdf989f6e71
Instruction Fuzzy Hash: C1226870508361DFDB24DF14D494A6ABFE1BF86304F14896DE88A9B3A2D731EC45DB82

Function 005247D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00524834

Part of subcall function 0054336C: __lock.LIBCMT ref: 00543372
Part of subcall function 0054336C: DecodePointer.KERNEL32(00000001,?,00524849,00577C74), ref: 0054337E
Part of subcall function 0054336C: EncodePointer.KERNEL32(?,?,00524849,00577C74), ref: 00543389

Part of subcall function 005248FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00524915
Part of subcall function 005248FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0052492A

Part of subcall function 00523B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00523B68
Part of subcall function 00523B3A: IsDebuggerPresent.KERNEL32 ref: 00523B7A
Part of subcall function 00523B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,005E52F8,005E52E0,?,?), ref: 00523BEB
Part of subcall function 00523B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00523C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00524874

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 1d66d40b93f2a26054d64e50cb60b41b01020ec74a24b3a97b7a9d9f6d9ffcd4
Instruction ID: e019346be97fffd926fe972edf3ee813fe987f7add3c3fa3b63e20446b8dd7e2
Opcode Fuzzy Hash: 1d66d40b93f2a26054d64e50cb60b41b01020ec74a24b3a97b7a9d9f6d9ffcd4
Instruction Fuzzy Hash: C4118E729043529BC704DF68E88990ABFE8FFAA754F10491AF1848B2B1EB709548DB91

Function 00540DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0054571C: __FF_MSGBANNER.LIBCMT ref: 00545733
Part of subcall function 0054571C: __NMSG_WRITE.LIBCMT ref: 0054573A
Part of subcall function 0054571C: RtlAllocateHeap.NTDLL(012B0000,00000000,00000001,00000000,?,?,?,00540DD3,?), ref: 0054575F

std::exception::exception.LIBCMT ref: 00540DEC
__CxxThrowException@8.LIBCMT ref: 00540E01

Part of subcall function 0054859B: RaiseException.KERNEL32(?,?,?,005D9E78,00000000,?,?,?,?,00540E06,?,005D9E78,?,00000001), ref: 005485F0

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: b677f63961eed275b2d3447339a0a529b189cc38d28766a70711ac238deed934
Instruction ID: 883f57efb808192da9ae65c795edeb3564a9f329afe21d129969c22bd0bc438f
Opcode Fuzzy Hash: b677f63961eed275b2d3447339a0a529b189cc38d28766a70711ac238deed934
Instruction Fuzzy Hash: 7CF0A93590021A66CB14BA98EC095EE7FECFF41359F10082AF91596291DF709A55C5E1

Function 005455FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0054562C
__lock_file.LIBCMT ref: 0054564D

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 09f11003d853e939440af1767ed4f14148c906e4d929446d76cbd43653f2d481
Instruction ID: db9219583bb17a70e508500d25b91330ddb36961b1f3996df203d9189133d9eb
Opcode Fuzzy Hash: 09f11003d853e939440af1767ed4f14148c906e4d929446d76cbd43653f2d481
Instruction Fuzzy Hash: FA01A771C01A0AEBCF12AFA89C0A4EE7F61BFD2369F554115F8141A192EB318A51EF91

Function 005453A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00548B28: __getptd_noexit.LIBCMT ref: 00548B28

__lock_file.LIBCMT ref: 005453EB

Part of subcall function 00546C11: __lock.LIBCMT ref: 00546C34

__fclose_nolock.LIBCMT ref: 005453F6

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 770a77ee7fbd95202b08b2433ca7d7e34973741f97dceca3c00e85507caf3561
Instruction ID: 8c092e269f7f2cde224d2cf63e0f6b101d73820642275fa688b2f7f8439934bb
Opcode Fuzzy Hash: 770a77ee7fbd95202b08b2433ca7d7e34973741f97dceca3c00e85507caf3561
Instruction Fuzzy Hash: C1F09631801A069BDB106F65980D7ED6EA07F8137CF248505A464AB1C2DBBC4945AB52

Function 01363658 Relevance: 1.7, APIs: 1, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 01362EC8: GetFileAttributesW.KERNELBASE(?), ref: 01362ED3

CreateDirectoryW.KERNELBASE(?,00000000), ref: 013637BD

Memory Dump Source

Source File: 00000000.00000002.1721547331.0000000001362000.00000040.00000020.00020000.00000000.sdmp, Offset: 01362000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1362000_b6AGgIJ87g.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 9d04741d2c0209882df5a419dcc39510e0a758fb8edd098ef46e52ade7220a01
Instruction ID: 9f167444d55868da91098d7d5fe319d95eb090e4b06afa3b14d5efa905664fbb
Opcode Fuzzy Hash: 9d04741d2c0209882df5a419dcc39510e0a758fb8edd098ef46e52ade7220a01
Instruction Fuzzy Hash: 17519E31A1020896EF14DFA4D844BEF773AFF58700F00856DE60DEB284EB759A48CBA5

Function 00540C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00540CB7

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: f4d7ae171862489cddc956dbc40128c953cfd46ca124b96e64f4c0439facaa78
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 0331C370A00105DBC718DF58D4C49A9FBB6FB99308B7496A5E90ACB391D631EDC1DBC0

Function 0055FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0055FCB7

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: a1690d0e79aef1bed43ad2e5df10fc1a4bc946c3d27e305e8c2ab8800debe9bb
Instruction ID: 4f36c46faf0482d058b10fb77bbc2b6adf42b179e8c8f5fd4a338504c1509e0a
Opcode Fuzzy Hash: a1690d0e79aef1bed43ad2e5df10fc1a4bc946c3d27e305e8c2ab8800debe9bb
Instruction Fuzzy Hash: 9F41F5746043518FDB25DF14D498B1ABFE1BF85318F1988ACE9998B3A2C731EC45CB52

Function 00524DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00524BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00524BEF

Part of subcall function 0054525B: __wfsopen.LIBCMT ref: 00545266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00524E0F

Part of subcall function 00524B6A: FreeLibrary.KERNEL32(00000000), ref: 00524BA4

Part of subcall function 00524C70: _memmove.LIBCMT ref: 00524CBA

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 020df9d337a3a9dfdaba05c677acc09fe7e52af5763ca98efee2861accfc28cf
Instruction ID: 05e9e027e360925c301dc050bb3f57b140df191d6225c267df40aa8ec7eca45b
Opcode Fuzzy Hash: 020df9d337a3a9dfdaba05c677acc09fe7e52af5763ca98efee2861accfc28cf
Instruction Fuzzy Hash: B811C432600216ABDF20AF70D81AFAD7FA9BFC6710F108829F941A71C1EA7199049F61

Function 0055FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0055FD91

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: f433c035dea3117629f23eb6d011c5942b507c358b482ad20318e6c16b42ce1e
Instruction ID: 3f8e419c4773d9ec3298bcb2d43558e661752d37d5c80b93efcc989223c5dae6
Opcode Fuzzy Hash: f433c035dea3117629f23eb6d011c5942b507c358b482ad20318e6c16b42ce1e
Instruction Fuzzy Hash: 04214474508312DFCB14DF64D444A1ABFE0BF89314F04896CF98A577A2D731E819CB92

Function 00544863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 005448A6

Part of subcall function 00548B28: __getptd_noexit.LIBCMT ref: 00548B28

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: bc0a4ea3404a5ae87b155893caa4576e32ad90ef9c0b61ac7cb51a134f36484e
Instruction ID: d948834533692ddc3a564b7e0c8e84ab5ada502cd1cb48150e6acd8288ac1917
Opcode Fuzzy Hash: bc0a4ea3404a5ae87b155893caa4576e32ad90ef9c0b61ac7cb51a134f36484e
Instruction Fuzzy Hash: 33F0C23194160AEBDF11AFB48C0E7EE3EA0FF4132DF158414F424AA192CB788951DF51

Function 00524E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,005E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00524E7E

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 2fa5459cc16802dd68f721574cab18092ad623459814db5feef107bcc1c19ebd
Instruction ID: 3e93b1b26ee3d31f5064cbc70d7bb61bc108327c7aff8f9557569272c24fd8ad
Opcode Fuzzy Hash: 2fa5459cc16802dd68f721574cab18092ad623459814db5feef107bcc1c19ebd
Instruction Fuzzy Hash: 1BF03971501722CFEB349F64E494813BFE9BF563293218E3EE2D682660C7329884DF41

Function 00540791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005407B0

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 8c08d9029d7bc7ac3015306dd52bb77f298b42b08ce54c26b1dcea560746b191
Instruction ID: 508e96d1348ee47a42ea61287621954505b371e6bba7166e1464edd29c95de26
Opcode Fuzzy Hash: 8c08d9029d7bc7ac3015306dd52bb77f298b42b08ce54c26b1dcea560746b191
Instruction Fuzzy Hash: 4BE0CD379051295BC720D6989C09FEA7BEDEFCD7A1F0441B6FC0CD7254D9609C8486D0

Function 00588E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00588EC1

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 891c9a229ce65b0b7d0c0ec2d24ac35a1af4d20d5cae097693d601790036c776
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 6FE092B0104B045BD7389A24D800BF377E5FB05304F04081DF6AA93242EB6278458759

Function 01362EC8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 01362ED3

Memory Dump Source

Source File: 00000000.00000002.1721547331.0000000001362000.00000040.00000020.00020000.00000000.sdmp, Offset: 01362000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1362000_b6AGgIJ87g.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 94bc2ce3522056ea30a5469a825ecbd5c4da82244ce9a6be4ab55c2b67c94c03
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 1AE08C3090524CEBDB14CAAC8E04AAA77ACAB04364F008665AA0AC3A80D6308E00E650

Function 01362E98 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 01362EA3

Memory Dump Source

Source File: 00000000.00000002.1721547331.0000000001362000.00000040.00000020.00020000.00000000.sdmp, Offset: 01362000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1362000_b6AGgIJ87g.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 97f52aee8df1a6835514cf51a09e710a63e6a1465620b06e5a7747b7ce38d7fa
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: BFD0A73190620CEBCB10CFB89E049DE73BCD709365F008764FD19C3380D53199009790

Function 0054525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00545266

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: bf07238608b3fb92dd844f405f14603f5af31aea0aea64456857a7b497053fc3
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: FBB0927A44420C77CE012A92EC02A893F19AB81768F408021FB0C18162A6B3A6649A89

Function 013648B4 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 013648C9

Memory Dump Source

Source File: 00000000.00000002.1721547331.0000000001362000.00000040.00000020.00020000.00000000.sdmp, Offset: 01362000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1362000_b6AGgIJ87g.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: cd096f5856227ec08d24ad14e2c5860c820877261161920aff5f6655c609e34a
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 3DE0BF7494010DEFDB00DFA4D5496DD7BB4EF04701F1045A1FD05D7680DB319E54DA62

Function 013648B8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 013648C9

Memory Dump Source

Source File: 00000000.00000002.1721547331.0000000001362000.00000040.00000020.00020000.00000000.sdmp, Offset: 01362000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1362000_b6AGgIJ87g.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 5135b52034ecfb6499e63764996cc5b9558879179de1a0c7b50498b793fb52dd
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 17E0E67494010DDFDB00DFB4D54969D7FB4EF04701F104161FD05D2280D6319D50DA62

Non-executed Functions

Function 005ACABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 005ACB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005ACB95
GetWindowLongW.USER32(?,000000F0), ref: 005ACBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005ACC00
SendMessageW.USER32 ref: 005ACC29
_wcsncpy.LIBCMT ref: 005ACC95
GetKeyState.USER32(00000011), ref: 005ACCB6
GetKeyState.USER32(00000009), ref: 005ACCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005ACCD9
GetKeyState.USER32(00000010), ref: 005ACCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005ACD0C
SendMessageW.USER32 ref: 005ACD33
SendMessageW.USER32(?,00001030,?,005AB348), ref: 005ACE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 005ACE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 005ACE60
SetCapture.USER32(?), ref: 005ACE69
ClientToScreen.USER32(?,?), ref: 005ACECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005ACEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005ACEF5
ReleaseCapture.USER32 ref: 005ACF00
GetCursorPos.USER32(?), ref: 005ACF3A
ScreenToClient.USER32(?,?), ref: 005ACF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 005ACFA3
SendMessageW.USER32 ref: 005ACFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 005AD00E
SendMessageW.USER32 ref: 005AD03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 005AD05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 005AD06D
GetCursorPos.USER32(?), ref: 005AD08D
ScreenToClient.USER32(?,?), ref: 005AD09A
GetParent.USER32(?), ref: 005AD0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 005AD123
SendMessageW.USER32 ref: 005AD154
ClientToScreen.USER32(?,?), ref: 005AD1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 005AD1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 005AD20C
SendMessageW.USER32 ref: 005AD22F
ClientToScreen.USER32(?,?), ref: 005AD281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 005AD2B5

Part of subcall function 005225DB: GetWindowLongW.USER32(?,000000EB), ref: 005225EC

GetWindowLongW.USER32(?,000000F0), ref: 005AD351

Strings

pb^, xrefs: 005ACEAF
F, xrefs: 005AD235
@GUI_DRAGID, xrefs: 005ACE9C

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pb^
API String ID: 3977979337-2394457914
Opcode ID: 51caf90c0f15e9b8b108b91d4efe4e13b1c2af39ae91bea353165eb3a373c12a
Instruction ID: e4df50be49c511fca55a9234a8a27501ef128652cfadf5dc26881f5f7ab91805
Opcode Fuzzy Hash: 51caf90c0f15e9b8b108b91d4efe4e13b1c2af39ae91bea353165eb3a373c12a
Instruction Fuzzy Hash: 7742CF34204345AFDB24DF64D888AAEBFE5FF4A310F540919F5A6872B0D731D854EBA2

Function 00536F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005371C3
_memset.LIBCMT ref: 00537539
_memmove.LIBCMT ref: 005376AC

Strings

[:>:]], xrefs: 00537492
\b(?=\w), xrefs: 00573769
Q\E, xrefs: 00537FCB
\b(?<=\w), xrefs: 00573773
[:<:]], xrefs: 00537479
P\], xrefs: 00571AB8
3cS, xrefs: 005723A0
_S, xrefs: 005723CB
DEFINE, xrefs: 00572103
]], xrefs: 00571A22

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]]$3cS$DEFINE$P\]$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_S
API String ID: 1357608183-308182256
Opcode ID: 87f686ddd100135ba2ed537c899b19ab877d38dd4e382b767db4eb04ba95f4f4
Instruction ID: dde3f3f2fd47376fcba4c85229d47ee4d0d974edfd4ea486a97c9605e267f7d3
Opcode Fuzzy Hash: 87f686ddd100135ba2ed537c899b19ab877d38dd4e382b767db4eb04ba95f4f4
Instruction Fuzzy Hash: 9693A575E00219DFDB24CF58D881BADBBB1FF48710F24856AE949AB381E7709D81EB50

Function 005248D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 005248DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0055D665
IsIconic.USER32(?), ref: 0055D66E
ShowWindow.USER32(?,00000009), ref: 0055D67B
SetForegroundWindow.USER32(?), ref: 0055D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0055D69B
GetCurrentThreadId.KERNEL32 ref: 0055D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0055D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0055D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0055D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0055D6CF
SetForegroundWindow.USER32(?), ref: 0055D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0055D6E7
keybd_event.USER32(00000012,00000000), ref: 0055D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0055D6FC
keybd_event.USER32(00000012,00000000), ref: 0055D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0055D70A
keybd_event.USER32(00000012,00000000), ref: 0055D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0055D719
keybd_event.USER32(00000012,00000000), ref: 0055D71E
SetForegroundWindow.USER32(?), ref: 0055D721
AttachThreadInput.USER32(?,?,00000000), ref: 0055D748

Strings

Shell_TrayWnd, xrefs: 0055D660

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 1f4d615890844f6954dc3de557504e31a4bcfe5799029c6a6d5106197b69c33f
Instruction ID: 8ecc46a5b30e50acce1a2803aa29dc7af8ab4f02ddaf566afa59490536c9b686
Opcode Fuzzy Hash: 1f4d615890844f6954dc3de557504e31a4bcfe5799029c6a6d5106197b69c33f
Instruction Fuzzy Hash: 94319272A40318BBEB306FA19C49F7F3E6CEB59B51F104026FE04EA1D1C6B05905ABB1

Function 00578310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 005787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0057882B
Part of subcall function 005787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00578858
Part of subcall function 005787E1: GetLastError.KERNEL32 ref: 00578865

_memset.LIBCMT ref: 00578353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 005783A5
CloseHandle.KERNEL32(?), ref: 005783B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005783CD
GetProcessWindowStation.USER32 ref: 005783E6
SetProcessWindowStation.USER32(00000000), ref: 005783F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0057840A

Part of subcall function 005781CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00578309), ref: 005781E0
Part of subcall function 005781CB: CloseHandle.KERNEL32(?,?,00578309), ref: 005781F2

Strings

default, xrefs: 00578405
, xrefs: 00578362
winsta0, xrefs: 005783C8

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 720db26142a7b6695f76838e5fa6e02ae8faa3ed4ef5a1fb6c66850001b2ffba
Instruction ID: becd5251893948b30c1fcbd0bcf2e97753b3afc4b1299e015e1a785cfd4f7da8
Opcode Fuzzy Hash: 720db26142a7b6695f76838e5fa6e02ae8faa3ed4ef5a1fb6c66850001b2ffba
Instruction Fuzzy Hash: 3C814971940209BFDF119FA4EC49AFE7FB9FF08304F148169F918A6261DB318A14EB60

Function 0058C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0058C78D
FindClose.KERNEL32(00000000), ref: 0058C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0058C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0058C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0058C844
__swprintf.LIBCMT ref: 0058C890
__swprintf.LIBCMT ref: 0058C8D3

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

__swprintf.LIBCMT ref: 0058C927

Part of subcall function 00543698: __woutput_l.LIBCMT ref: 005436F1

__swprintf.LIBCMT ref: 0058C975

Part of subcall function 00543698: __flsbuf.LIBCMT ref: 00543713
Part of subcall function 00543698: __flsbuf.LIBCMT ref: 0054372B

__swprintf.LIBCMT ref: 0058C9C4
__swprintf.LIBCMT ref: 0058CA13
__swprintf.LIBCMT ref: 0058CA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0058C88A
%02d, xrefs: 0058C91B, 0058C925, 0058C973, 0058C9C2, 0058CA11, 0058CA60
%4d, xrefs: 0058C8CD

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 2bbb8a17e23f8d9741a53a048037ab534b710de87d2c6125ccc2d6fab63b3bf1
Instruction ID: 57d145424629417fd9e231eccabdedbe5ded58d370543aa9d7986739ace59f7f
Opcode Fuzzy Hash: 2bbb8a17e23f8d9741a53a048037ab534b710de87d2c6125ccc2d6fab63b3bf1
Instruction Fuzzy Hash: FAA120B2408316ABC714EF94D889DAFBBECFFD5704F400919F58596291EB30DA48CB62

Function 0058EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0058EFB6
_wcscmp.LIBCMT ref: 0058EFCB
_wcscmp.LIBCMT ref: 0058EFE2
GetFileAttributesW.KERNEL32(?), ref: 0058EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0058F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0058F026
FindClose.KERNEL32(00000000), ref: 0058F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0058F04D
_wcscmp.LIBCMT ref: 0058F074
_wcscmp.LIBCMT ref: 0058F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0058F09D
SetCurrentDirectoryW.KERNEL32(005D8920), ref: 0058F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0058F0C5
FindClose.KERNEL32(00000000), ref: 0058F0D2
FindClose.KERNEL32(00000000), ref: 0058F0E4

Strings

*.*, xrefs: 0058F048

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: daee5f8fcf9d885b8a0946af49f2bd7553eb68c53b2636a503b83898e0b48cdd
Instruction ID: 68180ff4684b6b30c1109fc66586db7ba719480586c2e747154a4cbdd9b19c28
Opcode Fuzzy Hash: daee5f8fcf9d885b8a0946af49f2bd7553eb68c53b2636a503b83898e0b48cdd
Instruction Fuzzy Hash: 9531E336501209AEDB24FBA4EC4DBEE7BACBF49360F100176EC41E21A1DB70DA44DB61

Function 005A0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005A0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,005AF910,00000000,?,00000000,?,?), ref: 005A09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 005A0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 005A0A92
RegCloseKey.ADVAPI32(?), ref: 005A0DB2
RegCloseKey.ADVAPI32(00000000), ref: 005A0DBF

Strings

REG_QWORD, xrefs: 005A0D00
REG_SZ, xrefs: 005A0AD0
REG_EXPAND_SZ, xrefs: 005A0A2F
REG_MULTI_SZ, xrefs: 005A0B7A
REG_DWORD, xrefs: 005A0C83
REG_BINARY, xrefs: 005A0D4D

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 0d1b4acf66dc38b872c922505d1ebab8e4bcb1276433051efc0d642369066f3c
Instruction ID: 65486f750ebf34963b7cc702b83c85fa430ae9dcbab35c66981d27f280ebb725
Opcode Fuzzy Hash: 0d1b4acf66dc38b872c922505d1ebab8e4bcb1276433051efc0d642369066f3c
Instruction Fuzzy Hash: B7024B756046129FCB14EF14D859E2ABBE5FF8A314F04885DF8899B3A2CB30EC45CB81

Function 005366E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

NO_START_OPT), xrefs: 0057114F
BSR_UNICODE), xrefs: 00571338
3cS, xrefs: 005368FF
_S, xrefs: 00571465, 0057150C, 005715B4
UCP), xrefs: 0057110D
LIMIT_MATCH=, xrefs: 00571170
ANYCRLF), xrefs: 005712FB
ANY), xrefs: 005712DE
0E\, xrefs: 0053673D
0F\, xrefs: 00536747
LIMIT_RECURSION=, xrefs: 005711FC
0D\, xrefs: 00536733
CRLF), xrefs: 005712C1
UTF), xrefs: 005710FA
LF), xrefs: 005712A4
pG\, xrefs: 00536751
NO_AUTO_POSSESS), xrefs: 0057112E
BSR_ANYCRLF), xrefs: 0057131E
UTF16), xrefs: 005710CF
CR), xrefs: 00571287

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID: 0D\$0E\$0F\$3cS$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG\$_S
API String ID: 0-1552901207
Opcode ID: f79dc047e55849f5afc23fd83edac0957b474787de630e0dd9e80e2a133d0351
Instruction ID: ba86c5112455ba5626458f6b4b5539a12adc666c0f3633fe0a3a83674e52d696
Opcode Fuzzy Hash: f79dc047e55849f5afc23fd83edac0957b474787de630e0dd9e80e2a133d0351
Instruction Fuzzy Hash: 2B727E75E00619DBDB24CF59D8907AEBBB5FF44310F14856AE809EB290EB309E81DB94

Function 0058F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0058F113
_wcscmp.LIBCMT ref: 0058F128
_wcscmp.LIBCMT ref: 0058F13F

Part of subcall function 00584385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005843A0

FindNextFileW.KERNEL32(00000000,?), ref: 0058F16E
FindClose.KERNEL32(00000000), ref: 0058F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0058F195
_wcscmp.LIBCMT ref: 0058F1BC
_wcscmp.LIBCMT ref: 0058F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0058F1E5
SetCurrentDirectoryW.KERNEL32(005D8920), ref: 0058F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0058F20D
FindClose.KERNEL32(00000000), ref: 0058F21A
FindClose.KERNEL32(00000000), ref: 0058F22C

Strings

*.*, xrefs: 0058F190

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 5b6733dd6cabd9c2ef8653ef333d11f5fd23edd02f9e514f6a3a1cadf5e8c605
Instruction ID: 3e2cef1f21b8af0ded6b796ea71c2c998b8e7540fff1fd36255110583540068f
Opcode Fuzzy Hash: 5b6733dd6cabd9c2ef8653ef333d11f5fd23edd02f9e514f6a3a1cadf5e8c605
Instruction Fuzzy Hash: 2E31B9395001196ADB20BBA4EC59BEE7FACBF99360F100176EC41F21A0DB30DE45DB54

Function 0058A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0058A20F
__swprintf.LIBCMT ref: 0058A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0058A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0058A293
_memset.LIBCMT ref: 0058A2B2
_wcsncpy.LIBCMT ref: 0058A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0058A323
CloseHandle.KERNEL32(00000000), ref: 0058A32E
RemoveDirectoryW.KERNEL32(?), ref: 0058A337
CloseHandle.KERNEL32(00000000), ref: 0058A341

Strings

:, xrefs: 0058A252
\??\%s, xrefs: 0058A22B
\, xrefs: 0058A247

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: ee6d7dc39bd9360546ebda7a1e26ec37b99a22538dacf10aec41ff23cb43ad52
Instruction ID: 15f4628a7591e72e70758de3ccf3138c8c8fe6e16bab00625724a6c565cef4f6
Opcode Fuzzy Hash: ee6d7dc39bd9360546ebda7a1e26ec37b99a22538dacf10aec41ff23cb43ad52
Instruction Fuzzy Hash: 2D3180B590410AABDB219FA0DC49FEB3BBCFF89741F1045B6F909E6160EB7096448B25

Function 00577CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00578202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0057821E
Part of subcall function 00578202: GetLastError.KERNEL32(?,00577CE2,?,?,?), ref: 00578228
Part of subcall function 00578202: GetProcessHeap.KERNEL32(00000008,?,?,00577CE2,?,?,?), ref: 00578237
Part of subcall function 00578202: HeapAlloc.KERNEL32(00000000,?,00577CE2,?,?,?), ref: 0057823E
Part of subcall function 00578202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00578255

Part of subcall function 0057829F: GetProcessHeap.KERNEL32(00000008,00577CF8,00000000,00000000,?,00577CF8,?), ref: 005782AB
Part of subcall function 0057829F: HeapAlloc.KERNEL32(00000000,?,00577CF8,?), ref: 005782B2
Part of subcall function 0057829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00577CF8,?), ref: 005782C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00577D13
_memset.LIBCMT ref: 00577D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00577D47
GetLengthSid.ADVAPI32(?), ref: 00577D58
GetAce.ADVAPI32(?,00000000,?), ref: 00577D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00577DB1
GetLengthSid.ADVAPI32(?), ref: 00577DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00577DDD
HeapAlloc.KERNEL32(00000000), ref: 00577DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00577E05
CopySid.ADVAPI32(00000000), ref: 00577E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00577E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00577E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00577E77

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 0d4cbd3a93a9de13b0a2aa60d59947bff6ffd4cc7bcf1b004ee9885b616b88f1
Instruction ID: e31d1cfe75df8c89dffe3d976f4e793e4982883b00618c23fd4240e3e91ac679
Opcode Fuzzy Hash: 0d4cbd3a93a9de13b0a2aa60d59947bff6ffd4cc7bcf1b004ee9885b616b88f1
Instruction Fuzzy Hash: 14613D7190450AAFDF10DFA4EC49AEEBB79FF49300F048169F919A7291DB319E05EB60

Function 0058001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00580097
SetKeyboardState.USER32(?), ref: 00580102
GetAsyncKeyState.USER32(000000A0), ref: 00580122
GetKeyState.USER32(000000A0), ref: 00580139
GetAsyncKeyState.USER32(000000A1), ref: 00580168
GetKeyState.USER32(000000A1), ref: 00580179
GetAsyncKeyState.USER32(00000011), ref: 005801A5
GetKeyState.USER32(00000011), ref: 005801B3
GetAsyncKeyState.USER32(00000012), ref: 005801DC
GetKeyState.USER32(00000012), ref: 005801EA
GetAsyncKeyState.USER32(0000005B), ref: 00580213
GetKeyState.USER32(0000005B), ref: 00580221

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 73db6915d4e7bb53ed670954a54c77c925be8c6d51ad07fa43bb98319c026a3e
Instruction ID: 748c50b63e4cce7618373404b708e744c077fbf06bbf269d7b22bb585fdbfec6
Opcode Fuzzy Hash: 73db6915d4e7bb53ed670954a54c77c925be8c6d51ad07fa43bb98319c026a3e
Instruction Fuzzy Hash: D551EB309047896DFB75FBA088197BABFB4AF01380F485599DDC2761C3DAA49B8CC761

Function 005A03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059FDAD,?,?), ref: 005A0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005A04AC

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 005A054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 005A05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 005A0822
RegCloseKey.ADVAPI32(00000000), ref: 005A082F

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 8a23435627826099168d3fbeb1001023d576fec27b82ff731003257c52b3ab0a
Instruction ID: 3b8ea548d380e19430fc326e9971ae6145555ff3494f1a1eb07b4fe30510f43a
Opcode Fuzzy Hash: 8a23435627826099168d3fbeb1001023d576fec27b82ff731003257c52b3ab0a
Instruction Fuzzy Hash: 28E13D71604215AFCB14DF24C895D6EBBE4FF8A314F04896DF94ADB2A1DA30ED05CB91

Function 00594164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0059418B
EmptyClipboard.USER32 ref: 00594191
GlobalAlloc.KERNEL32(00000002,?), ref: 005941A6
CloseClipboard.USER32 ref: 00594245

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 9badca12f9799b69f65290bb1550239d2532b34ca03a6a13cc93b7b48f5e7930
Instruction ID: fdf8f269e4c76c346873bfa2d6021f6297d73293205d47ae30ec43bb76f69212
Opcode Fuzzy Hash: 9badca12f9799b69f65290bb1550239d2532b34ca03a6a13cc93b7b48f5e7930
Instruction Fuzzy Hash: 9621BF392006119FDB14AF60EC09F6D7FA8FF56314F04802AF946DB2A1DB30AC02EB94

Function 005837EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00524750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00524743,?,?,005237AE,?), ref: 00524770

Part of subcall function 00584A31: GetFileAttributesW.KERNEL32(?,0058370B), ref: 00584A32

FindFirstFileW.KERNEL32(?,?), ref: 005838A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0058394B
MoveFileW.KERNEL32(?,?), ref: 0058395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0058397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0058399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 005839B9

Strings

\*.*, xrefs: 0058384E, 00583857, 0058386C

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 4466d1fe491cf02f26ae28783293f124ab03a9fe2635351c000a05f40fc06c87
Instruction ID: fd036f3fbee7bafc6d4e2e81f2b6fe285d47a574a7eb5fa1c7f7495ca5fb61a6
Opcode Fuzzy Hash: 4466d1fe491cf02f26ae28783293f124ab03a9fe2635351c000a05f40fc06c87
Instruction Fuzzy Hash: 99516C3180515EAACF15FFA0E99A9EDBF79BF56300F600069E84676191EB316F09CB60

Function 0058F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0058F440
Sleep.KERNEL32(0000000A), ref: 0058F470
_wcscmp.LIBCMT ref: 0058F484
_wcscmp.LIBCMT ref: 0058F49F
FindNextFileW.KERNEL32(?,?), ref: 0058F53D
FindClose.KERNEL32(00000000), ref: 0058F553

Strings

*.*, xrefs: 0058F425

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: f96299ef45d799ee1d1b187613d5179c1af96119a4b475f8cf18e67f4d8baf63
Instruction ID: 97f30e9e59a3fdde87f08b6378ae6eeebaddd308295c7a7487861265b44dba7c
Opcode Fuzzy Hash: f96299ef45d799ee1d1b187613d5179c1af96119a4b475f8cf18e67f4d8baf63
Instruction Fuzzy Hash: 9B414E7190021A9FCF14EFA4DC49AEEBFB4FF5A310F14456AE815A31A1EB309E85DB50

Function 00533030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

3cS, xrefs: 00533225
_S, xrefs: 00533322

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3cS$_S
API String ID: 674341424-3431193023
Opcode ID: b8d3f6dcaa36fd51bc4518bb49d11d92c17cc6a6cc964997c05c91bd2a9c2906
Instruction ID: d497acce88106c18491bb5254c45aa277497c5a36bbcbfb13e4a35cd6cd03344
Opcode Fuzzy Hash: b8d3f6dcaa36fd51bc4518bb49d11d92c17cc6a6cc964997c05c91bd2a9c2906
Instruction Fuzzy Hash: 97228A716083129FCB24DF24D885B6EBBE4BFC5310F14492CF89A97291EB31E944CB92

Function 00535760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005358A5
_memmove.LIBCMT ref: 005358F5
_memmove.LIBCMT ref: 0053595B

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: fd15fec23c0d6048fd65d0830f8ccad9d1af98fab2f51a9dd9db3bd73c745241
Instruction ID: 7155e9415ef2b605b6784285a94d7d9012ba7cffc1e46c4fd6a8c6120a6c24f8
Opcode Fuzzy Hash: fd15fec23c0d6048fd65d0830f8ccad9d1af98fab2f51a9dd9db3bd73c745241
Instruction Fuzzy Hash: 2112AE70A0061ADFDF14DFA4D985AEEBBF5FF88300F209529E406E7291EB35A914DB50

Function 00583B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00524750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00524743,?,?,005237AE,?), ref: 00524770

Part of subcall function 00584A31: GetFileAttributesW.KERNEL32(?,0058370B), ref: 00584A32

FindFirstFileW.KERNEL32(?,?), ref: 00583B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00583BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00583BEA
FindClose.KERNEL32(00000000), ref: 00583C01
FindClose.KERNEL32(00000000), ref: 00583C0A

Strings

\*.*, xrefs: 00583B5B

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 0bfd51a741a4e2c2ccc4b1f4b8359fa47f172eb953e48ccbd6770f8b59256926
Instruction ID: 1306fcf9d92590afe170a40aca555bf379babd24a039011c966d33049be01cdb
Opcode Fuzzy Hash: 0bfd51a741a4e2c2ccc4b1f4b8359fa47f172eb953e48ccbd6770f8b59256926
Instruction Fuzzy Hash: 94318F310083969BC300FF64D8959AFBBE8BE96310F440D2DF8D592191EB209E0CCB56

Function 005851BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0057882B
Part of subcall function 005787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00578858
Part of subcall function 005787E1: GetLastError.KERNEL32 ref: 00578865

ExitWindowsEx.USER32(?,00000000), ref: 005851F9

Strings

SeShutdownPrivilege, xrefs: 005851C9
, xrefs: 005851E7
@, xrefs: 005851EC

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: c9f31e5e18b9600af750464d99f1c60ce01df1515ff7768a50f23ec2268b4dd7
Instruction ID: 5568cf57aa03618906f83c95faa541a38bc94dfde12044d99b6bf0858bbb8451
Opcode Fuzzy Hash: c9f31e5e18b9600af750464d99f1c60ce01df1515ff7768a50f23ec2268b4dd7
Instruction Fuzzy Hash: 0001F7397916126BEB287268AC8EFBA7E58FB05740F600821FD57F20D2FD511C009790

Function 00596283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 005962DC
WSAGetLastError.WSOCK32(00000000), ref: 005962EB
bind.WSOCK32(00000000,?,00000010), ref: 00596307
listen.WSOCK32(00000000,00000005), ref: 00596316
WSAGetLastError.WSOCK32(00000000), ref: 00596330
closesocket.WSOCK32(00000000,00000000), ref: 00596344

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: d4f9e8698c2fbf1671ab3f9e1eefd54e8080e9735e8baa7dd8c789ab6f688ae0
Instruction ID: 4494c22394434cf791f71a1065a027305463690ab7c75e1da8f77e6c35f3d273
Opcode Fuzzy Hash: d4f9e8698c2fbf1671ab3f9e1eefd54e8080e9735e8baa7dd8c789ab6f688ae0
Instruction Fuzzy Hash: 11210131200211AFCF10EF64D889B6EBBA8FF8A720F148559F816A73D1CB30AC09DB50

Function 00535520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00540DB6: std::exception::exception.LIBCMT ref: 00540DEC
Part of subcall function 00540DB6: __CxxThrowException@8.LIBCMT ref: 00540E01

_memmove.LIBCMT ref: 00570258
_memmove.LIBCMT ref: 0057036D
_memmove.LIBCMT ref: 00570414

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: e6ec3d1426ddc155ccf28ce0b5be08f4ddef27e2be7b82fd157cc748f7805161
Instruction ID: 5e49d40769330a7a22e1dd776e16bcac3b79179a08532201a147893668a5ec87
Opcode Fuzzy Hash: e6ec3d1426ddc155ccf28ce0b5be08f4ddef27e2be7b82fd157cc748f7805161
Instruction Fuzzy Hash: 6502C2B0A0020ADBCF04DF64E985AAE7FF5FF84300F549469E80ADB295EB31D954DB91

Function 00521287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

DefDlgProcW.USER32(?,?,?,?,?), ref: 005219FA
GetSysColor.USER32(0000000F), ref: 00521A4E
SetBkColor.GDI32(?,00000000), ref: 00521A61

Part of subcall function 00521290: DefDlgProcW.USER32(?,00000020,?), ref: 005212D8

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 3f34062a024ae5d7c4387a9b7ef76f6150b677b7a5904d68434d601b2153b0a9
Instruction ID: fbe28bca5c99d8c56fbdb5287943b6acf674325cc16f04c7f5b9c0a82a37c82f
Opcode Fuzzy Hash: 3f34062a024ae5d7c4387a9b7ef76f6150b677b7a5904d68434d601b2153b0a9
Instruction Fuzzy Hash: 65A16B71106D65BAE728AA38AC5CE7F3E6DFFA3342B14051AF402D51D2DB229D0092F9

Function 0058BCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0058BCE6
_wcscmp.LIBCMT ref: 0058BD16
_wcscmp.LIBCMT ref: 0058BD2B
FindNextFileW.KERNEL32(00000000,?), ref: 0058BD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0058BD6C

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 93d67e7b7416ab01ba570b78678204358c4d95e93c272b9842a313342fe0efd4
Instruction ID: 205b40e7a1d37a9da8ed45758ba8d41a07f676f7498a80bf0c6ab458613134bd
Opcode Fuzzy Hash: 93d67e7b7416ab01ba570b78678204358c4d95e93c272b9842a313342fe0efd4
Instruction Fuzzy Hash: 9F51C035604602AFD714EF68D494EAABBE8FF8A320F14461DE956973A1DB30FD04CB91

Function 00596747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00597D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00597DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0059679E
WSAGetLastError.WSOCK32(00000000), ref: 005967C7
bind.WSOCK32(00000000,?,00000010), ref: 00596800
WSAGetLastError.WSOCK32(00000000), ref: 0059680D
closesocket.WSOCK32(00000000,00000000), ref: 00596821

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 5ff4736b3e1826575d32f8ec3ad5651496cfb1fc934847e484320389cb66e3fd
Instruction ID: 04ff01cfe0ea3724ecb03cff43130079038326e3827521e76436fff26bf7a53a
Opcode Fuzzy Hash: 5ff4736b3e1826575d32f8ec3ad5651496cfb1fc934847e484320389cb66e3fd
Instruction Fuzzy Hash: CC41E475A00221AFDB14BF649C8AF7E7BE8FF86714F448458F919AB3C2CA709D058791

Function 005A5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 005A53C5
IsWindowEnabled.USER32 ref: 005A53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 005A53E0
IsIconic.USER32 ref: 005A53EE
IsZoomed.USER32 ref: 005A53FC

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 7c039a1c5136151a8af8c8d3c48bb43275146cb6065d69d9410b64c6b7b7f5bb
Instruction ID: 856464a9051e35be2a34011e034ce71cf12372a6b174c40e5381d367478aca30
Opcode Fuzzy Hash: 7c039a1c5136151a8af8c8d3c48bb43275146cb6065d69d9410b64c6b7b7f5bb
Instruction Fuzzy Hash: AA11B2327009216FEB215F66AC48E6E7F98FFD77A1B444839F846D7241EB709C0196A0

Function 005780A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005780C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005780CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005780D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005780E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005780F6

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: da6b070c8f90928fc1b4c3c2ab80747e79ed17225e51ad90a7a7e279e0b06aab
Instruction ID: 8c4b9c297535e9f6e4b166b9ac449e5e03aea9cac020052e052f7dfd3e26eb6b
Opcode Fuzzy Hash: da6b070c8f90928fc1b4c3c2ab80747e79ed17225e51ad90a7a7e279e0b06aab
Instruction Fuzzy Hash: A7F06231240204AFEB100FA5EC8DE7B3FACFF4A755B404025F949C6150CB619C45EB60

Function 0058C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0058C432
CoCreateInstance.OLE32(005B2D6C,00000000,00000001,005B2BDC,?), ref: 0058C44A

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

CoUninitialize.OLE32 ref: 0058C6B7

Strings

.lnk, xrefs: 0058C3C6, 0058C3EE, 0058C3F8

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: bed2417d5d0ccb6172da6c85b9db183599c137148402218e59078f14a285e558
Instruction ID: 5c7fb00db1263728e3401238f7ed35444b97a40f8440e4bfe4e3355773f52185
Opcode Fuzzy Hash: bed2417d5d0ccb6172da6c85b9db183599c137148402218e59078f14a285e558
Instruction Fuzzy Hash: 89A14B71104206AFD300EF54D885EABBBE8FFCA314F00492CF55597292EB71E949CB62

Function 00524B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00524AD0), ref: 00524B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00524B57

Strings

kernel32.dll, xrefs: 00524B40
GetNativeSystemInfo, xrefs: 00524B51

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 4ba00842b0c3d53b9f051061a05d32951c68c56e0c0029d307e0e7f84323d071
Instruction ID: 2c6592296a82ab1f323b922d67357e6634960a5cab581d1de091638674b17682
Opcode Fuzzy Hash: 4ba00842b0c3d53b9f051061a05d32951c68c56e0c0029d307e0e7f84323d071
Instruction Fuzzy Hash: C3D01234A10727CFDB209FB1E858B467AE4BF17351B118839D4C6D6190D670D480CF64

Function 0059EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0059EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0059EE4B

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Process32NextW.KERNEL32(00000000,?), ref: 0059EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0059EF1A

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 138c1c37b50d9e467136e8f15841c66aa7ac48141660cec6713be18f639c4428
Instruction ID: 703f069c4ed6eb274236f09aaaab42f0882f086cda3048ef3e9b2a1badf2a237
Opcode Fuzzy Hash: 138c1c37b50d9e467136e8f15841c66aa7ac48141660cec6713be18f639c4428
Instruction Fuzzy Hash: E7518071504316AFD710EF24D88AE6BBBE8FF95710F40481DF595962A1EB70A908CB92

Function 0057E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0057E628

Strings

|, xrefs: 0057E658
(, xrefs: 0057E66E

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 3ceafd0285d37a0d19bbdcc2808e8a26239caecca2fdc9b3e52663d327881de4
Instruction ID: e95ed6731c37db071860e126fef387844d203af13a8fd76c0b3727b38ea87887
Opcode Fuzzy Hash: 3ceafd0285d37a0d19bbdcc2808e8a26239caecca2fdc9b3e52663d327881de4
Instruction Fuzzy Hash: 05322675A007059FD728CF29D48596ABBF1FF48310B15C4AEE99ADB3A1E770E941CB40

Function 005922EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0059180A,00000000), ref: 005923E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00592418

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: c2f62a35094ae16ab86d274418292908bb12a290f038ba4f7e5646dcbcde83c1
Instruction ID: a1b20ef43746f33fac29e2c4ba0e89cb9275252ed09fba0811760b7e192c4e7c
Opcode Fuzzy Hash: c2f62a35094ae16ab86d274418292908bb12a290f038ba4f7e5646dcbcde83c1
Instruction Fuzzy Hash: E241C371904209BFEF209E95DC85EBBBFBCFB80314F10446AF645A6141EB759E419A60

Function 0058B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0058B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0058B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0058B3EA

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 1a8697e8462c6e555b0112a61065b9858be5ba9bb01e7f5ddcea54305c147bda
Instruction ID: 6e8c9e5bdd62d046a97ed7d12d4cd7e0184eaa4e4bd2cd4bf97de5cec4ebd114
Opcode Fuzzy Hash: 1a8697e8462c6e555b0112a61065b9858be5ba9bb01e7f5ddcea54305c147bda
Instruction Fuzzy Hash: 49216035A00518EFCB00EFA5E885AEDBFB8FF89310F1480AAE905AB351DB319915DB50

Function 005787E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00540DB6: std::exception::exception.LIBCMT ref: 00540DEC
Part of subcall function 00540DB6: __CxxThrowException@8.LIBCMT ref: 00540E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0057882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00578858
GetLastError.KERNEL32 ref: 00578865

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: ccd88cf524056e573650e7829291f34e1bb5954fea5c15a807a4a563c570244e
Instruction ID: 8cd6528c41e216c6ebf5a447319f6ea9562edfefe3b60666cfbd18d7216726cd
Opcode Fuzzy Hash: ccd88cf524056e573650e7829291f34e1bb5954fea5c15a807a4a563c570244e
Instruction Fuzzy Hash: 4B1160B1814205AFD718DFA4EC89D6BBBB8FB45715B20852EE45A97241DA30BC449B60

Function 0057874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00578774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0057878B
FreeSid.ADVAPI32(?), ref: 0057879B

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 35c6611ac73f48350b43225a8fd21d829d6e56a9d9ade63281e4870ac9990283
Instruction ID: 2cad32e0feb555710beb397881d93e6d9c2a0af484cdf44440218a1097316b6b
Opcode Fuzzy Hash: 35c6611ac73f48350b43225a8fd21d829d6e56a9d9ade63281e4870ac9990283
Instruction Fuzzy Hash: 45F03C75951208BBDB04DFE49C89AAEBBB8FF08201F1044A9A502E2181E6715A089B50

Function 00588889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0058889B

Part of subcall function 0054520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00588F6E,00000000,?,?,?,?,0058911F,00000000,?), ref: 00545213
Part of subcall function 0054520A: __aulldiv.LIBCMT ref: 00545233

Strings

0e^, xrefs: 00588892

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0e^
API String ID: 2893107130-1332993939
Opcode ID: 9f9c2af5fbd157846b8e2f3263280b1c6ce3eb9c9f5a635076419f960451e9ff
Instruction ID: f1bfecfb53885ffa3d9d06f27d0710e0e2dde4ce69035774aac61f398ce84d2b
Opcode Fuzzy Hash: 9f9c2af5fbd157846b8e2f3263280b1c6ce3eb9c9f5a635076419f960451e9ff
Instruction Fuzzy Hash: 8121D2326256108BC329CF25D881A62B7E1EBB4310B688E6CD4F5CF2C0CA34A905DF54

Function 0058C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0058C6FB
FindClose.KERNEL32(00000000), ref: 0058C72B

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 747930639857e31d8d27bff077a1757540ae41916eeae8ee6afdeb1dddbfc5df
Instruction ID: 8c440c952c81cebcebe558c6d722846da866b00862a1d5f2a75a0d46fcf526e0
Opcode Fuzzy Hash: 747930639857e31d8d27bff077a1757540ae41916eeae8ee6afdeb1dddbfc5df
Instruction Fuzzy Hash: 2E1182726006019FDB10EF29D849A2AFBE4FF85320F04851DF8AAD7390DB30AC05CB91

Function 0058A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00599468,?,005AFB84,?), ref: 0058A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00599468,?,005AFB84,?), ref: 0058A0A9

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: c53543a3a1f2c33ad840f151152191403ae110538bcb208c93329201ca68860e
Instruction ID: b15b53348b9ecfb410da224ff381d2f72f3074b5a24b04072037c067738c9a5e
Opcode Fuzzy Hash: c53543a3a1f2c33ad840f151152191403ae110538bcb208c93329201ca68860e
Instruction Fuzzy Hash: 3FF0823520522DABDB21AFA4DC4CFEA7B6CBF09362F004166FD09D6181D670A944CBA1

Function 005781CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00578309), ref: 005781E0
CloseHandle.KERNEL32(?,?,00578309), ref: 005781F2

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: e3172261e2341c494475091f1e0cfefc45cbda37e7d211fa887b560b4deebf2d
Instruction ID: bc386e02eddb5467a5b456da051c7ac4d61297562eedac31e6d0d90e9c410ee6
Opcode Fuzzy Hash: e3172261e2341c494475091f1e0cfefc45cbda37e7d211fa887b560b4deebf2d
Instruction Fuzzy Hash: 54E04632010611AEEB252B61EC08DB37BAEFB00315720882DB9A680470CB32ACA0EB10

Function 0054A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00548D57,?,?,?,00000001), ref: 0054A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0054A163

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0feb659e9b18759ae865a81d7c8ab1623b8605372ecfb6b392db81076a50edc9
Instruction ID: 3a307619dc7671e9401d9b8149ab201a6a0271077954b8a0373a322e33299833
Opcode Fuzzy Hash: 0feb659e9b18759ae865a81d7c8ab1623b8605372ecfb6b392db81076a50edc9
Instruction Fuzzy Hash: C3B09231054208ABCF002BD1EC59B883F68EB56AA2F404422F60D84060CBA25454AB91

Function 0054F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b905179bdc57511ed456642295ac6d2d980706ec008e17b061f6fdc6e9862c
Instruction ID: bc50c6a9a2b6976438711b65d59772aa151d8e97597e74357450a1619773639f
Opcode Fuzzy Hash: d3b905179bdc57511ed456642295ac6d2d980706ec008e17b061f6fdc6e9862c
Instruction Fuzzy Hash: 78320231D29F054DDB639638D872336A688BFB73C8F15D737E819B59A6EB28D4835200

Function 0055242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9906c11176c6614517ee8d2050b86b1769b0f371f956182c10398a18b0f04296
Instruction ID: 5387973fbb49cc4f3f0cf71b8ca8f4c76c939bbd32fb943986bc2e9d1ea560c4
Opcode Fuzzy Hash: 9906c11176c6614517ee8d2050b86b1769b0f371f956182c10398a18b0f04296
Instruction Fuzzy Hash: 31B11F20E2AF404DD76396388831336BA9CAFBB2C5F52D71BFC2674D22EB2195875241

Function 00584C53 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00584C76

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 1730f8cc40c00dff0f2fadfdb3a139439ed68e2fe6f2ed2bfd204b9ed465fb4b
Instruction ID: 70616d2f65b1b0fa9fe71b6d36260cf304d12b4fd5a75ccac8d1e5021544f359
Opcode Fuzzy Hash: 1730f8cc40c00dff0f2fadfdb3a139439ed68e2fe6f2ed2bfd204b9ed465fb4b
Instruction Fuzzy Hash: 57D05EA012220B39EE282B208D8FF7A190DF3C0781F84854E7E41B50C0E8D85C00AF34

Function 005787B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00578389), ref: 005787D1

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: e0932277dcf3688b5b1e02ec0b9cda0e5910fa1a31d6f2dea1018f4219741e07
Instruction ID: c7998952327f4d7745e8a901b13e0b47232c3be4fd3bf696554288d7555275a7
Opcode Fuzzy Hash: e0932277dcf3688b5b1e02ec0b9cda0e5910fa1a31d6f2dea1018f4219741e07
Instruction Fuzzy Hash: C6D05E322A050EABEF018EA4DC05EAE3B69EB04B01F408111FE16C50A1C775D835AB60

Function 0054A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0054A12A

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 71b0fe2453631d2489a609eb8ba3b08fe3b98062630b84f48b7e2c1c824b2ade
Instruction ID: 9a8aa46c83182d253f6bb61d6a5a35d1e4889da47f0b960f9f52db9211680a3a
Opcode Fuzzy Hash: 71b0fe2453631d2489a609eb8ba3b08fe3b98062630b84f48b7e2c1c824b2ade
Instruction Fuzzy Hash: 00A0113000020CAB8F002B82EC08888BFACEA022A0B008022F80C800228B32A820AA80

Function 00538808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc47a16ce597f1e286f55862b55d76b1b6bbab2a72c246a5e7e73c127d165436
Instruction ID: 314f91d36d8e7b7345692bfb9027115503a6944b5e4bbc6de0d7b5518328fbbd
Opcode Fuzzy Hash: dc47a16ce597f1e286f55862b55d76b1b6bbab2a72c246a5e7e73c127d165436
Instruction Fuzzy Hash: D1226731504306CBDF3C8A24D494B7CBFA1FB01314F68886BF99A8B592EBB09D81E751

Function 005421C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: e4059703fb47d69df059d79aab8a45f8a2f3636fc346850a95f7063735d3f9f6
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: D9C1B7722094A309DF2D463A84341BEFFA17EA27B975A076DE4B3CF0D4EE10C965D620

Function 005425FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: fd5c3defddaa772ad3d6b34977603b855aa6da0416b8542a8da4bc4a81a4b1ff
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 6CC1B2722051A30ADF2D463AC4340BEFEA17EA27F575A076DE4B3DB0D4EE20C964D620

Function 00541978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: e1e2546bbea8450795ef1c1910cbe97db2568aab96fb54a681b587d11ea09f07
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 9EC1C37220589309DF2D463AC4740BEBFA17EA27B931A076DD4B3CB1C4FE20C9A4D624

Function 01365C38 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721547331.0000000001362000.00000040.00000020.00020000.00000000.sdmp, Offset: 01362000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1362000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: acf0862fe7c6ab5cacfdf05683e3135177cc7e80ff02e6918c44cee37ccbddd4
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 3841C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB90

Function 01365B28 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721547331.0000000001362000.00000040.00000020.00020000.00000000.sdmp, Offset: 01362000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1362000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 3752c53fcaedb9c7f85466acb37f18e9370b1da618361704c494368221861024
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: AC014278A01109EFCB48DF98C5909AEF7F9FB48354F2085A9D819A7745D730AE51DF80

Function 01365AC8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721547331.0000000001362000.00000040.00000020.00020000.00000000.sdmp, Offset: 01362000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1362000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 8a4023318f2b254ec5284068a88a6e52a417cbe2ec0bd70d096de3fda878db54
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 62018078A01209EFCB48DF98C5909AEF7B9FF48254F2085A9D809A7705D730AE41DB80

Function 01364488 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721547331.0000000001362000.00000040.00000020.00020000.00000000.sdmp, Offset: 01362000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1362000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00597806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0059785B
DeleteObject.GDI32(00000000), ref: 0059786D
DestroyWindow.USER32 ref: 0059787B
GetDesktopWindow.USER32 ref: 00597895
GetWindowRect.USER32(00000000), ref: 0059789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 005979DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 005979ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00597A35
GetClientRect.USER32(00000000,?), ref: 00597A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00597A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00597A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00597AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00597ABB
GlobalLock.KERNEL32(00000000), ref: 00597AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00597AD3
GlobalUnlock.KERNEL32(00000000), ref: 00597ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00597AE3
GlobalFree.KERNEL32(00000000), ref: 00597AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00597B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,005B2CAC,00000000), ref: 00597B16
GlobalFree.KERNEL32(00000000), ref: 00597B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00597B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00597B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00597B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00597D7A

Strings

AutoIt v3, xrefs: 00597A2D
DISPLAY, xrefs: 00597BDD
static, xrefs: 00597A75, 00597BCC
, xrefs: 00597D00

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b446930cb7440ff12b52caec804061e70a1c0e7c9d6b46bcaf79e3263e2227de
Instruction ID: 3256243d692e19a16aa55973c86d643d90abd604beb13bdb0325275db67bdd59
Opcode Fuzzy Hash: b446930cb7440ff12b52caec804061e70a1c0e7c9d6b46bcaf79e3263e2227de
Instruction Fuzzy Hash: 45026775910219AFDB14DFA4DC89EAE7FB9FF49310F048169F905AB2A1CB30AD05DB60

Function 005A356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,005AF910), ref: 005A3627
IsWindowVisible.USER32(?), ref: 005A364B

Strings

SENDCOMMANDID, xrefs: 005A39DA
SELECTSTRING, xrefs: 005A3806
EDITPASTE, xrefs: 005A395F
CURRENTTAB, xrefs: 005A36BD
SHOWDROPDOWN, xrefs: 005A36E0
ISCHECKED, xrefs: 005A3839
GETCURRENTCOL, xrefs: 005A3928
GETLINE, xrefs: 005A399B
TABRIGHT, xrefs: 005A369D
GETCURRENTSELECTION, xrefs: 005A37E3
GETSELECTED, xrefs: 005A38A3
UNCHECK, xrefs: 005A3883
ISVISIBLE, xrefs: 005A3637
SETCURRENTSELECTION, xrefs: 005A37B6
GETLINECOUNT, xrefs: 005A38C6
TABLEFT, xrefs: 005A3687
CHECK, xrefs: 005A386D
DELSTRING, xrefs: 005A3749
FINDSTRING, xrefs: 005A3776
GETCURRENTLINE, xrefs: 005A38ED
ADDSTRING, xrefs: 005A3716
HIDEDROPDOWN, xrefs: 005A3700
ISENABLED, xrefs: 005A366B

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 99fa3bccee4b8c09110ea1aa96bac0b6896254d786d35af911428fef6d9d1669
Instruction ID: 041a7856e2be75a15c678cc10167159878415a694716770ef3fca28d5502d60e
Opcode Fuzzy Hash: 99fa3bccee4b8c09110ea1aa96bac0b6896254d786d35af911428fef6d9d1669
Instruction Fuzzy Hash: 95D171302043129BCB14EF14D459A6E7FE5BF96358F144859F88A5B3E2DB31DE4ACB81

Function 005AA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 005AA630
GetSysColorBrush.USER32(0000000F), ref: 005AA661
GetSysColor.USER32(0000000F), ref: 005AA66D
SetBkColor.GDI32(?,000000FF), ref: 005AA687
SelectObject.GDI32(?,00000000), ref: 005AA696
InflateRect.USER32(?,000000FF,000000FF), ref: 005AA6C1
GetSysColor.USER32(00000010), ref: 005AA6C9
CreateSolidBrush.GDI32(00000000), ref: 005AA6D0
FrameRect.USER32(?,?,00000000), ref: 005AA6DF
DeleteObject.GDI32(00000000), ref: 005AA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 005AA731
FillRect.USER32(?,?,00000000), ref: 005AA763
GetWindowLongW.USER32(?,000000F0), ref: 005AA78E

Part of subcall function 005AA8CA: GetSysColor.USER32(00000012), ref: 005AA903
Part of subcall function 005AA8CA: SetTextColor.GDI32(?,?), ref: 005AA907
Part of subcall function 005AA8CA: GetSysColorBrush.USER32(0000000F), ref: 005AA91D
Part of subcall function 005AA8CA: GetSysColor.USER32(0000000F), ref: 005AA928
Part of subcall function 005AA8CA: GetSysColor.USER32(00000011), ref: 005AA945
Part of subcall function 005AA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 005AA953
Part of subcall function 005AA8CA: SelectObject.GDI32(?,00000000), ref: 005AA964
Part of subcall function 005AA8CA: SetBkColor.GDI32(?,00000000), ref: 005AA96D
Part of subcall function 005AA8CA: SelectObject.GDI32(?,?), ref: 005AA97A
Part of subcall function 005AA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 005AA999
Part of subcall function 005AA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005AA9B0
Part of subcall function 005AA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 005AA9C5
Part of subcall function 005AA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005AA9ED

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: c36430d4170586d64fa6df16f42456aaa4cab00fe0d87e09005766751e87ba2b
Instruction ID: f1019debf8864956dccf73e3c815820f9af7cffd1492cb802e519387d4fe484b
Opcode Fuzzy Hash: c36430d4170586d64fa6df16f42456aaa4cab00fe0d87e09005766751e87ba2b
Instruction Fuzzy Hash: 6B918D72408301FFC7109FA4DC08A5FBBA9FF8A321F100B29F9A2961A0D731D948DB52

Function 00522C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00522CA2
DeleteObject.GDI32(00000000), ref: 00522CE8
DeleteObject.GDI32(00000000), ref: 00522CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00522CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00522D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0055C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0055C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0055C89D

Part of subcall function 00521B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00522036,?,00000000,?,?,?,?,005216CB,00000000,?), ref: 00521B9A

SendMessageW.USER32(?,00001053), ref: 0055C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0055C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0055C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0055C912

Strings

0, xrefs: 0055C731

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: ded2e43962a60fa5aa8771543f2119a8ddf233eb116670054d4668ea2e845bbb
Instruction ID: f00e028a6f410988a299ef94643b0bd78cfebcab90beaca7f9098883219dd743
Opcode Fuzzy Hash: ded2e43962a60fa5aa8771543f2119a8ddf233eb116670054d4668ea2e845bbb
Instruction Fuzzy Hash: 90129E34504211EFDB10CF24D898BA9BFE1FF4A312F54456AE885DB6A2C731EC4ADB91

Function 005974AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 005974DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0059759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 005975DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 005975ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00597633
GetClientRect.USER32(00000000,?), ref: 0059763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00597683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00597692
GetStockObject.GDI32(00000011), ref: 005976A2
SelectObject.GDI32(00000000,00000000), ref: 005976A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 005976B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005976BF
DeleteDC.GDI32(00000000), ref: 005976C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005976F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0059770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00597746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0059775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0059776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0059779B
GetStockObject.GDI32(00000011), ref: 005977A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005977B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 005977BB

Strings

AutoIt v3, xrefs: 0059762B
DISPLAY, xrefs: 00597688
msctls_progress32, xrefs: 0059773C
static, xrefs: 0059767D, 00597795

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 1b7c02c7754449351a1c458e90edd51594b54d04d49ec5d6c1181f6524e26da4
Instruction ID: 885bcfbde5309e47a562b136e23c7519cedd155749c53ed53890dfa4357e79f0
Opcode Fuzzy Hash: 1b7c02c7754449351a1c458e90edd51594b54d04d49ec5d6c1181f6524e26da4
Instruction Fuzzy Hash: 4FA19C71A00219BFEB14DBA4DC8AFAE7BB9FF09714F004115FA04AB2E0D670AD04DB64

Function 0058AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0058AD1E
GetDriveTypeW.KERNEL32(?,005AFAC0,?,\\.\,005AF910), ref: 0058ADFB
SetErrorMode.KERNEL32(00000000,005AFAC0,?,\\.\,005AF910), ref: 0058AF59

Strings

SCSI, xrefs: 0058AEC6
MMC, xrefs: 0058AF1A
RAID, xrefs: 0058AEF7
SATA, xrefs: 0058AF0C
SSA, xrefs: 0058AEE2
Fibre, xrefs: 0058AEE9
PhysicalDrive, xrefs: 0058ADA7
Network, xrefs: 0058AE39
SAS, xrefs: 0058AF05
1394, xrefs: 0058AEDB
ATAPI, xrefs: 0058AECD
RAMDisk, xrefs: 0058AE25
Fixed, xrefs: 0058AE43
SSD, xrefs: 0058AE86
Removable, xrefs: 0058AE4D
iSCSI, xrefs: 0058AEFE
Virtual, xrefs: 0058AF21
USB, xrefs: 0058AEF0
FileBackedVirtual, xrefs: 0058AF28
Unknown, xrefs: 0058AE1B, 0058AEBF
ATA, xrefs: 0058AED4
\\.\, xrefs: 0058AD70
CDROM, xrefs: 0058AE2F

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: d51f04507670d31fc9884cdc58facff28ee4fdb03c9ddfd804d7fa5efc59ac10
Instruction ID: 5c45f29b2daf725612b62c5b85dbd4a18377f0f76cdac0d26183bf20556ff7e5
Opcode Fuzzy Hash: d51f04507670d31fc9884cdc58facff28ee4fdb03c9ddfd804d7fa5efc59ac10
Instruction Fuzzy Hash: F851A3B8644206ABAB20FB54C986CBD7FA0FF49710B244857ED07B73D0EA709D41EB42

Function 005268DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00526931
__wcsnicmp.LIBCMT ref: 00526949
__wcsnicmp.LIBCMT ref: 00526961
__wcsnicmp.LIBCMT ref: 00526979
__wcsnicmp.LIBCMT ref: 00526991
__wcsnicmp.LIBCMT ref: 005269A9
__wcsnicmp.LIBCMT ref: 005269C1
__wcsnicmp.LIBCMT ref: 005269D5
__wcsnicmp.LIBCMT ref: 00526A16
__wcsnicmp.LIBCMT ref: 00526A2A
__wcsnicmp.LIBCMT ref: 00526A3E
__wcsnicmp.LIBCMT ref: 00526A52

Strings

#cs, xrefs: 005269CF, 00526A24
#OnAutoItStartRegister, xrefs: 00526973
#comments-start, xrefs: 005269BB, 00526A10
#ce, xrefs: 00526A4C
Bad directive syntax error, xrefs: 0055E31A
#requireadmin, xrefs: 0052695B
#include-once, xrefs: 0052698B
#include, xrefs: 005269A3
Cannot parse #include, xrefs: 0055E3F0
#pragma compile, xrefs: 0052692B
#comments-end, xrefs: 00526A38
#notrayicon, xrefs: 00526943
Unterminated group of comments, xrefs: 0055E403

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 1e98655f705d3c8a1640a74911796927261505bc9183613dd03db36f62cc9ae7
Instruction ID: 17c1b7b755a1b86a19e1f5084862d32de6d6be70d9dc0e996196fa2aa06f0bf7
Opcode Fuzzy Hash: 1e98655f705d3c8a1640a74911796927261505bc9183613dd03db36f62cc9ae7
Instruction Fuzzy Hash: 5C8127B0600226AACF25AB60FC57FAE3F68FF46704F044025FD456A1D6EB71EE45C261

Function 005AA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 005AA903
SetTextColor.GDI32(?,?), ref: 005AA907
GetSysColorBrush.USER32(0000000F), ref: 005AA91D
GetSysColor.USER32(0000000F), ref: 005AA928
CreateSolidBrush.GDI32(?), ref: 005AA92D
GetSysColor.USER32(00000011), ref: 005AA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 005AA953
SelectObject.GDI32(?,00000000), ref: 005AA964
SetBkColor.GDI32(?,00000000), ref: 005AA96D
SelectObject.GDI32(?,?), ref: 005AA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 005AA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005AA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 005AA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005AA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 005AAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 005AAA32
DrawFocusRect.USER32(?,?), ref: 005AAA3D
GetSysColor.USER32(00000011), ref: 005AAA4B
SetTextColor.GDI32(?,00000000), ref: 005AAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 005AAA67
SelectObject.GDI32(?,005AA5FA), ref: 005AAA7E
DeleteObject.GDI32(?), ref: 005AAA89
SelectObject.GDI32(?,?), ref: 005AAA8F
DeleteObject.GDI32(?), ref: 005AAA94
SetTextColor.GDI32(?,?), ref: 005AAA9A
SetBkColor.GDI32(?,?), ref: 005AAAA4

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 3f79ad3184e60aa0b32068d21e5c7a9c06620e14cbf1a081ebb32b43e350bb1e
Instruction ID: d21644c7261e7d767881a56424440afe342e29b6ba329bd8d6b6ecf1fc460f50
Opcode Fuzzy Hash: 3f79ad3184e60aa0b32068d21e5c7a9c06620e14cbf1a081ebb32b43e350bb1e
Instruction Fuzzy Hash: 95511B71900208EFDB119FA4DC48EAEBBB9FB4A320F114625FA11AB2A1D7759944DB90

Function 005A89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 005A8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005A8AD2
CharNextW.USER32(0000014E), ref: 005A8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 005A8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 005A8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005A8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 005A8B86
SetWindowTextW.USER32(?,0000014E), ref: 005A8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 005A8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 005A8C1F
_memset.LIBCMT ref: 005A8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 005A8C8D
_memset.LIBCMT ref: 005A8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 005A8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 005A8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 005A8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 005A8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005A8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005A8EB4
DrawMenuBar.USER32(?), ref: 005A8EC3
SetWindowTextW.USER32(?,0000014E), ref: 005A8EEB

Strings

0, xrefs: 005A8E55

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: a2b7f8e3c84a73f67604c2d821c544365972b42c97d16ce28e1f072b5c23c5ec
Instruction ID: 49c0c40b66ab40ff8c7a380dcb0a7b6e461769ff0b82c0a35d4aff90f267644b
Opcode Fuzzy Hash: a2b7f8e3c84a73f67604c2d821c544365972b42c97d16ce28e1f072b5c23c5ec
Instruction Fuzzy Hash: 20E15E70900219AFDB209F60CC88EFE7FB9FF4A720F148156F915AA291DB749984DF60

Function 005A488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005A49CA
GetDesktopWindow.USER32 ref: 005A49DF
GetWindowRect.USER32(00000000), ref: 005A49E6
GetWindowLongW.USER32(?,000000F0), ref: 005A4A48
DestroyWindow.USER32(?), ref: 005A4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005A4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005A4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 005A4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 005A4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 005A4B09
IsWindowVisible.USER32(?), ref: 005A4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 005A4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 005A4B58
GetWindowRect.USER32(?,?), ref: 005A4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 005A4B96
GetMonitorInfoW.USER32(00000000,?), ref: 005A4BB0
CopyRect.USER32(?,?), ref: 005A4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 005A4C32

Strings

0, xrefs: 005A4975
(, xrefs: 005A4BA3
tooltips_class32, xrefs: 005A4A96

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 76cc17e3cfc4dc33a0d4e3330bcd9deaf284b496942d1fdfd87f3319ab834982
Instruction ID: 209f79d19a697afe975315c08383706fc4a9c5b2e0efd297f206e9031b687206
Opcode Fuzzy Hash: 76cc17e3cfc4dc33a0d4e3330bcd9deaf284b496942d1fdfd87f3319ab834982
Instruction Fuzzy Hash: 15B17A71608351AFDB04DFA4D848B6EBBE5BF8A310F008918F5999B2A1D7B0EC05CF95

Function 005227D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005228BC
GetSystemMetrics.USER32(00000007), ref: 005228C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005228EF
GetSystemMetrics.USER32(00000008), ref: 005228F7
GetSystemMetrics.USER32(00000004), ref: 0052291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00522939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00522949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0052297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00522990
GetClientRect.USER32(00000000,000000FF), ref: 005229AE
GetStockObject.GDI32(00000011), ref: 005229CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 005229D5

Part of subcall function 00522344: GetCursorPos.USER32(?), ref: 00522357
Part of subcall function 00522344: ScreenToClient.USER32(005E57B0,?), ref: 00522374
Part of subcall function 00522344: GetAsyncKeyState.USER32(00000001), ref: 00522399
Part of subcall function 00522344: GetAsyncKeyState.USER32(00000002), ref: 005223A7

SetTimer.USER32(00000000,00000000,00000028,00521256), ref: 005229FC

Strings

AutoIt v3 GUI, xrefs: 00522974

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d2495008a0ad06813a0df3172369bddedffff1cf916fd23faceb1e05d0d59a9d
Instruction ID: 55703e308f3b719a3d91ba0c7df16f9feed0cd97429f1176901b69bafabe7a39
Opcode Fuzzy Hash: d2495008a0ad06813a0df3172369bddedffff1cf916fd23faceb1e05d0d59a9d
Instruction Fuzzy Hash: 38B1AE75A0021AEFDB14DFA8DC89BAD7FA4FF19315F104229FA15A72E0DB709844DB50

Function 0055A8CB Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 0055A92B
___wtomb_environ.LIBCMT ref: 0055A94D

Part of subcall function 00548B28: __getptd_noexit.LIBCMT ref: 00548B28

__malloc_crt.LIBCMT ref: 0055A975
__malloc_crt.LIBCMT ref: 0055A992
_free.LIBCMT ref: 0055A9C9
__recalloc_crt.LIBCMT ref: 0055AA02
__recalloc_crt.LIBCMT ref: 0055AA47
_strlen.LIBCMT ref: 0055AA73
__calloc_crt.LIBCMT ref: 0055AA7D
_strlen.LIBCMT ref: 0055AA8C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 0055AABA
_free.LIBCMT ref: 0055AAD4
_free.LIBCMT ref: 0055AAE1
_free.LIBCMT ref: 0055AAF3
__invoke_watson.LIBCMT ref: 0055AB0D

Strings

{nT, xrefs: 0055AAAD
{nT, xrefs: 0055A932

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID: {nT${nT
API String ID: 884005220-1826762898
Opcode ID: e4849e59fda6679699bb6e634c6fec0456c5e6a31fa8ca47e2830a766206bb28
Instruction ID: 52a9bca3170aa09a30d94a37ae51429bf3d4f08df83db3b4099c4b8537da0ffc
Opcode Fuzzy Hash: e4849e59fda6679699bb6e634c6fec0456c5e6a31fa8ca47e2830a766206bb28
Instruction Fuzzy Hash: E8610472900222AFDB245F24DC597AD7FB4FF90326F21471BEC41AB191EB349949CB92

Function 0057A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0057A47A
__swprintf.LIBCMT ref: 0057A51B
_wcscmp.LIBCMT ref: 0057A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0057A583
_wcscmp.LIBCMT ref: 0057A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0057A5F6
GetDlgCtrlID.USER32(?), ref: 0057A648
GetWindowRect.USER32(?,?), ref: 0057A67E
GetParent.USER32(?), ref: 0057A69C
ScreenToClient.USER32(00000000), ref: 0057A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0057A71D
_wcscmp.LIBCMT ref: 0057A731
GetWindowTextW.USER32(?,?,00000400), ref: 0057A757
_wcscmp.LIBCMT ref: 0057A76B

Part of subcall function 0054362C: _iswctype.LIBCMT ref: 00543634

Strings

%s%u, xrefs: 0057A515

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 7135d6f5f3ed02d424b638edfec4353c94ac73ae7ca8be77829638e4177b7e7c
Instruction ID: 16deebe273df3b46a13b5eb081cca27aef81e92b62641f8df618d1385a054c7e
Opcode Fuzzy Hash: 7135d6f5f3ed02d424b638edfec4353c94ac73ae7ca8be77829638e4177b7e7c
Instruction Fuzzy Hash: CCA1C331204607AFDB19DF64D888BAEBBE8FF84315F008529F99DD2190DB30E945DB92

Function 0057AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0057AF18
_wcscmp.LIBCMT ref: 0057AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0057AF51
CharUpperBuffW.USER32(?,00000000), ref: 0057AF6E
_wcscmp.LIBCMT ref: 0057AF8C
_wcsstr.LIBCMT ref: 0057AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0057AFD5
_wcscmp.LIBCMT ref: 0057AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0057B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0057B055
_wcscmp.LIBCMT ref: 0057B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0057B08D
GetWindowRect.USER32(00000004,?), ref: 0057B0F6

Strings

@, xrefs: 0057AEF9
ThumbnailClass, xrefs: 0057AFE0, 0057B060

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 14fe13ea98fed041b0cd290011966f5a0c567879dabd2b72f4281c3367f153bc
Instruction ID: e8a28fd46151d89127e2d69c758e6b0db4d2b84d8dcf54549078acbe9333903c
Opcode Fuzzy Hash: 14fe13ea98fed041b0cd290011966f5a0c567879dabd2b72f4281c3367f153bc
Instruction Fuzzy Hash: 5F819F711082069FEB05DF14D889BAA7FE8FF94314F04C46AFD898A095DB34DD49DB61

Function 005AC5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

DragQueryPoint.SHELL32(?,?), ref: 005AC627

Part of subcall function 005AAB37: ClientToScreen.USER32(?,?), ref: 005AAB60
Part of subcall function 005AAB37: GetWindowRect.USER32(?,?), ref: 005AABD6
Part of subcall function 005AAB37: PtInRect.USER32(?,?,005AC014), ref: 005AABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 005AC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005AC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005AC6BE
_wcscat.LIBCMT ref: 005AC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 005AC705
SendMessageW.USER32(?,000000B0,?,?), ref: 005AC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 005AC735
SendMessageW.USER32(?,000000B1,?,?), ref: 005AC757
DragFinish.SHELL32(?), ref: 005AC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 005AC851

Strings

@GUI_DRAGFILE, xrefs: 005AC800
@GUI_DRAGID, xrefs: 005AC7C9
pb^, xrefs: 005AC79B
@GUI_DROPID, xrefs: 005AC77E

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb^
API String ID: 169749273-368586474
Opcode ID: 03208ac366a753705c853432576ece34d82587449ff0ba2302b25892e93911e5
Instruction ID: 688aab2d6d6b2fb8d631762a516cbb47658d5dc1a80004b6e5d66aaa837485d0
Opcode Fuzzy Hash: 03208ac366a753705c853432576ece34d82587449ff0ba2302b25892e93911e5
Instruction Fuzzy Hash: D9615C71108301AFC715DFA4D889DAFBFE8FF9A750F04091EF591961A1DB309949CB92

Function 0057ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0057AC33

Strings

[LAST, xrefs: 0057ACE0
HANDLE=, xrefs: 0057AC2C
LAST, xrefs: 0057ABF8
ACTIVE, xrefs: 0057AC0E
[REGEXPTITLE:, xrefs: 0057AC5B
CLASSNAME=, xrefs: 0057AC70
[HANDLE:, xrefs: 0057AC3F
[ACTIVE, xrefs: 0057AC20
[CLASS:, xrefs: 0057AC83
REGEXP=, xrefs: 0057AC48
[ALL, xrefs: 0057ACD9
ALL, xrefs: 0057ACC7

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: f35b3e0240f5aa5030ed511533c962f0fdce9abc6c6e889db464731a8f9573de
Instruction ID: 43517d8780ed38235c007264d4d0b737f14b5565c7e2c7dd5cf3758d3596ca1a
Opcode Fuzzy Hash: f35b3e0240f5aa5030ed511533c962f0fdce9abc6c6e889db464731a8f9573de
Instruction Fuzzy Hash: 8D31D03194821EBADB20EA64ED0BEEE7F68BF99710F60441AF405711E1FB616F04D652

Function 00594FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00595013
LoadCursorW.USER32(00000000,00007F00), ref: 0059501E
LoadCursorW.USER32(00000000,00007F03), ref: 00595029
LoadCursorW.USER32(00000000,00007F8B), ref: 00595034
LoadCursorW.USER32(00000000,00007F01), ref: 0059503F
LoadCursorW.USER32(00000000,00007F81), ref: 0059504A
LoadCursorW.USER32(00000000,00007F88), ref: 00595055
LoadCursorW.USER32(00000000,00007F80), ref: 00595060
LoadCursorW.USER32(00000000,00007F86), ref: 0059506B
LoadCursorW.USER32(00000000,00007F83), ref: 00595076
LoadCursorW.USER32(00000000,00007F85), ref: 00595081
LoadCursorW.USER32(00000000,00007F82), ref: 0059508C
LoadCursorW.USER32(00000000,00007F84), ref: 00595097
LoadCursorW.USER32(00000000,00007F04), ref: 005950A2
LoadCursorW.USER32(00000000,00007F02), ref: 005950AD
LoadCursorW.USER32(00000000,00007F89), ref: 005950B8
GetCursorInfo.USER32(?), ref: 005950C8

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 114971032146c6b394b6362e16547d9d5b5e159db0e474708b8b6173fe456e1e
Instruction ID: 3eee51cdcd308bc944f0c6d505540c831e081817b73025fcecc825d264335eb4
Opcode Fuzzy Hash: 114971032146c6b394b6362e16547d9d5b5e159db0e474708b8b6173fe456e1e
Instruction Fuzzy Hash: 6531F4B1D4831A6ADF109FB68C8995EBFE8FF04750F50453AE54DE7280EA786504CF91

Function 005AA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005AA259
DestroyWindow.USER32(?,?), ref: 005AA2D3

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 005AA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 005AA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005AA382
DestroyWindow.USER32(00000000), ref: 005AA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00520000,00000000), ref: 005AA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005AA3F4
GetDesktopWindow.USER32 ref: 005AA40D
GetWindowRect.USER32(00000000), ref: 005AA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005AA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 005AA444

Part of subcall function 005225DB: GetWindowLongW.USER32(?,000000EB), ref: 005225EC

Strings

0, xrefs: 005AA26F
tooltips_class32, xrefs: 005AA346, 005AA3D4

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: dcf753e95404e01d0d08261883746803462a4989a4be7217f8d39abbb213a932
Instruction ID: 7243ffaa9d6e52ef286e4604c97ca5121ce4d2aa1cff88eb94dbe9a9f0c7611c
Opcode Fuzzy Hash: dcf753e95404e01d0d08261883746803462a4989a4be7217f8d39abbb213a932
Instruction Fuzzy Hash: 6371CF71140245AFDB25CF28CC49F6A7BE6FB9E304F04492DF9858B2A0E770E906DB52

Function 00587D1A Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00587D5F
VariantCopy.OLEAUT32(00000000,?), ref: 00587D68
VariantClear.OLEAUT32(00000000), ref: 00587D74
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00587E62
__swprintf.LIBCMT ref: 00587E92
VarR8FromDec.OLEAUT32(?,?), ref: 00587EBE
VariantInit.OLEAUT32(?), ref: 00587F6F
SysFreeString.OLEAUT32(00000016), ref: 00588003
VariantClear.OLEAUT32(?), ref: 0058805D
VariantClear.OLEAUT32(?), ref: 0058806C
VariantInit.OLEAUT32(00000000), ref: 005880AA

Strings

Default, xrefs: 00587F1F
%4d%02d%02d%02d%02d%02d, xrefs: 00587E8C

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 69eefe2616099d94ed1c0bb2e7006172b6f9d752d021dc37aa58bd3c8eff319d
Instruction ID: a9f4eab600ef4484bb34d91b23c1b9d5e3ef77c9bd9d8af478d6e91c5e86f0f5
Opcode Fuzzy Hash: 69eefe2616099d94ed1c0bb2e7006172b6f9d752d021dc37aa58bd3c8eff319d
Instruction Fuzzy Hash: 27D1A171A0861ADBDB10FF65D849B7ABFB4BF49300F248855E915BB280DB74EC44DBA0

Function 005A4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005A4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005A446F

Strings

EXISTS, xrefs: 005A44D8
COLLAPSE, xrefs: 005A44B5
SELECT, xrefs: 005A4620
CHECK, xrefs: 005A448F
GETITEMCOUNT, xrefs: 005A4551
GETTEXT, xrefs: 005A45C2
EXPAND, xrefs: 005A4521
ISCHECKED, xrefs: 005A45F2
GETTOTALCOUNT, xrefs: 005A4456
GETSELECTED, xrefs: 005A457F
UNCHECK, xrefs: 005A464B

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 8281d2fc9bf8c15d423b1434d96895dd090025fc033aab0946479dfb955aac5f
Instruction ID: ed0bf2c0d549ad2734f09e8226d2ff0bcd30298dc0b0c8beb20960bbfd437784
Opcode Fuzzy Hash: 8281d2fc9bf8c15d423b1434d96895dd090025fc033aab0946479dfb955aac5f
Instruction Fuzzy Hash: F29179712043129BCB08EF60D455A6EBFE1BFD6354F148869F8965B3A2CB70ED09CB91

Function 005AB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005AB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,005A6B11,?), ref: 005AB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005AB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005AB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005AB9C3
FreeLibrary.KERNEL32(?), ref: 005AB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005AB9DF
DestroyIcon.USER32(?), ref: 005AB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 005ABA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 005ABA17

Part of subcall function 00542EFD: __wcsicmp_l.LIBCMT ref: 00542F86

Strings

.exe, xrefs: 005AB84A
.dll, xrefs: 005AB86D
.icl, xrefs: 005AB82A

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 88c26aa1ba96fbf7be92acb31b09922afbefff8cb8019ed2129560a122a9b930
Instruction ID: b9922f2316604494b025e814685c35332cee6e4928de846ac0e707b2ac0d16f0
Opcode Fuzzy Hash: 88c26aa1ba96fbf7be92acb31b09922afbefff8cb8019ed2129560a122a9b930
Instruction Fuzzy Hash: A361EB7190022ABEFB14DF64CC45BBE7BA8FF0A710F104516FA15D61C2DB749990DBA0

Function 0058DC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0058DCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 0058DCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0058DCF8
__wsplitpath.LIBCMT ref: 0058DD56
_wcscat.LIBCMT ref: 0058DD6E
_wcscat.LIBCMT ref: 0058DD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0058DD95
SetCurrentDirectoryW.KERNEL32(?), ref: 0058DDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 0058DDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 0058DDFC
_wcscpy.LIBCMT ref: 0058DE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0058DE47

Strings

*.*, xrefs: 0058DE02

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 8a07a067e0922b07654bb86d00d79704ca883d6deb94fc800aa45079002a4a87
Instruction ID: a05c43a64324da9e2fa37aaade67b2b1c9f83a3db02618bad8fbbee7f7136403
Opcode Fuzzy Hash: 8a07a067e0922b07654bb86d00d79704ca883d6deb94fc800aa45079002a4a87
Instruction Fuzzy Hash: 00617D725042169FCB10EF60D8499AEBBF8FF89314F04491DF989D7291DB31E945CBA1

Function 00589C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00589C7F

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00589CA0
__swprintf.LIBCMT ref: 00589CF9
__swprintf.LIBCMT ref: 00589D12
_wprintf.LIBCMT ref: 00589DB9
_wprintf.LIBCMT ref: 00589DD7

Strings

Line %d (File "%s"):, xrefs: 00589CF3, 00589D0C
Incorrect parameters to object property !, xrefs: 00589D5B
"%s" (%d) : ==> %s:%s%s, xrefs: 00589DB4
Error: , xrefs: 00589D81
"%s" (%d) : ==> %s:, xrefs: 00589DD2
^ ERROR , xrefs: 00589D4E

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: f04327e9cec4be736b8999ac5c3ac692f3ccb8433a5e51e44c2976eb99b9def7
Instruction ID: eb930ced495c0c63e0f45eba9c804347e9924c0d837091f46d2ecaf7a2d35a26
Opcode Fuzzy Hash: f04327e9cec4be736b8999ac5c3ac692f3ccb8433a5e51e44c2976eb99b9def7
Instruction Fuzzy Hash: 6751713290151AAACF14FBE4ED4AEEEBF78BF59300F504066B505721A1EB312E58DB60

Function 0058A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

CharLowerBuffW.USER32(?,?), ref: 0058A3CB
GetDriveTypeW.KERNEL32 ref: 0058A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0058A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0058A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0058A4C5

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

Strings

open, xrefs: 0058A3F2
closed, xrefs: 0058A3DF, 0058A3E8
type cdaudio alias cd wait, xrefs: 0058A443
close cd wait, xrefs: 0058A4B0
open , xrefs: 0058A427
set cd door , xrefs: 0058A466
close, xrefs: 0058A3D1
wait, xrefs: 0058A482

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: de309d533e252a0d578f7d53c4d9f06628909bdf63b9fd65fa5991e7f63eeb05
Instruction ID: c07a4b8d146265556b37f47743011f3811db6e4f0dc2b7f261018402722d0984
Opcode Fuzzy Hash: de309d533e252a0d578f7d53c4d9f06628909bdf63b9fd65fa5991e7f63eeb05
Instruction Fuzzy Hash: 68516D711043169FC700EF24D89596ABBE4FF99718F14486EF889673A1DB31ED09CB92

Function 0057F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0055E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0057F8DF
LoadStringW.USER32(00000000,?,0055E029,00000001), ref: 0057F8E8

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0055E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0057F90A
LoadStringW.USER32(00000000,?,0055E029,00000001), ref: 0057F90D
__swprintf.LIBCMT ref: 0057F95D
__swprintf.LIBCMT ref: 0057F96E
_wprintf.LIBCMT ref: 0057FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0057FA2E

Strings

Line %d (File "%s"):, xrefs: 0057F957
Error: , xrefs: 0057F9E5
%s (%d) : ==> %s: %s %s, xrefs: 0057FA12
Line %d:, xrefs: 0057F968
^ ERROR, xrefs: 0057F9C3

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 5329b98d0870cc1a753e266666436df9de9a44ebcd372c145f05981e79165bab
Instruction ID: 92202e55374f73ea10677c6cf3d6439690e42688b871794dab97be28e2239ba8
Opcode Fuzzy Hash: 5329b98d0870cc1a753e266666436df9de9a44ebcd372c145f05981e79165bab
Instruction Fuzzy Hash: ED413D7280451EAACF14FFE4ED8ADEE7B78BF99300F100065B509761A1EA316F49DB60

Function 005ABA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 005ABA56
GetFileSize.KERNEL32(00000000,00000000), ref: 005ABA6D
GlobalAlloc.KERNEL32(00000002,00000000), ref: 005ABA78
CloseHandle.KERNEL32(00000000), ref: 005ABA85
GlobalLock.KERNEL32(00000000), ref: 005ABA8E
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 005ABA9D
GlobalUnlock.KERNEL32(00000000), ref: 005ABAA6
CloseHandle.KERNEL32(00000000), ref: 005ABAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 005ABABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,005B2CAC,?), ref: 005ABAD7
GlobalFree.KERNEL32(00000000), ref: 005ABAE7
GetObjectW.GDI32(?,00000018,000000FF), ref: 005ABB0B
CopyImage.USER32(?,00000000,?,?,00002000), ref: 005ABB36
DeleteObject.GDI32(00000000), ref: 005ABB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005ABB74

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 6c2569ee1cae1000a89cd790e5a683078284821aec46458675f4945d8ebf65f4
Instruction ID: 317f04447017e6075174d8f0ca62ca3b2b7f7c31c90afbc3db096a621c8b39a2
Opcode Fuzzy Hash: 6c2569ee1cae1000a89cd790e5a683078284821aec46458675f4945d8ebf65f4
Instruction Fuzzy Hash: BE411675600208AFDB219FA5DC88EAEBBB8FF9A711F104068F905D7261D7309E05DB60

Function 0058D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0058DA10
_wcscat.LIBCMT ref: 0058DA28
_wcscat.LIBCMT ref: 0058DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0058DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0058DA63
GetFileAttributesW.KERNEL32(?), ref: 0058DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0058DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0058DAA7

Strings

*.*, xrefs: 0058DAE6

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: c23bc01092f35cee97749083a5accd715ecf5ac4ca3dc63946baf849821168ec
Instruction ID: 2beffe319466679b906b6302fd85d24425e9712c0beee90b9e79a4b361292792
Opcode Fuzzy Hash: c23bc01092f35cee97749083a5accd715ecf5ac4ca3dc63946baf849821168ec
Instruction Fuzzy Hash: 268161725042459FCB64EF64C845AAABBF4BF89314F184C2EFC89E7291E630D945CB62

Function 005AC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005AC1FC
GetFocus.USER32 ref: 005AC20C
GetDlgCtrlID.USER32(00000000), ref: 005AC217
_memset.LIBCMT ref: 005AC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 005AC36D
GetMenuItemCount.USER32(?), ref: 005AC38D
GetMenuItemID.USER32(?,00000000), ref: 005AC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 005AC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 005AC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005AC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 005AC489

Strings

0, xrefs: 005AC33A

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 61c52d8b5d03a56a2387c66a72ca6fac308cc423e857f759fedeccfa672b4102
Instruction ID: 204df07378eaffc2d3041c492888d8b5cafbd672ee0e3f4ed7a46013ceab38fd
Opcode Fuzzy Hash: 61c52d8b5d03a56a2387c66a72ca6fac308cc423e857f759fedeccfa672b4102
Instruction Fuzzy Hash: E8818A70608301AFDB24CF64C894A6EBFE9FF8A714F00492EF99597291D770D905DBA2

Function 0059731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0059738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0059739B
CreateCompatibleDC.GDI32(?), ref: 005973A7
SelectObject.GDI32(00000000,?), ref: 005973B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00597408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00597444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00597468
SelectObject.GDI32(00000006,?), ref: 00597470
DeleteObject.GDI32(?), ref: 00597479
DeleteDC.GDI32(00000006), ref: 00597480
ReleaseDC.USER32(00000000,?), ref: 0059748B

Strings

(, xrefs: 00597410

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 3c391324e571168c78dbca1b92ddb3cadc608180b9ade097ef308979f04b49f9
Instruction ID: f165bf2ab0bce77d9b6f664bee46c23d26ba4c9660621dc4d82017142a1d8549
Opcode Fuzzy Hash: 3c391324e571168c78dbca1b92ddb3cadc608180b9ade097ef308979f04b49f9
Instruction Fuzzy Hash: 8D513975904209EFCB14CFA8CC89EAEBBB9FF49310F14852EF95A97211C731A944DB50

Function 00526A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00540957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00526B0C,?,00008000), ref: 00540973

Part of subcall function 00524750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00524743,?,?,005237AE,?), ref: 00524770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00526BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00526CFA

Part of subcall function 0052586D: _wcscpy.LIBCMT ref: 005258A5

Part of subcall function 0054363D: _iswctype.LIBCMT ref: 00543645

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0055E496
EA06, xrefs: 0055E452
Error opening the file, xrefs: 0055E43D, 0055E4B8
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0055E421
Bad directive syntax error, xrefs: 0055E79D
Unterminated string, xrefs: 0055E7E4
AU3!, xrefs: 00526B61

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 3e3f4fb6efbda45031ff876340d67c50b33a0d5235c09675247f077fd6d7c792
Instruction ID: a12bc844026122a87a5856ac8edb6a31930c0e4ae3eaafd9bfadadbea3925316
Opcode Fuzzy Hash: 3e3f4fb6efbda45031ff876340d67c50b33a0d5235c09675247f077fd6d7c792
Instruction Fuzzy Hash: D70279301083529FC714EF24D8959AEBFE5BFDA354F10481EF889972A1EB30DA49CB52

Function 00582D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00582D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00582DDD
GetMenuItemCount.USER32(005E5890), ref: 00582E66
DeleteMenu.USER32(005E5890,00000005,00000000,000000F5,?,?), ref: 00582EF6
DeleteMenu.USER32(005E5890,00000004,00000000), ref: 00582EFE
DeleteMenu.USER32(005E5890,00000006,00000000), ref: 00582F06
DeleteMenu.USER32(005E5890,00000003,00000000), ref: 00582F0E
GetMenuItemCount.USER32(005E5890), ref: 00582F16
SetMenuItemInfoW.USER32(005E5890,00000004,00000000,00000030), ref: 00582F4C
GetCursorPos.USER32(?), ref: 00582F56
SetForegroundWindow.USER32(00000000), ref: 00582F5F
TrackPopupMenuEx.USER32(005E5890,00000000,?,00000000,00000000,00000000), ref: 00582F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00582F7E

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 20bb3f7bdd550840d5be90a7dfdcfc82ba19621405f116f91ac41e817899d418
Instruction ID: b8d22ed5ae36641d4c8bfafda6df93e3258d1273b122b3f8d61160152f47b2a8
Opcode Fuzzy Hash: 20bb3f7bdd550840d5be90a7dfdcfc82ba19621405f116f91ac41e817899d418
Instruction Fuzzy Hash: 23710770601206BFEB21AF54DC8AFAABF68FF45324F140216FA25BA1E1C7B15C50DB95

Function 005988AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005988D7
CoInitialize.OLE32(00000000), ref: 00598904
CoUninitialize.OLE32 ref: 0059890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00598A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00598B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,005B2C0C), ref: 00598B6F
CoGetObject.OLE32(?,00000000,005B2C0C,?), ref: 00598B92
SetErrorMode.KERNEL32(00000000), ref: 00598BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00598C25
VariantClear.OLEAUT32(?), ref: 00598C35

Strings

,,[, xrefs: 005988C1

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,[
API String ID: 2395222682-194938180
Opcode ID: fc68499414b60d2d617a24b5799bd34421aacfced03b71cff9aa13a5a525f172
Instruction ID: 0e7c16ff2418d8e597e9fa68a2df5fb287caa1ace1287c3cd5c0bb6542e7e5e7
Opcode Fuzzy Hash: fc68499414b60d2d617a24b5799bd34421aacfced03b71cff9aa13a5a525f172
Instruction Fuzzy Hash: A4C118B1608305AFDB00DF64C88492BBBE9FF8A748F04495DF98A9B251DB71ED05CB52

Function 005777DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

_memset.LIBCMT ref: 0057786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005778A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005778BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005778D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00577902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0057792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00577935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0057793A

Strings

\CLSID, xrefs: 00577822
SOFTWARE\Classes\, xrefs: 0057780C
\IPC$, xrefs: 00577882

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: d0130878f4a200e39738d5fc8b4e6db5c0bf0246a1e5f81c87e26785b26f2f20
Instruction ID: 17913b7457300c286b095e2a944ec807f3f0ae4a6cbb83192515cc68fe10e2d3
Opcode Fuzzy Hash: d0130878f4a200e39738d5fc8b4e6db5c0bf0246a1e5f81c87e26785b26f2f20
Instruction Fuzzy Hash: 2B41F97281462EAACB21EFA4EC59DEDBB78FF59710F40442AE905A21A1EA305D05DB90

Function 005A0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059FDAD,?,?), ref: 005A0E31

Strings

HKCU, xrefs: 005A0F21
HKEY_LOCAL_MACHINE, xrefs: 005A0E9A
HKEY_CURRENT_USER, xrefs: 005A0F10
HKCR, xrefs: 005A0ED9
HKCC, xrefs: 005A0EFF
HKEY_CURRENT_CONFIG, xrefs: 005A0EEE
HKU, xrefs: 005A0F43
HKEY_USERS, xrefs: 005A0F32
HKEY_CLASSES_ROOT, xrefs: 005A0EC4
HKLM, xrefs: 005A0EAF

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 0c346221c843d1ef1db68e36a52514c0cd28b0432af781b3e616142c55b25901
Instruction ID: 66c5959bbd3c6f688128eab30a5d0785e47a8bdc6da10e04950bfa31d6612a28
Opcode Fuzzy Hash: 0c346221c843d1ef1db68e36a52514c0cd28b0432af781b3e616142c55b25901
Instruction Fuzzy Hash: CD416D3115024A8FCF20EF14D869AEE3FA4BF56344F141456FC552B2D2DB309D5ACBA0

Function 0057F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0055E2A0,00000010,?,Bad directive syntax error,005AF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0057F7C2
LoadStringW.USER32(00000000,?,0055E2A0,00000010), ref: 0057F7C9

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

_wprintf.LIBCMT ref: 0057F7FC
__swprintf.LIBCMT ref: 0057F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0057F88D

Strings

., xrefs: 0057F873
Line %d (File "%s"):, xrefs: 0057F833
Error: , xrefs: 0057F85B
Line %d:, xrefs: 0057F818
%s (%d) : ==> %s.: %s %s, xrefs: 0057F7F7

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: eed8393d9e03f15a5b474f52c527b9de0d569db42c1cc8a5f13420c845c85548
Instruction ID: 8f4321abef9280bb0a91e2ab5f3ac3ccb70eee8356ba43a5455bc34f4453947e
Opcode Fuzzy Hash: eed8393d9e03f15a5b474f52c527b9de0d569db42c1cc8a5f13420c845c85548
Instruction Fuzzy Hash: 59216D3294021EABCF11EFA0DC4AEFE7F39BF19300F044466B509661A1EA719A18DB51

Function 005852C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

Part of subcall function 00527924: _memmove.LIBCMT ref: 005279AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00585330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00585346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00585357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00585369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0058537A

Strings

alias PlayMe, xrefs: 00585309
open , xrefs: 005852DF
play PlayMe, xrefs: 00585375
status PlayMe mode, xrefs: 0058532B
close PlayMe, xrefs: 00585341, 0058536E
play PlayMe wait, xrefs: 00585364

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 0809aaf4048c612e57923ecab52d720bffa9f8e2c040d9cc3f355c64ccaf607b
Instruction ID: 6fcee9585e32d8cacbc0ceaeafc2562cc49efcddc7a80dffb479e52d8af7f8c1
Opcode Fuzzy Hash: 0809aaf4048c612e57923ecab52d720bffa9f8e2c040d9cc3f355c64ccaf607b
Instruction Fuzzy Hash: 78115E21A5022E79D720FA75DC4ADFF6E7CFFE6B50F00082AB801A21D1EEA05D45C6A0

Function 005846B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005846D2
gethostname.WSOCK32(?,00000100), ref: 005846EC
gethostbyname.WSOCK32(?), ref: 005846F9
_wcscpy.LIBCMT ref: 00584721
_memmove.LIBCMT ref: 00584734
inet_ntoa.WSOCK32(?), ref: 0058473F
_strcat.LIBCMT ref: 0058474D
_wcscpy.LIBCMT ref: 00584764
WSACleanup.WSOCK32 ref: 00584772
_wcscpy.LIBCMT ref: 00584780

Strings

0.0.0.0, xrefs: 0058471B

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 7584c9cd731c1ef66228508ad625d5f8fb83c94797f5c05d4c8ca4fe7f078145
Instruction ID: bcc72cd9e7bf3cf76b840f7d29ffeb0fe5a3cadd75eacfa65d7a448ec7f3d904
Opcode Fuzzy Hash: 7584c9cd731c1ef66228508ad625d5f8fb83c94797f5c05d4c8ca4fe7f078145
Instruction Fuzzy Hash: DD11D5319001166FCB24BB709C4AEEA7FBCFF52715F0401B6F945E60A1EF7499869B50

Function 00584F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00584F7A

Part of subcall function 0054049F: timeGetTime.WINMM(?,75C0B400,00530E7B), ref: 005404A3

Sleep.KERNEL32(0000000A), ref: 00584FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00584FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00584FEC
SetActiveWindow.USER32 ref: 0058500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00585019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00585038
Sleep.KERNEL32(000000FA), ref: 00585043
IsWindow.USER32 ref: 0058504F
EndDialog.USER32(00000000), ref: 00585060

Strings

BUTTON, xrefs: 00584FDE

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 9092abfcafcba58806325b15d93f0eef502748b782799d7a7a6708df94e4d253
Instruction ID: ffa22721884a5db56ec3e1cee17fae763711dcfec7e2635cb0a797c88795cf1e
Opcode Fuzzy Hash: 9092abfcafcba58806325b15d93f0eef502748b782799d7a7a6708df94e4d253
Instruction Fuzzy Hash: 16219274600B45AFE7146F60ECCCA363FA9FB75785B441029FA42962B1EB714D08EB61

Function 0058D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

CoInitialize.OLE32(00000000), ref: 0058D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0058D67D
SHGetDesktopFolder.SHELL32(?), ref: 0058D691
CoCreateInstance.OLE32(005B2D7C,00000000,00000001,005D8C1C,?), ref: 0058D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0058D74C
CoTaskMemFree.OLE32(?,?), ref: 0058D7A4
_memset.LIBCMT ref: 0058D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0058D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0058D840
CoTaskMemFree.OLE32(00000000), ref: 0058D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0058D87E
CoUninitialize.OLE32(00000001,00000000), ref: 0058D880

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 0e63630d2cad472b3d9655c804cfa880abb70034a32a64078aca9f466cffd300
Instruction ID: 13ff002b9915697c59ff190a687883909e72e4c4372bdc4c9b1bdea50ca096ae
Opcode Fuzzy Hash: 0e63630d2cad472b3d9655c804cfa880abb70034a32a64078aca9f466cffd300
Instruction Fuzzy Hash: 0BB1EC75A00119AFDB04DFA4D888DAEBBF9FF49314F148469E909EB261DB30ED45CB50

Function 0057C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0057C283
GetWindowRect.USER32(00000000,?), ref: 0057C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0057C2F3
GetDlgItem.USER32(?,00000002), ref: 0057C2FE
GetWindowRect.USER32(00000000,?), ref: 0057C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0057C364
GetDlgItem.USER32(?,000003E9), ref: 0057C372
GetWindowRect.USER32(00000000,?), ref: 0057C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0057C3C6
GetDlgItem.USER32(?,000003EA), ref: 0057C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0057C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0057C3FE

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 403eb39349cae5b7faabe8e83214ae170df0ccf13c907fd4ab790a136f3f50c1
Instruction ID: 5493bfe1f64930801864f5411834532026c5c5d64212f611def3d3a88134ea3f
Opcode Fuzzy Hash: 403eb39349cae5b7faabe8e83214ae170df0ccf13c907fd4ab790a136f3f50c1
Instruction Fuzzy Hash: B9514D71B00205ABDB18CFA9DD89AAEBBBAFB98311F14852DF51AD7290D7709D049B10

Function 0052201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00521B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00522036,?,00000000,?,?,?,?,005216CB,00000000,?), ref: 00521B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 005220D3
KillTimer.USER32(-00000001,?,?,?,?,005216CB,00000000,?,?,00521AE2,?,?), ref: 0052216E
DestroyAcceleratorTable.USER32(00000000), ref: 0055BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005216CB,00000000,?,?,00521AE2,?,?), ref: 0055BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005216CB,00000000,?,?,00521AE2,?,?), ref: 0055BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005216CB,00000000,?,?,00521AE2,?,?), ref: 0055BD0A
DeleteObject.GDI32(00000000), ref: 0055BD1C

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: caf72902723a3d94a023dd2fd3c59c52bd602214a86b3af1d7a6c47349796996
Instruction ID: 318d893875da3f0df2723b401d79b3f95d6d1dc73123d02ae645989f89910a35
Opcode Fuzzy Hash: caf72902723a3d94a023dd2fd3c59c52bd602214a86b3af1d7a6c47349796996
Instruction Fuzzy Hash: 8E61A035504B61EFDB399F14E99CB257FF1FF62316F204529E9824A5B0C770A898EB80

Function 005221A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 005225DB: GetWindowLongW.USER32(?,000000EB), ref: 005225EC

GetSysColor.USER32(0000000F), ref: 005221D3

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 2715b610955d5587f0d3508794bb5159fafbb7932b58164e3bf59f2dd716139f
Instruction ID: ba16501cb0f89fbda8ab5c600d45ef11ec4478e6683f5d511513a6842a9ff0a7
Opcode Fuzzy Hash: 2715b610955d5587f0d3508794bb5159fafbb7932b58164e3bf59f2dd716139f
Instruction Fuzzy Hash: 22419039100150EADB255F68EC98BB93F66FF17321F184365FE659A1E1C7328C46EB21

Function 0058A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,005AF910), ref: 0058A90B
GetDriveTypeW.KERNEL32(00000061,005D89A0,00000061), ref: 0058A9D5
_wcscpy.LIBCMT ref: 0058A9FF

Strings

fixed, xrefs: 0058A953
unknown, xrefs: 0058A996
network, xrefs: 0058A969
all, xrefs: 0058A911
ramdisk, xrefs: 0058A97F
removable, xrefs: 0058A93D
cdrom, xrefs: 0058A927

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 0f60b3c3b6672af0cce4bd5057db5936fb2662b856e0bf64f468befcb1a0ad12
Instruction ID: 0ffc0a2a16a59dae38cd65251550c4d07f8af56812ef1e401c29e3b597fba130
Opcode Fuzzy Hash: 0f60b3c3b6672af0cce4bd5057db5936fb2662b856e0bf64f468befcb1a0ad12
Instruction Fuzzy Hash: 72518A311083029BD314EF14D896AAEBFA5FFC5704F14482EF999672E2DB319909CB93

Function 00529837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00529862
__swprintf.LIBCMT ref: 005298AC
__i64tow.LIBCMT ref: 0055F5E6

Strings

%.15g, xrefs: 005298A6
False, xrefs: 0055F5AE
True, xrefs: 0055F5A7
0x%p, xrefs: 0055F5C8

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: c5b7a88f04eefe2f92ace5407b526680e6c31034f476c163f3589ac74b6b75bb
Instruction ID: 111cb684d52535c49ca798f1a0a4f275674378d22df452871c124798afe42905
Opcode Fuzzy Hash: c5b7a88f04eefe2f92ace5407b526680e6c31034f476c163f3589ac74b6b75bb
Instruction Fuzzy Hash: 1541B571900216AFDB24DF34E85AAB67FE8FF46304F24486FE949D72D1FA3199458B10

Function 005A7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005A716A
CreateMenu.USER32 ref: 005A7185
SetMenu.USER32(?,00000000), ref: 005A7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005A7221
IsMenu.USER32(?), ref: 005A7237
CreatePopupMenu.USER32 ref: 005A7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005A726E
DrawMenuBar.USER32 ref: 005A7276

Strings

0, xrefs: 005A7160
F, xrefs: 005A7262

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: a91d2e5536abf36528611632a109c28d71734e40361a74d2d898d2c8ede4e1d5
Instruction ID: fbc6ccb39c13c58c2edf9451b96a07aac53c34b9bdc02cc36327c8ffc47d81b5
Opcode Fuzzy Hash: a91d2e5536abf36528611632a109c28d71734e40361a74d2d898d2c8ede4e1d5
Instruction Fuzzy Hash: 05412378A01209EFDB20DFA4D988B9ABBB5FF5E310F144028F945A7361D731A914DBA0

Function 005A74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 005A755E
CreateCompatibleDC.GDI32(00000000), ref: 005A7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 005A7578
SelectObject.GDI32(00000000,00000000), ref: 005A7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 005A758B
DeleteDC.GDI32(00000000), ref: 005A7594
GetWindowLongW.USER32(?,000000EC), ref: 005A759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 005A75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 005A75BE

Strings

static, xrefs: 005A74F6

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: d1d787fcef507af08fd33b174dad49f79e12751693997cabe429280027009268
Instruction ID: c569fc2054bd13ce6aaeba849fa7a87fa9133f2583cfdcf7624c1cd43dafca21
Opcode Fuzzy Hash: d1d787fcef507af08fd33b174dad49f79e12751693997cabe429280027009268
Instruction Fuzzy Hash: 8C314732505219ABDF119FA4DC08FEB3FA9FF1E360F110224FA55A60A0D731D825EBA4

Function 00546E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00546E3E

Part of subcall function 00548B28: __getptd_noexit.LIBCMT ref: 00548B28

__gmtime64_s.LIBCMT ref: 00546ED7
__gmtime64_s.LIBCMT ref: 00546F0D
__gmtime64_s.LIBCMT ref: 00546F2A
__allrem.LIBCMT ref: 00546F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00546F9C
__allrem.LIBCMT ref: 00546FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00546FD1
__allrem.LIBCMT ref: 00546FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00547006
__invoke_watson.LIBCMT ref: 00547077

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 66263885d2c01860fc948617693a8b64b59aa89a3cf7ff0fac1041ea27f20f23
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 2E711672A00717ABD7149E68CC45BEBBBE8BF45368F10452AF818D7281F770ED548B91

Function 00582527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00582542
GetMenuItemInfoW.USER32(005E5890,000000FF,00000000,00000030), ref: 005825A3
SetMenuItemInfoW.USER32(005E5890,00000004,00000000,00000030), ref: 005825D9
Sleep.KERNEL32(000001F4), ref: 005825EB
GetMenuItemCount.USER32(?), ref: 0058262F
GetMenuItemID.USER32(?,00000000), ref: 0058264B
GetMenuItemID.USER32(?,-00000001), ref: 00582675
GetMenuItemID.USER32(?,?), ref: 005826BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00582700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00582714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00582735

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: ec363c3548db267292099f8161e765bea1b527dd5e6eead54c8bc69c333170e8
Instruction ID: a94dbee1e41bdc3a0c431820fde6ce32074ae783075fd099802b7270da581653
Opcode Fuzzy Hash: ec363c3548db267292099f8161e765bea1b527dd5e6eead54c8bc69c333170e8
Instruction Fuzzy Hash: 77618D7490024AAFDF11EFA5D8889AE7FB8FB45308F140459EC42A7251EB31AD09DB21

Function 005A6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005A6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005A6FA8
GetWindowLongW.USER32(?,000000F0), ref: 005A6FCC
_memset.LIBCMT ref: 005A6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005A6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005A7067

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: c4a95edf85eeaee134164a7a5acf709b8ec442a3c589902346e53c611bb44b44
Instruction ID: ade153dbce94e7278757e1e9801bb5be1438a169492dfa0bf13ca6c527317b27
Opcode Fuzzy Hash: c4a95edf85eeaee134164a7a5acf709b8ec442a3c589902346e53c611bb44b44
Instruction Fuzzy Hash: DC619A74900248AFDB10DFA4CC85EEE7BF8FB0A314F140169FA04AB2A1D771AD45DB90

Function 00576B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00576BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00576C18
VariantInit.OLEAUT32(?), ref: 00576C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00576C4A
VariantCopy.OLEAUT32(?,?), ref: 00576C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00576CB1
VariantClear.OLEAUT32(?), ref: 00576CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00576CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00576CDC
VariantClear.OLEAUT32(?), ref: 00576CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00576CF9

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 412cb731673d8f5edd95463883c9cb480a46556ec5f66a87e61db0b8af508df4
Instruction ID: e47cf511a4ef8f51886a81615c2d79d07a684a52efc4d8a28ffbe71d2396aabe
Opcode Fuzzy Hash: 412cb731673d8f5edd95463883c9cb480a46556ec5f66a87e61db0b8af508df4
Instruction Fuzzy Hash: 1C414075A0011A9FCF04DFA4D8489AEBFB9FF59350F00C069E959A7261DB30AD45DB90

Function 005983BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

CoInitialize.OLE32 ref: 00598403
CoUninitialize.OLE32 ref: 0059840E
CoCreateInstance.OLE32(?,00000000,00000017,005B2BEC,?), ref: 0059846E
IIDFromString.OLE32(?,?), ref: 005984E1
VariantInit.OLEAUT32(?), ref: 0059857B
VariantClear.OLEAUT32(?), ref: 005985DC

Strings

Invalid parameter, xrefs: 005984FA
NULL Pointer assignment, xrefs: 005984B3
Failed to create object, xrefs: 00598479, 0059852F

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 82490001719e87203e9cfef9d3bcc668ade4240a56511c40b1c683dc05584b93
Instruction ID: e037d83c74828afa5268aade594be8662c1fe64f9cbe13b6d5c40f4fc7ebdba5
Opcode Fuzzy Hash: 82490001719e87203e9cfef9d3bcc668ade4240a56511c40b1c683dc05584b93
Instruction Fuzzy Hash: 21619270608312AFCB10DF54D848F6ABFE4BF8A754F144819F9859B291DB70ED48CB92

Function 00595732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00595793
inet_addr.WSOCK32(?,?,?), ref: 005957D8
gethostbyname.WSOCK32(?), ref: 005957E4
IcmpCreateFile.IPHLPAPI ref: 005957F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00595862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00595878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 005958ED
WSACleanup.WSOCK32 ref: 005958F3

Strings

Ping, xrefs: 00595816

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: d91467bfc86ae40de436c8dab0f22aab50111e134cb035601112e3fdd5a5a7b7
Instruction ID: 4885941ead4419fbde8963d49ac22913d1ad014036a7f7917fa0ad227c612c55
Opcode Fuzzy Hash: d91467bfc86ae40de436c8dab0f22aab50111e134cb035601112e3fdd5a5a7b7
Instruction Fuzzy Hash: 82517E316046019FDB11EF64DC49B2ABBE4FF89720F148929F956DB2E1EB30E914DB41

Function 0058B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0058B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0058B546
GetLastError.KERNEL32 ref: 0058B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0058B5BD

Strings

NOTREADY, xrefs: 0058B57C
UNKNOWN, xrefs: 0058B575
READONLY, xrefs: 0058B588
READY, xrefs: 0058B596
INVALID, xrefs: 0058B58F

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: e0b4a974c1cb8ed40b5ecff628a7f96bc6790f645d0c480d5ae39036fbd4d515
Instruction ID: d51de5f996eacc495f51f3fa7d73919a72c481020a677dc18e492e2616ee5dff
Opcode Fuzzy Hash: e0b4a974c1cb8ed40b5ecff628a7f96bc6790f645d0c480d5ae39036fbd4d515
Instruction Fuzzy Hash: 75318335A0020ADFEB10FB68D889EBE7FB8FF49311F144166E905A7291EB709A45CB51

Function 00578F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Part of subcall function 0057AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0057AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00579014
GetDlgCtrlID.USER32 ref: 0057901F
GetParent.USER32 ref: 0057903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0057903E
GetDlgCtrlID.USER32(?), ref: 00579047
GetParent.USER32(?), ref: 00579063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00579066

Strings

ListBox, xrefs: 00578FD1
ComboBox, xrefs: 00578F9C

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 82a4da26d30be3a795ef7add60ffcc25f30576781abcd63b4a6fc15d2099e7aa
Instruction ID: 3a027925cb637a753de5598bb152ede518aaf12a060dc2f31883d1d8e5dca321
Opcode Fuzzy Hash: 82a4da26d30be3a795ef7add60ffcc25f30576781abcd63b4a6fc15d2099e7aa
Instruction Fuzzy Hash: 4E21B574A00109BBDF14ABA4DC89EBEBF74FF9A310F104116B525572E1DB755819EB20

Function 0057907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Part of subcall function 0057AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0057AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 005790FD
GetDlgCtrlID.USER32 ref: 00579108
GetParent.USER32 ref: 00579124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00579127
GetDlgCtrlID.USER32(?), ref: 00579130
GetParent.USER32(?), ref: 0057914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0057914F

Strings

ListBox, xrefs: 005790BC
ComboBox, xrefs: 00579087

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: ab234634c1950fce1ddfab0cb913a880f21c08ee8e55bbe01d518e7cbf0cf54c
Instruction ID: 3acb1e3232d296a60038985260ff037c5ad3ec661f8ff1dec4ec830ea6e810f9
Opcode Fuzzy Hash: ab234634c1950fce1ddfab0cb913a880f21c08ee8e55bbe01d518e7cbf0cf54c
Instruction Fuzzy Hash: 79210774A00109BBDF10ABA4EC89EFEBF78FF9A300F004016F915972A1DB754819EB20

Function 00579163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0057916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00579184
_wcscmp.LIBCMT ref: 00579196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00579211

Strings

SHELLDLL_DefView, xrefs: 00579190
details, xrefs: 005791BF
largeicons, xrefs: 005791A5
list, xrefs: 005791F3
smallicons, xrefs: 005791D9

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: c7d2fbe69ff7fabef1991ecb7934a8855070187f40bdfd4be32c8c05756523f2
Instruction ID: cd743b63733ef7f41a0c149bc65998456f5ddc445db21569681bd3b2cf647389
Opcode Fuzzy Hash: c7d2fbe69ff7fabef1991ecb7934a8855070187f40bdfd4be32c8c05756523f2
Instruction Fuzzy Hash: 1511EB3B18C31775EA213628FC1ADE73F9CBB15724B204417F904E51D6FE51586176A4

Function 00587990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00587A6C

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 645b6500e3a23e8cb5e099b9044f96054df35ef4046fca0ad8874449984d3de6
Instruction ID: 7ced8ac5eb1557489176f1bdcbddd1d09fe1925c2d3b62b360f1bd771b8a51f1
Opcode Fuzzy Hash: 645b6500e3a23e8cb5e099b9044f96054df35ef4046fca0ad8874449984d3de6
Instruction Fuzzy Hash: F3B16A7190421A9FDB00EFA4C889BBEBBB5FF4D321F244429EA41A7291D734E945DB90

Function 005811CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005811F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00580268,?,00000001), ref: 00581204
GetWindowThreadProcessId.USER32(00000000), ref: 0058120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00580268,?,00000001), ref: 0058121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0058122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00580268,?,00000001), ref: 00581245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00580268,?,00000001), ref: 00581257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00580268,?,00000001), ref: 0058129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00580268,?,00000001), ref: 005812B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00580268,?,00000001), ref: 005812BC

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 31a3e86303e24c8e659eeca0048aeaf25fb0c506914844bf9310cec9fb27b6b5
Instruction ID: dbca7798113b804e9e5fa52b4597d28517b928f0701ee4a3bc4f53d0f0e80ff9
Opcode Fuzzy Hash: 31a3e86303e24c8e659eeca0048aeaf25fb0c506914844bf9310cec9fb27b6b5
Instruction Fuzzy Hash: 4431FF79600604FBEB64AF91ED88F693BADFB75391F104114FC11EB1A0D3B09D499B54

Function 0052FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0052FAA6
OleUninitialize.OLE32(?,00000000), ref: 0052FB45
UnregisterHotKey.USER32(?), ref: 0052FC9C
DestroyWindow.USER32(?), ref: 005645D6
FreeLibrary.KERNEL32(?), ref: 0056463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00564668

Strings

close all, xrefs: 0052FAA1

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 93a49a17bce98e71ac7844f35d9672099dc9966db17f99c05180f27c5ef53a48
Instruction ID: 9e019040bc527337f3a7016fa45a9b6441f1974e4610ebfe310aa4da9bba5a09
Opcode Fuzzy Hash: 93a49a17bce98e71ac7844f35d9672099dc9966db17f99c05180f27c5ef53a48
Instruction Fuzzy Hash: 12A17031701222CFCB19EF14E599A69FB64BF56704F5446BDE80AAB2A1DB30AC16CF50

Function 00599113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00599167
VariantInit.OLEAUT32(?), ref: 00599238
VariantInit.OLEAUT32(?), ref: 00599339
VariantClear.OLEAUT32(?), ref: 00599343
VariantClear.OLEAUT32(?), ref: 005993A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0059931C
,,[, xrefs: 005991E5
Null Object assignment in FOR..IN loop, xrefs: 005991C8, 005992F6, 005993AE

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,[$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-2264883311
Opcode ID: aaccae6bf64bc43650bb73bcf11afdab4c0e6aed455aec5a5f58b7ef1c2c121e
Instruction ID: cb5a37af55537c33d5f06c338b761260f843981d18789d6f3c20cfef68383495
Opcode Fuzzy Hash: aaccae6bf64bc43650bb73bcf11afdab4c0e6aed455aec5a5f58b7ef1c2c121e
Instruction Fuzzy Hash: 09915E71A00219ABDF24DFA9C848FAEBBB8FF85714F10855EF515AB280D7709945CFA0

Function 0057A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0057A439), ref: 0057A377

Strings

CLASS, xrefs: 0057A0F6
INSTANCE, xrefs: 0057A285
NAME, xrefs: 0057A1A9
CLASSNN, xrefs: 0057A119
TEXT, xrefs: 0057A2AE
REGEXPCLASS, xrefs: 0057A13C

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: afa3b74a34f1941e4de8847f5e142d55fe2d52f160cb8836d82e572c2b08a327
Instruction ID: 0f7a6d49abbba6d8b1184912e9af88c5ac6d0e847b0198b5b4ed1cbbe0858ecf
Opcode Fuzzy Hash: afa3b74a34f1941e4de8847f5e142d55fe2d52f160cb8836d82e572c2b08a327
Instruction Fuzzy Hash: BC910631600606AADB08DFA0D459BEDFFB4BF84304F54C51AE84DA3292DF306999EBD1

Function 00522E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00522EAE

Part of subcall function 00521DB3: GetClientRect.USER32(?,?), ref: 00521DDC
Part of subcall function 00521DB3: GetWindowRect.USER32(?,?), ref: 00521E1D
Part of subcall function 00521DB3: ScreenToClient.USER32(?,?), ref: 00521E45

GetDC.USER32 ref: 0055CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0055CD45
SelectObject.GDI32(00000000,00000000), ref: 0055CD53
SelectObject.GDI32(00000000,00000000), ref: 0055CD68
ReleaseDC.USER32(?,00000000), ref: 0055CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0055CDFB

Strings

U, xrefs: 0055CCD0

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 98c38df127071c36addf99adee27e5b950a686dc3ca6a6b27e9dc028b8d9ab51
Instruction ID: 3551b44a6ad9486b2da0504ac4c9b3aacdf2c2dc1a258fe35d4ec27adaad65f8
Opcode Fuzzy Hash: 98c38df127071c36addf99adee27e5b950a686dc3ca6a6b27e9dc028b8d9ab51
Instruction Fuzzy Hash: 2471F231400345EFCF258F64CC94ABA3FB5FF5A325F14466AED569A2A6D7308C48EB60

Function 00591A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00591A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00591A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00591ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00591AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00591AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00591B10
InternetCloseHandle.WININET(00000000), ref: 00591B57

Part of subcall function 00592483: GetLastError.KERNEL32(?,?,00591817,00000000,00000000,00000001), ref: 00592498
Part of subcall function 00592483: SetEvent.KERNEL32(?,?,00591817,00000000,00000000,00000001), ref: 005924AD

Strings

, xrefs: 00591B01

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 8ccd7cd12e7350d965ffd4180516c3cdce3777bceb810a20ae2a8fc2649a8528
Instruction ID: 062412857df2f382f116ff224df5bcd97d8fb68595795156d84e08d3110181e2
Opcode Fuzzy Hash: 8ccd7cd12e7350d965ffd4180516c3cdce3777bceb810a20ae2a8fc2649a8528
Instruction Fuzzy Hash: E8417FB150162ABFEF118F50CC89FFA7BADFF09354F004126F9059A191E7749E449BA4

Function 00598C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,005AF910), ref: 00598D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,005AF910), ref: 00598D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00598ED6
SysFreeString.OLEAUT32(?), ref: 00598F00

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 23df554d13764ca2ef0aec2dd34bd9a2372499e768e4c07c8cc8014aa6d856f3
Instruction ID: ce02c00d89320ee8489f6e43284d8229299dea20d3e2c985a5def4fd72eebea2
Opcode Fuzzy Hash: 23df554d13764ca2ef0aec2dd34bd9a2372499e768e4c07c8cc8014aa6d856f3
Instruction Fuzzy Hash: 71F11A71A00219EFDF14DF94C888EAEBBB9FF86314F108498F915AB251DB31AE45DB50

Function 0059F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0059F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0059F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0059F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0059F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0059F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0059FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0059FA7C
CloseHandle.KERNEL32(?), ref: 0059FAAB
CloseHandle.KERNEL32(?), ref: 0059FB22

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: cd6dfa26f056193ef38660fd07bca35918d6f86d89b6049a75ce93dd2d2ea528
Instruction ID: 9542e5fbdaf84612e8dcbc1e5688413c9282cd0b276090f5ee5940e27b9abc6f
Opcode Fuzzy Hash: cd6dfa26f056193ef38660fd07bca35918d6f86d89b6049a75ce93dd2d2ea528
Instruction Fuzzy Hash: 44E19E316042129FCB14EF24D885B6ABFE1FF85314F18896DF8999B2A2CB31DC45CB52

Function 00584CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0058466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00583697,?), ref: 0058468B

Part of subcall function 0058466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00583697,?), ref: 005846A4

Part of subcall function 00584A31: GetFileAttributesW.KERNEL32(?,0058370B), ref: 00584A32

lstrcmpiW.KERNEL32(?,?), ref: 00584D40
_wcscmp.LIBCMT ref: 00584D5A
MoveFileW.KERNEL32(?,?), ref: 00584D75

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: e2a8e7aedd45382851455e4de66d3f429ed04e54a5a6378d672756e3404e8a7e
Instruction ID: b97c1fc48d187496671910b72e93e5546cfeee0369282a47dd9782810cecc8c7
Opcode Fuzzy Hash: e2a8e7aedd45382851455e4de66d3f429ed04e54a5a6378d672756e3404e8a7e
Instruction Fuzzy Hash: E65165B24083469BC724EB90D8859DFBBECBFC5310F40092EBA85D3151EF34A588CB56

Function 005A8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 005A86FF

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: a645f9efb3fc72f0e1925447fe430079cd19a1d0f311108e7a7112b54847f877
Instruction ID: 2cc7da64c034cecdc738d3c3069cdf8c0d307ebca21abf5edc61b2a32026c376
Opcode Fuzzy Hash: a645f9efb3fc72f0e1925447fe430079cd19a1d0f311108e7a7112b54847f877
Instruction Fuzzy Hash: 0251AC34600255BEEB249B289C89FBD7FA5FB17320F600521FA51E72A1DF76A980DB50

Function 00522B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0055C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0055C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0055C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0055C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0055C370
DestroyIcon.USER32(00000000), ref: 0055C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0055C39C
DestroyIcon.USER32(?), ref: 0055C3AB

Part of subcall function 005AA4AF: DeleteObject.GDI32(00000000), ref: 005AA4E8

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 1262389cc7165e178037402f8cf435217077961f63ba6494ae81215194c6ec66
Instruction ID: 939d20c117ea4c8cbd6c7c274a19d4384883b5eaa7d8d0726930227b35277f25
Opcode Fuzzy Hash: 1262389cc7165e178037402f8cf435217077961f63ba6494ae81215194c6ec66
Instruction Fuzzy Hash: 43514874600309AFDB24DF64DC45BAA3FA5FF5A311F104929F942A72E0DB70AD54EB50

Function 0057966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0057A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0057A84C
Part of subcall function 0057A82C: GetCurrentThreadId.KERNEL32 ref: 0057A853
Part of subcall function 0057A82C: AttachThreadInput.USER32(00000000,?,00579683,?,00000001), ref: 0057A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0057968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005796AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 005796AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 005796B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 005796D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005796D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 005796E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005796F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005796FB

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: be8b16fd40e441e308bfce826122a5e21752d18c21ddc3f9d94fa2427109d432
Instruction ID: 8b02e64fff0254b80705908c65e5cb190a699c78650cf95e59abd896cabffe61
Opcode Fuzzy Hash: be8b16fd40e441e308bfce826122a5e21752d18c21ddc3f9d94fa2427109d432
Instruction Fuzzy Hash: 2511E1B1910618BFF6106FA0EC89F6A3F2DEB8D750F100425F248AB0E0C9F25C11EBA4

Function 00578921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0057853C,00000B00,?,?), ref: 0057892A
HeapAlloc.KERNEL32(00000000,?,0057853C,00000B00,?,?), ref: 00578931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0057853C,00000B00,?,?), ref: 00578946
GetCurrentProcess.KERNEL32(?,00000000,?,0057853C,00000B00,?,?), ref: 0057894E
DuplicateHandle.KERNEL32(00000000,?,0057853C,00000B00,?,?), ref: 00578951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0057853C,00000B00,?,?), ref: 00578961
GetCurrentProcess.KERNEL32(0057853C,00000000,?,0057853C,00000B00,?,?), ref: 00578969
DuplicateHandle.KERNEL32(00000000,?,0057853C,00000B00,?,?), ref: 0057896C
CreateThread.KERNEL32(00000000,00000000,00578992,00000000,00000000,00000000), ref: 00578986

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 9d437c03dd23d398a80c720d3bdc6ebd3897e3762f6355060fa5fb9a9ea7f330
Instruction ID: 4ba5d475104c3217664638eeef91f38330a15340c2a8a14c8c471226eba8147f
Opcode Fuzzy Hash: 9d437c03dd23d398a80c720d3bdc6ebd3897e3762f6355060fa5fb9a9ea7f330
Instruction Fuzzy Hash: 1101BBB5240308FFE760ABA5DC4DF6B3BACEB99711F418421FA05DB1A1DA709804DB20

Function 00599B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00599B7B
NULL Pointer assignment, xrefs: 00599BA4, 00599EC8

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: e3c8ed71f38322ed7de62001377d995458c4f03774dffc688564725bcef9e889
Instruction ID: 20e120a0169ec122f8a3ad544deb8ffabecc7bf78d8bf9601ad53adf7762939c
Opcode Fuzzy Hash: e3c8ed71f38322ed7de62001377d995458c4f03774dffc688564725bcef9e889
Instruction Fuzzy Hash: E4C18471A0021A9FDF10DF9CD884AAEBBF9FF48314F14846DE905A7281E7709D45CB90

Function 0059975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0057710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00577044,80070057,?,?,?,00577455), ref: 00577127
Part of subcall function 0057710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00577044,80070057,?,?), ref: 00577142
Part of subcall function 0057710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00577044,80070057,?,?), ref: 00577150
Part of subcall function 0057710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00577044,80070057,?), ref: 00577160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00599806
_memset.LIBCMT ref: 00599813
_memset.LIBCMT ref: 00599956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00599982
CoTaskMemFree.OLE32(?), ref: 0059998D

Strings

NULL Pointer assignment, xrefs: 005999DB

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: f9989fc19156e68d7d0ad68b1700d0ddfc945d22d3a0d9ed588693c371751989
Instruction ID: 32e6b94a225e4ba7e6df6b28d6b6b82535685aa1294307cf17133c5f91e6769d
Opcode Fuzzy Hash: f9989fc19156e68d7d0ad68b1700d0ddfc945d22d3a0d9ed588693c371751989
Instruction Fuzzy Hash: 02910771D00229ABDF10DFA5DC45ADEBBB9FF49310F10415AF419A7291EB71AA44CFA0

Function 005A6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 005A6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 005A6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005A6E52
_wcscat.LIBCMT ref: 005A6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 005A6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 005A6EF2

Strings

SysListView32, xrefs: 005A6DF6

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: eba0fc8d864d75ad1416d2a1aa29990b700b72ca4e9e4b9669d6f1956b8ce090
Instruction ID: 281b55ad8e1446f7e08effa93113865dc272fa819878c3d6c42103dbfb059c33
Opcode Fuzzy Hash: eba0fc8d864d75ad1416d2a1aa29990b700b72ca4e9e4b9669d6f1956b8ce090
Instruction Fuzzy Hash: 86419070A00349AFEB219FA4CC89BEE7BE9FF09354F14042AF584E7291D6719D848B60

Function 0059E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00583C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00583C7A
Part of subcall function 00583C55: Process32FirstW.KERNEL32(00000000,?), ref: 00583C88
Part of subcall function 00583C55: CloseHandle.KERNEL32(00000000), ref: 00583D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0059E9A4
GetLastError.KERNEL32 ref: 0059E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0059E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0059EA63
GetLastError.KERNEL32(00000000), ref: 0059EA6E
CloseHandle.KERNEL32(00000000), ref: 0059EAA3

Strings

SeDebugPrivilege, xrefs: 0059E9C2

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 4cb57555c4195c689df281d56eed79914c764efe230443cd9e55db101242f38a
Instruction ID: 9935b64e324d872a5b8ab29c82a6a7a25e761e5bc09c8994362f03b4fbf32059
Opcode Fuzzy Hash: 4cb57555c4195c689df281d56eed79914c764efe230443cd9e55db101242f38a
Instruction Fuzzy Hash: 8441AC712002029FDB14EF54DC9AF6EBFA5BF81314F088859F9469B3D2CB75A808DB91

Function 00582F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00583033

Strings

warning, xrefs: 0058301C
stop, xrefs: 00583004
question, xrefs: 00582FEC
info, xrefs: 00582FD4
blank, xrefs: 00582FB5

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 324dd154ed8862620c00250595a3a52bac8c0b1f810c57ebda0c10079d16f54e
Instruction ID: 4a3faa5b7fa3f00004d7ec8996e3f6d8d672c7e772257078154d75818f308303
Opcode Fuzzy Hash: 324dd154ed8862620c00250595a3a52bac8c0b1f810c57ebda0c10079d16f54e
Instruction Fuzzy Hash: 2411D83124C346FAD724AA58DC4ADBB7F9CBF15764F10006BFD00B6281DA619F4057A5

Function 005842F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00584312
LoadStringW.USER32(00000000), ref: 00584319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0058432F
LoadStringW.USER32(00000000), ref: 00584336
_wprintf.LIBCMT ref: 0058435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0058437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00584357

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 8db2c43362ef6148bb3c9af1013dfc5e5553231167e844e844de316dde983dba
Instruction ID: 44a456f75485c641968ea369123befea376f577c80a2163249b0bb941013f3ba
Opcode Fuzzy Hash: 8db2c43362ef6148bb3c9af1013dfc5e5553231167e844e844de316dde983dba
Instruction Fuzzy Hash: DD0162F6940208BFE761A7E4DD89EFB776CEB09300F0005A2BB45E2051EA745E899B74

Function 005AD43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

GetSystemMetrics.USER32(0000000F), ref: 005AD47C
GetSystemMetrics.USER32(0000000F), ref: 005AD49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 005AD6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 005AD6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 005AD716
ShowWindow.USER32(00000003,00000000), ref: 005AD735
InvalidateRect.USER32(?,00000000,00000001), ref: 005AD75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 005AD77D

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 4a41b6a51939c030ef7d76cecfbcccce3800c72674e5e4a6e2308636e59af3f6
Instruction ID: 3fdb91f006b0d42c6476ba8a4f95513b817d4027c046f7dac3b742affe98901d
Opcode Fuzzy Hash: 4a41b6a51939c030ef7d76cecfbcccce3800c72674e5e4a6e2308636e59af3f6
Instruction Fuzzy Hash: 3EB1AB71600229EBDF18DF68C9C57AD7BB1FF0A701F088069ED4A9F695D734A950CBA0

Function 00522A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0055C1C7,00000004,00000000,00000000,00000000), ref: 00522ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0055C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00522B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0055C1C7,00000004,00000000,00000000,00000000), ref: 0055C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0055C1C7,00000004,00000000,00000000,00000000), ref: 0055C286

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: f458ac593e6c36826423008216c026ee9cd9b5f9c5e14c94ae6f9f3f44710aa8
Instruction ID: dc3b6ef78c0b4a462afb32bd1a166b4c0d0a4a915ce2b8cb3d2f9007843dede1
Opcode Fuzzy Hash: f458ac593e6c36826423008216c026ee9cd9b5f9c5e14c94ae6f9f3f44710aa8
Instruction Fuzzy Hash: CA412C39208790BEC7358B68AC9C76B7FD2BF97300F14882EE487469E0C7B19889D710

Function 005870C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 005870DD

Part of subcall function 00540DB6: std::exception::exception.LIBCMT ref: 00540DEC
Part of subcall function 00540DB6: __CxxThrowException@8.LIBCMT ref: 00540E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00587114
EnterCriticalSection.KERNEL32(?), ref: 00587130
_memmove.LIBCMT ref: 0058717E
_memmove.LIBCMT ref: 0058719B
LeaveCriticalSection.KERNEL32(?), ref: 005871AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 005871BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 005871DE

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 6d6e6bdb5f17a7416c79de58cd7d429e58a9b503c3c3d271fe9b6431c4e32112
Instruction ID: bf282c61e98cc1e3ff9192026561cb6192ef8db39bb77dd42e06995972bb276c
Opcode Fuzzy Hash: 6d6e6bdb5f17a7416c79de58cd7d429e58a9b503c3c3d271fe9b6431c4e32112
Instruction Fuzzy Hash: DC315E75900205EBDB10EFA5DC89AAABB78FF85710F2441A5ED04AB256DB30DA14DB60

Function 005A61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005A61EB
GetDC.USER32(00000000), ref: 005A61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005A61FE
ReleaseDC.USER32(00000000,00000000), ref: 005A620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 005A6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 005A6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,005A902A,?,?,000000FF,00000000,?,000000FF,?), ref: 005A6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005A62B1

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 42f83d97d2ec2940451b3ae391fc0fd5c5d661c434e35313744e92aa9380a59c
Instruction ID: 2844129b324b0a6a8e4a25a21b50ace26249548349df7570d4550855e2ac662f
Opcode Fuzzy Hash: 42f83d97d2ec2940451b3ae391fc0fd5c5d661c434e35313744e92aa9380a59c
Instruction Fuzzy Hash: 1B316D76101210BFEB118F50DC8AFEA3FA9FF5A765F084065FE089A191C6759841DBA4

Function 0057BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0057BBC4
_memcmp.LIBCMT ref: 0057BBE6
_memcmp.LIBCMT ref: 0057BBFE
_memcmp.LIBCMT ref: 0057BC11
_memcmp.LIBCMT ref: 0057BC2B
_memcmp.LIBCMT ref: 0057BC3E
_memcmp.LIBCMT ref: 0057BC56
_memcmp.LIBCMT ref: 0057BC71

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 23cb8fe2631c58b7125c991c416fbe325054998f5cc093c911c252ee3c9dea0d
Instruction ID: 00e6421f352a4aae6584b521fd943924d6ab8c45a7bdedb855e238b422ad0495
Opcode Fuzzy Hash: 23cb8fe2631c58b7125c991c416fbe325054998f5cc093c911c252ee3c9dea0d
Instruction Fuzzy Hash: 1021BEB16016177BBA056611ED46FFB7F5CBE50348F08C420FD0C96647EF28EE11A2A5

Function 0058EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

Part of subcall function 0053FC86: _wcscpy.LIBCMT ref: 0053FCA9

_wcstok.LIBCMT ref: 0058EC94
_wcscpy.LIBCMT ref: 0058ED23
_memset.LIBCMT ref: 0058ED56

Strings

X, xrefs: 0058ED93

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 9f675397b6801adce45b6fe1eed47a44bdc5e051838fadf29b89eb8ccdf76ea3
Instruction ID: 4d30f63b9fff0945597522d68fb454fe37d5b8622059d6e2d6809f8586eb331c
Opcode Fuzzy Hash: 9f675397b6801adce45b6fe1eed47a44bdc5e051838fadf29b89eb8ccdf76ea3
Instruction Fuzzy Hash: 39C170315087129FC714EF24D88AA5ABBF4FF86314F00492DF9999B2A2DB30EC45CB42

Function 00521424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6c9d625b563790ecfc81ab30f2cec3c6d08959c8ee5f94542ab13b1caef81c
Instruction ID: a45ae0961e668249b8231d3aa83580b20664990e2db55d5ae5f5980ee9c369ae
Opcode Fuzzy Hash: ca6c9d625b563790ecfc81ab30f2cec3c6d08959c8ee5f94542ab13b1caef81c
Instruction Fuzzy Hash: F8716830900519EFDB04DF98DC48ABFBF79FF9A310F108159F915AA291C734AA51CBA4

Function 00596B76 Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1e810af4cf10fb0d3eb522dee94988dc3d7ae32fedbf7a5579fd17eb6d7f14
Instruction ID: 8b15a171944f9a1af07d2c9b2f44cdc01f7143993fde0862da7914d4a981674a
Opcode Fuzzy Hash: 8f1e810af4cf10fb0d3eb522dee94988dc3d7ae32fedbf7a5579fd17eb6d7f14
Instruction Fuzzy Hash: 7961DE72208312ABCB14EB24DC89E6FBBA8FFD5714F504919F5559B2D2DB309D08CB92

Function 005AB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(012C4870), ref: 005AB3EB
IsWindowEnabled.USER32(012C4870), ref: 005AB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 005AB4DB
SendMessageW.USER32(012C4870,000000B0,?,?), ref: 005AB512
IsDlgButtonChecked.USER32(?,?), ref: 005AB54F
GetWindowLongW.USER32(012C4870,000000EC), ref: 005AB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 005AB589

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 98c31b5b8ddc902746959dd0cd2a40e60bb6c3868b781cc50b332fffe1f36ee3
Instruction ID: d9763e0640efec28b1c537b68ff870e37b118862df5b4ce8fd80d19d9db20439
Opcode Fuzzy Hash: 98c31b5b8ddc902746959dd0cd2a40e60bb6c3868b781cc50b332fffe1f36ee3
Instruction Fuzzy Hash: A0717934604204AFEF249F65C894FAE7FBAFF4B300F144459E986972A3D732A954DB90

Function 0059F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0059F448
_memset.LIBCMT ref: 0059F511
ShellExecuteExW.SHELL32(?), ref: 0059F556

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

Part of subcall function 0053FC86: _wcscpy.LIBCMT ref: 0053FCA9

GetProcessId.KERNEL32(00000000), ref: 0059F5CD
CloseHandle.KERNEL32(00000000), ref: 0059F5FC

Strings

@, xrefs: 0059F525

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 51e0d4fa8c16895e4ad5cd3129b0a1937d865a425de46411604edb0373f3b4a1
Instruction ID: ad1608d2cfaa30416c5f6758efd8fbe878a6ec5ab80d758fc9e6d4a1c9d0a99e
Opcode Fuzzy Hash: 51e0d4fa8c16895e4ad5cd3129b0a1937d865a425de46411604edb0373f3b4a1
Instruction Fuzzy Hash: D261BF75A0062A9FCF14DFA4D4859AEBFF5FF89310F148069E859AB391CB30AD41CB94

Function 00580F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00580F8C
GetKeyboardState.USER32(?), ref: 00580FA1
SetKeyboardState.USER32(?), ref: 00581002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00581030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0058104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00581095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 005810B8

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ffd6f4ae69eb0cae7df2fbaf05b7be86345b983e1887ba2c944ef21551da67f0
Instruction ID: 891ca136ef6e55824c18c64cd36200511801ef775047e885dc1bb7bbe00ecd06
Opcode Fuzzy Hash: ffd6f4ae69eb0cae7df2fbaf05b7be86345b983e1887ba2c944ef21551da67f0
Instruction Fuzzy Hash: A8510660504BD57EFB3663348C09BB6BEAD7B06300F088589EAD5A58C3C2D9DCCAD755

Function 00580D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00580DA5
GetKeyboardState.USER32(?), ref: 00580DBA
SetKeyboardState.USER32(?), ref: 00580E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00580E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00580E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00580EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00580EC9

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d6601ebde74a5d15c8516d841fda87264ea47d10738967bfe1fd701135da7f55
Instruction ID: 191116b2a4ea1b017598fc3d8195e5c90d110b7cd57d4cc1358c6b4fa849c42c
Opcode Fuzzy Hash: d6601ebde74a5d15c8516d841fda87264ea47d10738967bfe1fd701135da7f55
Instruction Fuzzy Hash: 255106A06047D53DFB72A3748C45B7B7FAD7B06300F089889E9D5AA4C2C395AC8DE750

Function 005855FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0058560A
_wcsncpy.LIBCMT ref: 0058563F
_wcsncpy.LIBCMT ref: 00585671
_wcsncpy.LIBCMT ref: 005856A4
_wcsncpy.LIBCMT ref: 005856E6
_wcsncpy.LIBCMT ref: 00585720
_wcsncpy.LIBCMT ref: 0058574F

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 7c61ea511a2d09377ca4b4fd321db68e77b9410710b83316b7c3181223dadd05
Instruction ID: 811933c126029b82a8c8462174ee44bc11ce9f90bf0763daa77cd043d47cc48c
Opcode Fuzzy Hash: 7c61ea511a2d09377ca4b4fd321db68e77b9410710b83316b7c3181223dadd05
Instruction Fuzzy Hash: B8418075C1061576CB11EBB4884EACFBBA8FF44310F508956F908E3221FA34A755C7A6

Function 0057D56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0057D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0057D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0057D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0057D69D

Strings

,,[, xrefs: 0057D578
DllGetClassObject, xrefs: 0057D610

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,[$DllGetClassObject
API String ID: 753597075-61440137
Opcode ID: 87ecad87f3292ff766b2db1ee6a39e41ba8d639682e4b6a5470260aac1a58248
Instruction ID: b6ca10c4e53d63dc23d24813f71cb6ed7d7170326a4b4552c5e7b750aa6deea7
Opcode Fuzzy Hash: 87ecad87f3292ff766b2db1ee6a39e41ba8d639682e4b6a5470260aac1a58248
Instruction Fuzzy Hash: B1417CB1600205EFDB15DF64E888A9ABFB9FF84310F1581A9AD0D9F205D7B1D944EBB0

Function 00583671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0058466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00583697,?), ref: 0058468B

Part of subcall function 0058466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00583697,?), ref: 005846A4

lstrcmpiW.KERNEL32(?,?), ref: 005836B7
_wcscmp.LIBCMT ref: 005836D3
MoveFileW.KERNEL32(?,?), ref: 005836EB
_wcscat.LIBCMT ref: 00583733
SHFileOperationW.SHELL32(?), ref: 0058379F

Strings

\*.*, xrefs: 0058372D

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 48b987486edce47ab819ee34337f89c637e924486840ebaf045de4be9ae53f23
Instruction ID: e679540389009f1af35b44342729b81768f6601386b441638be14a95ea7fd3ad
Opcode Fuzzy Hash: 48b987486edce47ab819ee34337f89c637e924486840ebaf045de4be9ae53f23
Instruction Fuzzy Hash: FF41AF71508345AAC751EF64C4459DF7BE8FF89780F00082EB88AD3251EA34D689CB52

Function 005A7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005A72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005A7351
IsMenu.USER32(?), ref: 005A7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005A73B1
DrawMenuBar.USER32 ref: 005A73C4

Strings

0, xrefs: 005A729E

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 6fc47f53c724cfea69d00c2d85dc3c06d7b4cfc7be1ee0bbe858a4a5dc856ab7
Instruction ID: 5f9a886df0b741fd1728236269af258ea5c45d98fa18760271332a3e2c18f29e
Opcode Fuzzy Hash: 6fc47f53c724cfea69d00c2d85dc3c06d7b4cfc7be1ee0bbe858a4a5dc856ab7
Instruction Fuzzy Hash: C4411675A04209AFDF20DF50D884A9EBBB9FF0A314F25982AFD459B250D730AD54EB60

Function 005A0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 005A0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005A0FFE
FreeLibrary.KERNEL32(00000000), ref: 005A10B5

Part of subcall function 005A0FA5: RegCloseKey.ADVAPI32(?), ref: 005A101B
Part of subcall function 005A0FA5: FreeLibrary.KERNEL32(?), ref: 005A106D
Part of subcall function 005A0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 005A1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 005A1058

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 6cea04f0399247806578258078bbc53f913f854be817e4509a7fac9ad02894d5
Instruction ID: d78140b6682e1f1e5d95c36c189101884752e652ad2477928a02604c46a4a726
Opcode Fuzzy Hash: 6cea04f0399247806578258078bbc53f913f854be817e4509a7fac9ad02894d5
Instruction Fuzzy Hash: DA310D71901109BFDB159F90DC89EFFBBBCFF19310F000169E512E2151EA749E899BA4

Function 005A62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005A62EC
GetWindowLongW.USER32(012C4870,000000F0), ref: 005A631F
GetWindowLongW.USER32(012C4870,000000F0), ref: 005A6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 005A6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 005A63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 005A63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 005A63DB

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 34cf7d0315cbe63b16e906b9b1208dc2bb529920309fe6334f82ecb7c615495c
Instruction ID: 7d40b703c191fb462067d9db6e963e231efaa2b24e8abcbd937a5c6adddb13b9
Opcode Fuzzy Hash: 34cf7d0315cbe63b16e906b9b1208dc2bb529920309fe6334f82ecb7c615495c
Instruction Fuzzy Hash: 34313134644280EFDF20CF58DC84F593BE1FB5A714F2915A9F6518F2B2CB71A845AB50

Function 0057DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0057DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0057DB54
SysAllocString.OLEAUT32(00000000), ref: 0057DB57
SysAllocString.OLEAUT32(?), ref: 0057DB75
SysFreeString.OLEAUT32(?), ref: 0057DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 0057DBA3
SysAllocString.OLEAUT32(?), ref: 0057DBB1

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: da2c121a9336d89dd351a383147f2072afcb82dc8e1c031c572e2bb4b2acc7ac
Instruction ID: 08f411ffe0774cee857767959d1c7ed0fac18e8e3bbc9702e624f92048c6de67
Opcode Fuzzy Hash: da2c121a9336d89dd351a383147f2072afcb82dc8e1c031c572e2bb4b2acc7ac
Instruction Fuzzy Hash: 17216036600219AFDF109FB8EC88CAB7BBCFF09360B11C525F918DB250D6709C459B64

Function 00596173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00597D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00597DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 005961C6
WSAGetLastError.WSOCK32(00000000), ref: 005961D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0059620E
connect.WSOCK32(00000000,?,00000010), ref: 00596217
WSAGetLastError.WSOCK32 ref: 00596221
closesocket.WSOCK32(00000000), ref: 0059624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00596263

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 61a8c7853e56d01fead0f0ded5d498a3843c424ab8cb890e43b5b28b744a31e7
Instruction ID: 752db698560d5f1b5fa8eebca097526003167b13bd23ebfbf03619554aa1d356
Opcode Fuzzy Hash: 61a8c7853e56d01fead0f0ded5d498a3843c424ab8cb890e43b5b28b744a31e7
Instruction Fuzzy Hash: CC31A135600219AFDF10AF64DC89BBE7BADFF45750F044029F905A7291DB74AC08DBA1

Function 0057F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0057F671
__wcsnicmp.LIBCMT ref: 0057F692
__wcsnicmp.LIBCMT ref: 0057F6AC

Strings

#OnAutoItStartRegister, xrefs: 0057F6A6
#notrayicon, xrefs: 0057F669
#requireadmin, xrefs: 0057F68C

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 72d93e92dc5bb017e750b5202cd225cab6dca82289b8ad00ed45e9fc2382a237
Instruction ID: e7b94e9a097245b55c2f0e1ad9105551f688b029cc8bba26ccb446273946afc9
Opcode Fuzzy Hash: 72d93e92dc5bb017e750b5202cd225cab6dca82289b8ad00ed45e9fc2382a237
Instruction Fuzzy Hash: 2321497220451266D324EA34BC06EEB7FE8FF95344F10C439F98A870A1EB50AD41E3A5

Function 0057DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0057DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0057DC2F
SysAllocString.OLEAUT32(00000000), ref: 0057DC32
SysAllocString.OLEAUT32 ref: 0057DC53
SysFreeString.OLEAUT32 ref: 0057DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 0057DC76
SysAllocString.OLEAUT32(?), ref: 0057DC84

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1744136fe73fdb0a60c5f4a2059d600c8fd4ed9dcbf6c09627bebed76f7e2a5f
Instruction ID: a816ebfc4e5e2dd6ebd086ee565c1482707e033ba5c18675b04a16dbfa4fcd29
Opcode Fuzzy Hash: 1744136fe73fdb0a60c5f4a2059d600c8fd4ed9dcbf6c09627bebed76f7e2a5f
Instruction Fuzzy Hash: 33213135604205AF9B109BE8EC88DAA7BBCFF19360B10C125F918CB2A1D6749C45DB64

Function 005A75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00521D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00521D73
Part of subcall function 00521D35: GetStockObject.GDI32(00000011), ref: 00521D87
Part of subcall function 00521D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00521D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 005A7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 005A763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 005A764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 005A7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 005A7665

Strings

Msctls_Progress32, xrefs: 005A7603

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: af91dbbd709ebb0abeedb03967637451b336b68557a32a152b40c43fe00a9b3d
Instruction ID: db57e28a0765a289a5f84f99f7e2d339c55748385e9cbb36a4c5e8879db74405
Opcode Fuzzy Hash: af91dbbd709ebb0abeedb03967637451b336b68557a32a152b40c43fe00a9b3d
Instruction Fuzzy Hash: C2118EB2110219BFEF158F64CC85EEB7F6DFF09798F014115BA04A60A0CA729C21DBA4

Function 00549AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00549AE6

Part of subcall function 00543187: EncodePointer.KERNEL32(00000000), ref: 0054318A
Part of subcall function 00543187: __initp_misc_winsig.LIBCMT ref: 005431A5
Part of subcall function 00543187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00549EA0
Part of subcall function 00543187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00549EB4
Part of subcall function 00543187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00549EC7
Part of subcall function 00543187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00549EDA
Part of subcall function 00543187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00549EED
Part of subcall function 00543187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00549F00
Part of subcall function 00543187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00549F13
Part of subcall function 00543187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00549F26
Part of subcall function 00543187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00549F39
Part of subcall function 00543187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00549F4C
Part of subcall function 00543187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00549F5F
Part of subcall function 00543187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00549F72
Part of subcall function 00543187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00549F85
Part of subcall function 00543187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00549F98
Part of subcall function 00543187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00549FAB
Part of subcall function 00543187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00549FBE

__mtinitlocks.LIBCMT ref: 00549AEB
__mtterm.LIBCMT ref: 00549AF4

Part of subcall function 00549B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00549AF9,00547CD0,005DA0B8,00000014), ref: 00549C56
Part of subcall function 00549B5C: _free.LIBCMT ref: 00549C5D
Part of subcall function 00549B5C: DeleteCriticalSection.KERNEL32(02^,?,?,00549AF9,00547CD0,005DA0B8,00000014), ref: 00549C7F

__calloc_crt.LIBCMT ref: 00549B19
__initptd.LIBCMT ref: 00549B3B
GetCurrentThreadId.KERNEL32 ref: 00549B42

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 45a23e5e53d6af4e71caf55fab9ba7429d3084c631cacb9bf066ffd6140da15d
Instruction ID: 90b989697f4e10e05fae9ab006eb86d9c09bcb38c17d8dd651a9a5dabd44b1b7
Opcode Fuzzy Hash: 45a23e5e53d6af4e71caf55fab9ba7429d3084c631cacb9bf066ffd6140da15d
Instruction Fuzzy Hash: 85F06D3250A7125AE734B775BC0BACB3E90FF8273CB200A1AF460D60D6EE20844142A0

Function 005AB635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005AB644
_memset.LIBCMT ref: 005AB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005E6F20,005E6F64), ref: 005AB682
CloseHandle.KERNEL32 ref: 005AB694

Strings

o^, xrefs: 005AB63E
do^, xrefs: 005AB64D

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: o^$do^
API String ID: 3277943733-577272521
Opcode ID: 2017ca09c5beadde507651b1c41c226c28876a41c4d8fe17d6e1e2d06cfe72e7
Instruction ID: 116c0d75b0123e7a26604206865d4c3dfebb436552ee0dc45676790aa0dd1788
Opcode Fuzzy Hash: 2017ca09c5beadde507651b1c41c226c28876a41c4d8fe17d6e1e2d06cfe72e7
Instruction Fuzzy Hash: 35F05EB25403507AE7102761BC4AFBB3E9CFB293D5F004421FA98EA196D7714C04D7A8

Function 0054406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00543F85), ref: 00544085
GetProcAddress.KERNEL32(00000000), ref: 0054408C
EncodePointer.KERNEL32(00000000), ref: 00544097
DecodePointer.KERNEL32(00543F85), ref: 005440B2

Strings

combase.dll, xrefs: 00544080
RoUninitialize, xrefs: 00544074

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 406e3777f933dcca45a96899b0fee436ea34f8260dc72ef075d4a0325e3f338a
Instruction ID: 0882b12b6986f2eae08d32f77ad7cd02368d24a691c0bc94e2af6edf3c508d83
Opcode Fuzzy Hash: 406e3777f933dcca45a96899b0fee436ea34f8260dc72ef075d4a0325e3f338a
Instruction Fuzzy Hash: 23E09A70585340AFDB18AFA2EC4DB453AA4B725746F104429F141EA0A0CB76560CEB14

Function 005864B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0058660B
_memmove.LIBCMT ref: 00586546

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

_memmove.LIBCMT ref: 005865B9
_memmove.LIBCMT ref: 005866A0
_memmove.LIBCMT ref: 005866B9
_memmove.LIBCMT ref: 005866D5

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 3f03857a6e89d49d2b23adb80710b0c1c05ec5fd0e72f6afcc0fdb021d4ac1ae
Instruction ID: 1871ae485d99d8fde7c55d291be1f47c482088b7955ca80e8ce5e6422f5da36a
Opcode Fuzzy Hash: 3f03857a6e89d49d2b23adb80710b0c1c05ec5fd0e72f6afcc0fdb021d4ac1ae
Instruction Fuzzy Hash: 6B616A3090025B9BCB05FF60D889AFE3FA9BF85308F444919FD556A2D2EB34A915DB50

Function 005A01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Part of subcall function 005A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059FDAD,?,?), ref: 005A0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005A02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005A02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 005A0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 005A0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 005A038C
RegCloseKey.ADVAPI32(00000000), ref: 005A0399

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: ea1e904f84c17a4a00d2c9ada54506e94687e1718cfd27597086d64703a19417
Instruction ID: 8ea832d1df7d8ac83efe905eaaaafd441feb57a4e888609824af87c0be01afa9
Opcode Fuzzy Hash: ea1e904f84c17a4a00d2c9ada54506e94687e1718cfd27597086d64703a19417
Instruction Fuzzy Hash: CE514831118205AFCB14EF64D889E6EBFE8FF8A314F04491DF585872A2DB31E905DB52

Function 005A5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 005A57FB
GetMenuItemCount.USER32(00000000), ref: 005A5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005A585A
GetMenuItemID.USER32(?,?), ref: 005A58C9
GetSubMenu.USER32(?,?), ref: 005A58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 005A5928

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: c80c49581c43a2243878e4eb7e3d97ed6154bc690efc544cb17730d3638e39a4
Instruction ID: e5aff522789921c683ce6901212513d884b3449501be831d9eb67b18b2b6b521
Opcode Fuzzy Hash: c80c49581c43a2243878e4eb7e3d97ed6154bc690efc544cb17730d3638e39a4
Instruction Fuzzy Hash: BA516D35E00616AFCF05EFA4C8459AEBBB4FF4A310F144469E901BB351DB34AE41DB90

Function 0057EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0057EF06
VariantClear.OLEAUT32(00000013), ref: 0057EF78
VariantClear.OLEAUT32(00000000), ref: 0057EFD3
_memmove.LIBCMT ref: 0057EFFD
VariantClear.OLEAUT32(?), ref: 0057F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0057F078

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 316fccc70e72e85210a8f400bc6f92f7e42a8d4455091391f50480266ffb4823
Instruction ID: d616a97b79908e61d10ecfbc5675feae52a2a075f51b652923e63c641a1c41e9
Opcode Fuzzy Hash: 316fccc70e72e85210a8f400bc6f92f7e42a8d4455091391f50480266ffb4823
Instruction Fuzzy Hash: 1F515AB5A00209EFDB14CF58D884AAABBB8FF4D314B158569ED59DB301E335E911CFA0

Function 0058220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00582258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005822A3
IsMenu.USER32(00000000), ref: 005822C3
CreatePopupMenu.USER32 ref: 005822F7
GetMenuItemCount.USER32(000000FF), ref: 00582355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00582386

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 7e6230005208fe40a4a911e2c159477604c83be20a5a5d27dafefd0f8d8ab94c
Instruction ID: b4143b24bb80387bfeb8ab5afae1788f3c6bfca9738c9a1aa5a0714ea4483740
Opcode Fuzzy Hash: 7e6230005208fe40a4a911e2c159477604c83be20a5a5d27dafefd0f8d8ab94c
Instruction Fuzzy Hash: BF519C70A0020AEFDF21EF68D898BADBFF5BF56314F104929EC51A7290DB749A44CB51

Function 00521765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0052179A
GetWindowRect.USER32(?,?), ref: 005217FE
ScreenToClient.USER32(?,?), ref: 0052181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0052182C
EndPaint.USER32(?,?), ref: 00521876

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 073b4af69b0a2b7f00ed816267c12e119d49027b583bfd5bb7b1c081fbf5985b
Instruction ID: 3d9c9ef4f0ae5729d51abf8c69127a0460ef7f6ab09d5b41cdb83653d983f253
Opcode Fuzzy Hash: 073b4af69b0a2b7f00ed816267c12e119d49027b583bfd5bb7b1c081fbf5985b
Instruction Fuzzy Hash: 53419B31504A51AFD710DF24D8C8BAB7FE8FF66324F140629F9A48B2E1D7309849EB61

Function 005AB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(005E57B0,00000000,012C4870,?,?,005E57B0,?,005AB5A8,?,?), ref: 005AB712
EnableWindow.USER32(00000000,00000000), ref: 005AB736
ShowWindow.USER32(005E57B0,00000000,012C4870,?,?,005E57B0,?,005AB5A8,?,?), ref: 005AB796
ShowWindow.USER32(00000000,00000004,?,005AB5A8,?,?), ref: 005AB7A8
EnableWindow.USER32(00000000,00000001), ref: 005AB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 005AB7EF

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: cacbbcd00456e994b67f99526c8a1bd6c63b5de069f89f00c9e5f2fc941c3680
Instruction ID: 83588cd6a742e04de7839d9806acfd0b94a6e5e4e2e377e93b652dc29dec3457
Opcode Fuzzy Hash: cacbbcd00456e994b67f99526c8a1bd6c63b5de069f89f00c9e5f2fc941c3680
Instruction Fuzzy Hash: B9416134600240AFEB26CF24C499B987FE1FF46310F1841B9E9498F6A3C771AC56DBA1

Function 0059709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00594E41,?,?,00000000,00000001), ref: 005970AC

Part of subcall function 005939A0: GetWindowRect.USER32(?,?), ref: 005939B3

GetDesktopWindow.USER32 ref: 005970D6
GetWindowRect.USER32(00000000), ref: 005970DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0059710F

Part of subcall function 00585244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005852BC

GetCursorPos.USER32(?), ref: 0059713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00597199

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 13bf41c2ec2e04cc7f05db581e098cabf8b001708e16d0641b0701eb112829cf
Instruction ID: 0a094bc3f5ca6efc8499bc1a837760346ea5350d3e974485f56f91a2e2dd9f63
Opcode Fuzzy Hash: 13bf41c2ec2e04cc7f05db581e098cabf8b001708e16d0641b0701eb112829cf
Instruction Fuzzy Hash: 7831C67250530AABD724DF54C849F5BBBE9FFC9314F00091AF58597191DB70EA09CB92

Function 00578879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005780A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005780C0
Part of subcall function 005780A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005780CA
Part of subcall function 005780A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005780D9
Part of subcall function 005780A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005780E0
Part of subcall function 005780A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005780F6

GetLengthSid.ADVAPI32(?,00000000,0057842F), ref: 005788CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005788D6
HeapAlloc.KERNEL32(00000000), ref: 005788DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 005788F6
GetProcessHeap.KERNEL32(00000000,00000000,0057842F), ref: 0057890A
HeapFree.KERNEL32(00000000), ref: 00578911

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 3b963c09b80456a1a8a5121cc5d1713ab1f0414545e86a47e5211ae92ff19f6e
Instruction ID: ae486315d66dae37bc031e448227e534e58340676e7f0226ed292731a58b1385
Opcode Fuzzy Hash: 3b963c09b80456a1a8a5121cc5d1713ab1f0414545e86a47e5211ae92ff19f6e
Instruction Fuzzy Hash: 6D11B131641209FFDB109FA4EC0DBBE7B68FB45311F148468F98997110CB329D04EB61

Function 005785B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005785E2
OpenProcessToken.ADVAPI32(00000000), ref: 005785E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 005785F8
CloseHandle.KERNEL32(00000004), ref: 00578603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00578632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00578646

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: a7955a653f35d9f82bb147bfebe0c5753922ae96cbc723c7cdc85cd15e04dffd
Instruction ID: a0271f0dfebba61fb689677d942fa23ccac059e69cab0e56b3a6c6d64083804e
Opcode Fuzzy Hash: a7955a653f35d9f82bb147bfebe0c5753922ae96cbc723c7cdc85cd15e04dffd
Instruction Fuzzy Hash: 07115C72541209BBDF018FA4ED49BEE7BA9FF09304F048065FE05A2160C7719D64EB60

Function 0057B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0057B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0057B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0057B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0057B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0057B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0057B7FE

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 108049dba70925fb46a39002e447e2f39f1008a2b8e1153f89446081daefff9a
Instruction ID: f758b8ba659ca94c460becb7554027bc5f14f84531ced7d5ff586d7e15d127a0
Opcode Fuzzy Hash: 108049dba70925fb46a39002e447e2f39f1008a2b8e1153f89446081daefff9a
Instruction Fuzzy Hash: E4018875E00209BBEB105BE69C49B5EBFB8EB59311F004075FA08A7291D6709C00DF90

Function 00540162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00540193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0054019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 005401A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 005401B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 005401B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 005401C1

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 7158b081ab0677ab9cf60ba5b47d9abad0de71798899242d561a586914cb12de
Instruction ID: b730a25c0715643f9812a23932818ffa81e5bd1225f41c00f818249340e8b913
Opcode Fuzzy Hash: 7158b081ab0677ab9cf60ba5b47d9abad0de71798899242d561a586914cb12de
Instruction Fuzzy Hash: A3016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5

Function 005853E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005853F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0058540F
GetWindowThreadProcessId.USER32(?,?), ref: 0058541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0058542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00585437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0058543E

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 3bf68feaacbb7fb7723772c79492046fd3fc04f46a39d4396267a673ef1a4f9d
Instruction ID: 3f218cda61229ca966428bc3464e41d4b2074deaf056937720d251b592acaed8
Opcode Fuzzy Hash: 3bf68feaacbb7fb7723772c79492046fd3fc04f46a39d4396267a673ef1a4f9d
Instruction Fuzzy Hash: 54F01D32241558BBE7215BE2DC0DEAB7A7CEBD7B11F000169FA04D2061A7A11A05D7B5

Function 00587230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00587243
EnterCriticalSection.KERNEL32(?,?,00530EE4,?,?), ref: 00587254
TerminateThread.KERNEL32(00000000,000001F6,?,00530EE4,?,?), ref: 00587261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00530EE4,?,?), ref: 0058726E

Part of subcall function 00586C35: CloseHandle.KERNEL32(00000000,?,0058727B,?,00530EE4,?,?), ref: 00586C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00587281
LeaveCriticalSection.KERNEL32(?,?,00530EE4,?,?), ref: 00587288

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 62b27501026a1c725da2588411c920450be6efc4881691075292130504e7d1d0
Instruction ID: b9759b8cf95a12722781d66e73ea5b0c128f1e295e6c8850ac6fca9d76730547
Opcode Fuzzy Hash: 62b27501026a1c725da2588411c920450be6efc4881691075292130504e7d1d0
Instruction Fuzzy Hash: 74F0823E540612EBD7622BA4ED4DAEB7B39FF5A702B100531F503A10B0DB765805DB50

Function 00578992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0057899D
UnloadUserProfile.USERENV(?,?), ref: 005789A9
CloseHandle.KERNEL32(?), ref: 005789B2
CloseHandle.KERNEL32(?), ref: 005789BA
GetProcessHeap.KERNEL32(00000000,?), ref: 005789C3
HeapFree.KERNEL32(00000000), ref: 005789CA

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 40fa2ed2e96c30830c0c3096a780a0dc95788ccd3ba01a0079ea3fb199ca1abe
Instruction ID: f259290f2e9e2bcbee263662e06a61722d1bf11502bd9a5a607436ad774fbef2
Opcode Fuzzy Hash: 40fa2ed2e96c30830c0c3096a780a0dc95788ccd3ba01a0079ea3fb199ca1abe
Instruction Fuzzy Hash: 13E05276104505FFDB011FE5EC0C95ABB69FBAA762B508631F21981470CB329469EB90

Function 00577530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,005B2C7C,?), ref: 005776EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,005B2C7C,?), ref: 00577702
CLSIDFromProgID.OLE32(?,?,00000000,005AFB80,000000FF,?,00000000,00000800,00000000,?,005B2C7C,?), ref: 00577727
_memcmp.LIBCMT ref: 00577748

Strings

,,[, xrefs: 0057753D

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,[
API String ID: 314563124-194938180
Opcode ID: 83a496efa3146cf31c4331536512005951d62bd395f58e718259cb9bd0a80e76
Instruction ID: b64ee4345f1a45927da7bc90a20ce5ef8261bc7424d16410ebfa98f67876b38f
Opcode Fuzzy Hash: 83a496efa3146cf31c4331536512005951d62bd395f58e718259cb9bd0a80e76
Instruction Fuzzy Hash: 3B81FD75A00109EFCB04DFA4D988DEEBBB9FF89315F208558E505AB250DB71AE06DB60

Function 005985ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00598613
CharUpperBuffW.USER32(?,?), ref: 00598722
VariantClear.OLEAUT32(?), ref: 0059889A

Part of subcall function 00587562: VariantInit.OLEAUT32(00000000), ref: 005875A2
Part of subcall function 00587562: VariantCopy.OLEAUT32(00000000,?), ref: 005875AB
Part of subcall function 00587562: VariantClear.OLEAUT32(00000000), ref: 005875B7

Strings

Incorrect Parameter format, xrefs: 0059864B, 0059880D
AUTOIT.ERROR, xrefs: 00598728

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 4e4b9652f040419841e335768f9aac785b789c5a6d2482d1aa40a8cef531de0c
Instruction ID: a150628557f7c8ddb2896687eec7b22755f0f38aa174b82c302c1efebfa9d43c
Opcode Fuzzy Hash: 4e4b9652f040419841e335768f9aac785b789c5a6d2482d1aa40a8cef531de0c
Instruction Fuzzy Hash: 6F914C716043029FCB10DF64C48496ABBE4FFDA714F14896EF89A8B3A1DB31E945CB51

Function 00582A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0053FC86: _wcscpy.LIBCMT ref: 0053FCA9

_memset.LIBCMT ref: 00582B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00582BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00582C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00582C97

Strings

0, xrefs: 00582B73

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 39baea228de326fd9ea718bc833aec7fcc4f231d45418f04f7a961f33b53d2cd
Instruction ID: 3f71497e908773df9da97b3ca01440208be59c08fe3efcd7aa51deac7090d51e
Opcode Fuzzy Hash: 39baea228de326fd9ea718bc833aec7fcc4f231d45418f04f7a961f33b53d2cd
Instruction Fuzzy Hash: B551CD71619301AAD729AE28D849A7FBFE8FF99314F140A2DFC95E61D0DB70CC049B52

Function 00533137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00533277
_memmove.LIBCMT ref: 00533310
_free.LIBCMT ref: 00533336
_memmove.LIBCMT ref: 005333E9

Strings

3cS, xrefs: 00533225
_S, xrefs: 00533322

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _memmove$_free
String ID: 3cS$_S
API String ID: 2620147621-3431193023
Opcode ID: a0d175fe039ef803e7626d1bc3dae481e0d4b8e90cdfabbb5d2c99e8a076c673
Instruction ID: 19ca25e07225573d479a8642d853883dbc22961bef0310e1b8333cc2f69f3896
Opcode Fuzzy Hash: a0d175fe039ef803e7626d1bc3dae481e0d4b8e90cdfabbb5d2c99e8a076c673
Instruction Fuzzy Hash: E2513971A043418FDB25CF28C885B6BBBE5BFC5314F44492DE98987351EB35E945CB42

Function 00536192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00536248
_memmove.LIBCMT ref: 005362E4
_memset.LIBCMT ref: 00536308

Strings

3cS, xrefs: 005362AF
ERCP, xrefs: 005361B3

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3cS$ERCP
API String ID: 2532777613-430453233
Opcode ID: 7a3b65a624f393bb0e45cf95b8c09db5964d14baf0f79b9cbb6bb5b392b8ce85
Instruction ID: 7232f70c6e483a2ae9cd152235d581105e47d3d25ae3d90872f2652a5b22b460
Opcode Fuzzy Hash: 7a3b65a624f393bb0e45cf95b8c09db5964d14baf0f79b9cbb6bb5b392b8ce85
Instruction Fuzzy Hash: 6F517F71900706EBDB24DF55C9457ABBFE4BF44314F20896EE54ACB291E770AA44CB50

Function 00582753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005827C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 005827DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00582822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005E5890,00000000), ref: 0058286B

Strings

0, xrefs: 005827B5

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 93346bf4ad8f82c2e43dc1394674d7088aa30513d11f7187dd1d51d2c0afeb1f
Instruction ID: 0c3819e91ba7e4e7fada3bac03b5b044a1b8525ded5a63348f929590c402183b
Opcode Fuzzy Hash: 93346bf4ad8f82c2e43dc1394674d7088aa30513d11f7187dd1d51d2c0afeb1f
Instruction Fuzzy Hash: 61418070604342AFDB24EF24C848B5ABFE4FF85314F14492EF965A7291D730A905CB52

Function 0059D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0059D7C5

Part of subcall function 0052784B: _memmove.LIBCMT ref: 00527899

Strings

none, xrefs: 0059D8A0
cdecl, xrefs: 0059D81C
winapi, xrefs: 0059D836
stdcall, xrefs: 0059D847

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: fa469e7b9dfbecccf500d1f2e4ff837ce42bd8ed9acd62588dd57b21c914fb50
Instruction ID: 82659a62d7fa80dd25c924582142cdc550e8e5d005a9476cde8981232fd66e31
Opcode Fuzzy Hash: fa469e7b9dfbecccf500d1f2e4ff837ce42bd8ed9acd62588dd57b21c914fb50
Instruction Fuzzy Hash: 9131C47190421AABCF10EF58CC559FEBBB4FF45320B108A2AE825977D2DB31AD05CB90

Function 00578E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Part of subcall function 0057AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0057AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00578F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00578F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00578F57

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

Strings

ListBox, xrefs: 00578ED3
ComboBox, xrefs: 00578E9E

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 162877899c474c333a1658552d12a21d4a3e4543b44ac03fc7df44b2da935c1c
Instruction ID: cad5eaf85346e71b668ba08b2f628c30e77c2704517dd82a9d952bf497b469eb
Opcode Fuzzy Hash: 162877899c474c333a1658552d12a21d4a3e4543b44ac03fc7df44b2da935c1c
Instruction Fuzzy Hash: 9421F271A40109BEDB14ABB0AC4DCFFBF69FF86320B14851AF429972E1DB354849E650

Function 0059182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0059184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00591872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005918A2
InternetCloseHandle.WININET(00000000), ref: 005918E9

Part of subcall function 00592483: GetLastError.KERNEL32(?,?,00591817,00000000,00000000,00000001), ref: 00592498
Part of subcall function 00592483: SetEvent.KERNEL32(?,?,00591817,00000000,00000000,00000001), ref: 005924AD

Strings

, xrefs: 00591893

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 9d75e277ca264c2cddf68a64beadfbb427c7267e4b3f43099c5afa5bdde198ad
Instruction ID: 8ef461809b80449c78e2f7ebbc0c59580e336b13a5936cab45e63fd44d72ca64
Opcode Fuzzy Hash: 9d75e277ca264c2cddf68a64beadfbb427c7267e4b3f43099c5afa5bdde198ad
Instruction Fuzzy Hash: 5321C2B5500719BFEF119F60DC85EBF7BEDFB89784F10412AF40596140EB209D0467A4

Function 005A63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00521D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00521D73
Part of subcall function 00521D35: GetStockObject.GDI32(00000011), ref: 00521D87
Part of subcall function 00521D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00521D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 005A6461
LoadLibraryW.KERNEL32(?), ref: 005A6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 005A647D
DestroyWindow.USER32(?), ref: 005A6485

Strings

SysAnimate32, xrefs: 005A643C

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: f8339160e04ba8b4cc2f614d639ffec48854f54aa1c18fd65824a5258f20a72a
Instruction ID: f33c944d215d1d56dbfb2a7b62aea41bb782ac4921e540a1fa75969f4d59cf65
Opcode Fuzzy Hash: f8339160e04ba8b4cc2f614d639ffec48854f54aa1c18fd65824a5258f20a72a
Instruction Fuzzy Hash: 1F215E71100205ABEF104FA4DC84EBF7FA9FB5A764F18462AFA5097190D7719C51A760

Function 00586D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00586DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00586DEF
GetStdHandle.KERNEL32(0000000C), ref: 00586E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00586E3B

Strings

nul, xrefs: 00586E36

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: b5b981b58bc970218d982f5df9f5d023c3e4dc19d004e42ee216676b4d8db7c1
Instruction ID: 50d996e6fdb51c0b5033851542fbe0e647362e0d17d7bf15c6ec42a28e6cb836
Opcode Fuzzy Hash: b5b981b58bc970218d982f5df9f5d023c3e4dc19d004e42ee216676b4d8db7c1
Instruction Fuzzy Hash: 9821A47460020AABDB20AF69DC04B9A7FF8FF95720F204A19FCA1E72D0D7709955DB50

Function 00586E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00586E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00586EBB
GetStdHandle.KERNEL32(000000F6), ref: 00586ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00586F06

Strings

nul, xrefs: 00586F01

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 8d331d08191904f844381bc9832d4af5b4578d23edbd9cb158e5d3296d051695
Instruction ID: 7c2cf2f7976276110327d9535b4e6648f469e855460dada2beee5cff854de95e
Opcode Fuzzy Hash: 8d331d08191904f844381bc9832d4af5b4578d23edbd9cb158e5d3296d051695
Instruction Fuzzy Hash: 8D2174796003059BDB20AF69DC04A9B7BA8FF55720F200A19FDE1E72D0DB70D855CB60

Function 0058AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0058AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0058ACA8
__swprintf.LIBCMT ref: 0058ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,005AF910), ref: 0058ACFF

Strings

%lu, xrefs: 0058ACBB

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: a1d5ba7b26242d3d5754966e4c6282652c493fddf000bf25866de2c1ed5925a1
Instruction ID: 941cfb152edf463b3e63cf3205508792d7c6295adbfc851a5174a7baa7805b21
Opcode Fuzzy Hash: a1d5ba7b26242d3d5754966e4c6282652c493fddf000bf25866de2c1ed5925a1
Instruction Fuzzy Hash: 6C21743060020AAFDB10EF55D945DAE7FB8FF8A714B004069F909AB351DB71EA45DB61

Function 00581142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0057FCED,?,00580D40,?,00008000), ref: 0058115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0057FCED,?,00580D40,?,00008000), ref: 00581184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0057FCED,?,00580D40,?,00008000), ref: 0058118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0057FCED,?,00580D40,?,00008000), ref: 005811C1

Strings

@X, xrefs: 0058119D

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @X
API String ID: 2875609808-1606808409
Opcode ID: 665939e824bdc969377f9f68799583945eb238bc0a9bc751e7a6d5e21c0f39e7
Instruction ID: c05ef009231dd063cabd81a8fb48854fa63da46d580cee97ab853b42fe51f471
Opcode Fuzzy Hash: 665939e824bdc969377f9f68799583945eb238bc0a9bc751e7a6d5e21c0f39e7
Instruction Fuzzy Hash: AF111831D00919D7CF00AFA5D849AEEBF78FB1A711F004456EE85B2240CB709556DB99

Function 00581AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00581B19

Strings

APPEND, xrefs: 00581B52
EXISTS, xrefs: 00581B41
KEYS, xrefs: 00581B30
REMOVE, xrefs: 00581B1F

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: e372701d11d1426f186979c7d6c5a579d4fd3aedd073cc7001067cca442244b3
Instruction ID: 66ab5b499aaf423c83137bb3b2b57dfe89228b60d8126e945b8cb917d4675f24
Opcode Fuzzy Hash: e372701d11d1426f186979c7d6c5a579d4fd3aedd073cc7001067cca442244b3
Instruction Fuzzy Hash: DE1161709401199FCF00EFA8E8558FEBBB8FF66308F1044A6D854A7391EB325D06CB54

Function 0059EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0059EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0059EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0059ED6A
CloseHandle.KERNEL32(?), ref: 0059EDEB

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 94dbd1ac09aa588f1129bff158b45f7dd6a9253cd738b85ccacbc5b53762b651
Instruction ID: c4d9e612e059674973daba83bc22381596b798599a0f017e7056122b65d88999
Opcode Fuzzy Hash: 94dbd1ac09aa588f1129bff158b45f7dd6a9253cd738b85ccacbc5b53762b651
Instruction Fuzzy Hash: 548161716043119FDB24EF28D84AF2ABBE5BF89710F44881DF9999B3D2D670AC44CB91

Function 005A0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Part of subcall function 005A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059FDAD,?,?), ref: 005A0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005A00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005A013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 005A0183
RegCloseKey.ADVAPI32(?,?), ref: 005A01AF
RegCloseKey.ADVAPI32(00000000), ref: 005A01BC

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 5a4230997e336745ca123d5d9c57f1e93dbd40025f38ba1ac81b190fd4d48c2f
Instruction ID: 71b373b72d52884cf5788c7a08f05b57f598cdca83923f3e08f5d3e120cc4ca6
Opcode Fuzzy Hash: 5a4230997e336745ca123d5d9c57f1e93dbd40025f38ba1ac81b190fd4d48c2f
Instruction Fuzzy Hash: C3518D71218205AFD704EF54DC85EAEBBE8FF86304F40492DF595872A2DB31E944DB52

Function 0059D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0059D927
GetProcAddress.KERNEL32(00000000,?), ref: 0059D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0059D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0059DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0059DA21

Part of subcall function 00525A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00587896,?,?,00000000), ref: 00525A2C
Part of subcall function 00525A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00587896,?,?,00000000,?,?), ref: 00525A50

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 27a1ffd3bee445ecc16840608fb08390268a2f7cd2952dadbc672e758df1da2e
Instruction ID: 3cebcc8cdf12bd9c82817ebf0470436c1d1cfa658189a8683ec8b84be946b6f2
Opcode Fuzzy Hash: 27a1ffd3bee445ecc16840608fb08390268a2f7cd2952dadbc672e758df1da2e
Instruction Fuzzy Hash: F9512935A0421ADFCB00EFA8D4889ADBBF4FF5A320B448065E855AB352DB31ED45CF50

Function 0058E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0058E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0058E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0058E687

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0058E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0058E6B4

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 075f779527707bc524d6414b03f96578677fdf9b0b592e2881c81332b11a56c3
Instruction ID: 56c8c9b5bc33c6fd0c3dda881f5a6c875713b3aadd0beec06fef5fac017c8271
Opcode Fuzzy Hash: 075f779527707bc524d6414b03f96578677fdf9b0b592e2881c81332b11a56c3
Instruction Fuzzy Hash: 63513939A00116DFCB04EF65D985AADBBF5FF4A314F1480A9E809AB3A1DB31ED11DB50

Function 005AA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f9ccc16de418c7681682fe259491ee8c20dfdd6f0c6eb3392cfa6987e550ac
Instruction ID: 95004bcc842c98ee66fa18dd38915cd5f7c626ada66d28a178759410276c7b59
Opcode Fuzzy Hash: a8f9ccc16de418c7681682fe259491ee8c20dfdd6f0c6eb3392cfa6987e550ac
Instruction Fuzzy Hash: BF419E35904244BFD724DB68CC88FADBFA8FB0B310F140565E856A72E1D730AD45EAA1

Function 00522344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00522357
ScreenToClient.USER32(005E57B0,?), ref: 00522374
GetAsyncKeyState.USER32(00000001), ref: 00522399
GetAsyncKeyState.USER32(00000002), ref: 005223A7

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 1e05ea37d7da98bb77799b0dd3c49566429ccbbb5379d7559945655fbb92410c
Instruction ID: 19f2c9dbd2f37614eab14c02b3924d8c6f84773f0a1b7e0c4a8da839861278e0
Opcode Fuzzy Hash: 1e05ea37d7da98bb77799b0dd3c49566429ccbbb5379d7559945655fbb92410c
Instruction Fuzzy Hash: 53416F39604215FFDB15DF68C848AEDBFB4BF16361F20471AE829922E0C734A954DB91

Function 005763AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005763E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00576433
TranslateMessage.USER32(?), ref: 0057645C
DispatchMessageW.USER32(?), ref: 00576466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00576475

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: ba559cd30b2516273cf7372004977991dbaf67da1491076ef52f3b9337c5cecd
Instruction ID: b155e4b2cbe3f42b351fd8e075e8439330b4762015c5e3514c126f40b626dc11
Opcode Fuzzy Hash: ba559cd30b2516273cf7372004977991dbaf67da1491076ef52f3b9337c5cecd
Instruction Fuzzy Hash: 8931E471900A82AFDF288FB0ECC4BB67FA9BB11304F148565E569C70A0E7359849FB60

Function 00578A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00578A30
PostMessageW.USER32(?,00000201,00000001), ref: 00578ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00578AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00578AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00578AF8

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 7dba5317b405e14a45f8cbd00745599299c1a5aa92eb964327c14f19fb9d9f12
Instruction ID: 9f96dc3bbc2dcdfdac8cf6b89b37dd9022773b14dd0d24e48e5afc3703c1ea1b
Opcode Fuzzy Hash: 7dba5317b405e14a45f8cbd00745599299c1a5aa92eb964327c14f19fb9d9f12
Instruction Fuzzy Hash: 4131C471500219EBDF14CFA8E94CAAE3FB5FB15325F108229F929DB1D0C7709914EB90

Function 0057B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0057B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0057B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0057B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0057B27F
_wcsstr.LIBCMT ref: 0057B289

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 5e65a7d7422358e033161e151aa43531622c418c51833c4c052e6504590592de
Instruction ID: 333a1e037dd89ae6cb702d1825de615251d5f7f884dc3fd06d3ca57480ce72eb
Opcode Fuzzy Hash: 5e65a7d7422358e033161e151aa43531622c418c51833c4c052e6504590592de
Instruction Fuzzy Hash: 9921F5756052017AFB155B75AC0DF7F7FACEF89710F108129F808DA1A2EF619C40A3A0

Function 005AB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

GetWindowLongW.USER32(?,000000F0), ref: 005AB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 005AB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 005AB1CF
GetSystemMetrics.USER32(00000004), ref: 005AB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00590E90,00000000), ref: 005AB216

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 536b7569c872c3ffd85294b2ff1c4f1f22aaee16fd5fd757f9b6eeb3a9552de9
Instruction ID: 78418c62775d1cfca7bc37f7cda6395996c83e5a1a3d70f759a7b4112eeb7599
Opcode Fuzzy Hash: 536b7569c872c3ffd85294b2ff1c4f1f22aaee16fd5fd757f9b6eeb3a9552de9
Instruction Fuzzy Hash: 0721AD31A10661AFDB249F789C04B6E3BA4FF17321F204B29B922C71E1E7309820DB90

Function 00579307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00579320

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00579352
__itow.LIBCMT ref: 0057936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00579392
__itow.LIBCMT ref: 005793A3

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 601c436acb21d150a87b433e3732b429ccbfe361ab88b7e5f1c692f2fb75687d
Instruction ID: 31d0c81304eec076a24323f7a03ecfeb84752069149cc635d635979eee4514da
Opcode Fuzzy Hash: 601c436acb21d150a87b433e3732b429ccbfe361ab88b7e5f1c692f2fb75687d
Instruction Fuzzy Hash: 0D21D731700219ABDB109FA4AC89EEE7FA9FFDA710F048425FD09E71D1D6B08D45A7A1

Function 00595A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00595A6E
GetForegroundWindow.USER32 ref: 00595A85
GetDC.USER32(00000000), ref: 00595AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00595ACD
ReleaseDC.USER32(00000000,00000003), ref: 00595B08

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: e8a94763a501b8ffcdbce4c3e5e4a3c0d5c72ecad4e884858c076fb62e0ce1b8
Instruction ID: dd99a7404801bf5bca2c7bc849cb0d6f497243909c7275e0cdaf733eaa2f0472
Opcode Fuzzy Hash: e8a94763a501b8ffcdbce4c3e5e4a3c0d5c72ecad4e884858c076fb62e0ce1b8
Instruction Fuzzy Hash: DD21C335A00104AFDB14EFA4DC88AAABBF5FF99311F148479F909D7362DA30AC04DB90

Function 005212F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0052134D
SelectObject.GDI32(?,00000000), ref: 0052135C
BeginPath.GDI32(?), ref: 00521373
SelectObject.GDI32(?,00000000), ref: 0052139C

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f1b15c9846bc63ee70a7cb68a35d12393753b83567333667f07e4a83fc9e8cbe
Instruction ID: abc1487d40eb1ad0b8717a55b9cc91264dbcef6d93487d91d16b029269000c16
Opcode Fuzzy Hash: f1b15c9846bc63ee70a7cb68a35d12393753b83567333667f07e4a83fc9e8cbe
Instruction Fuzzy Hash: 0721B231804A54EFDB10CF24EC8876A3FA9FB31315F244626F8419A0F0E7B08899EF94

Function 0057BC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0057BCB3
_memcmp.LIBCMT ref: 0057BCD1
_memcmp.LIBCMT ref: 0057BCE4
_memcmp.LIBCMT ref: 0057BCFC
_memcmp.LIBCMT ref: 0057BD14

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b2f1705cb44a535b0915e567a4059ed67bed5eed3a593933d703d667b614325d
Instruction ID: 80d24287061fbefa71d46dd8de6eaee1eccf4214760db210af5e432b88924876
Opcode Fuzzy Hash: b2f1705cb44a535b0915e567a4059ed67bed5eed3a593933d703d667b614325d
Instruction Fuzzy Hash: 4A0192B260050A7BEA156A11AD42FFBBF5CFE50398F04C421FD0996242EF50EE11A2A5

Function 00584A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00584ABA
__beginthreadex.LIBCMT ref: 00584AD8
MessageBoxW.USER32(?,?,?,?), ref: 00584AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00584B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00584B0A

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 38ee996f15252f221d0ed211bfacbea16315132c1def391069cbe9a31622d4c1
Instruction ID: f13fd34156a18b1845ab52d78f858c1fbea7462831fe632afc8705fe8cd6691c
Opcode Fuzzy Hash: 38ee996f15252f221d0ed211bfacbea16315132c1def391069cbe9a31622d4c1
Instruction Fuzzy Hash: 9B114876904245BBCB04AFA8EC48A9B7FADFB55325F144269FD14E3250E771C9088BA0

Function 00578202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0057821E
GetLastError.KERNEL32(?,00577CE2,?,?,?), ref: 00578228
GetProcessHeap.KERNEL32(00000008,?,?,00577CE2,?,?,?), ref: 00578237
HeapAlloc.KERNEL32(00000000,?,00577CE2,?,?,?), ref: 0057823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00578255

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: bca70939ed6de73157836e8b306f621e647ae4f95a1a054c85ad2fd9e02cbebd
Instruction ID: 58b45d89193b5f682bb1ed890387db9485f5c3a040d462bef5e0d0d7fc605b56
Opcode Fuzzy Hash: bca70939ed6de73157836e8b306f621e647ae4f95a1a054c85ad2fd9e02cbebd
Instruction Fuzzy Hash: 3B014675280204AFDB204FA6EC4CD6B7FADFF9A756B504469F809C3220DA318C04EB60

Function 0057710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00577044,80070057,?,?,?,00577455), ref: 00577127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00577044,80070057,?,?), ref: 00577142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00577044,80070057,?,?), ref: 00577150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00577044,80070057,?), ref: 00577160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00577044,80070057,?,?), ref: 0057716C

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b7bb9c0994f341047fc783afb504312102950c4bb94a08ed0d291780d3735693
Instruction ID: 75260d873441d450fdc213f002b4045ed1cb4742598b9a3a170faf4af0725a79
Opcode Fuzzy Hash: b7bb9c0994f341047fc783afb504312102950c4bb94a08ed0d291780d3735693
Instruction Fuzzy Hash: F3017C76601209AFDB114FA4FC44AAA7FADFB49791F1481B4FD08D2220DB75DD40EBA0

Function 00585244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00585260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0058526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00585276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00585280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005852BC

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: dd20c0d0c1ef8a4ada47d3d958d728eb8d8a2099f0c5b23b3fcfa74cb5fbba5e
Instruction ID: 19ab0d206db618419f611bcf4ffb2019abf77b177e98c482085c3a8888b193f5
Opcode Fuzzy Hash: dd20c0d0c1ef8a4ada47d3d958d728eb8d8a2099f0c5b23b3fcfa74cb5fbba5e
Instruction Fuzzy Hash: 66015739D01A29DBDF00EFE4E848AEDBF78BB19311F400566E982B2140DF305958DBA1

Function 0057810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00578121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0057812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0057813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00578141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00578157

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d382cd243c7ba590851e6a1cb3a7fcf7ee9c38a7830ebc62a8f13dc89dad2e6e
Instruction ID: 46e6391d87265c51adb62fd6ac7d86768971b608979a0a4de7f8de8c7107dc90
Opcode Fuzzy Hash: d382cd243c7ba590851e6a1cb3a7fcf7ee9c38a7830ebc62a8f13dc89dad2e6e
Instruction Fuzzy Hash: F9F03C71340304AFEB110FA5EC8CE7B3BACFF4A655B404025F94986150CF619945EB60

Function 0057C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0057C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0057C20E
MessageBeep.USER32(00000000), ref: 0057C226
KillTimer.USER32(?,0000040A), ref: 0057C242
EndDialog.USER32(?,00000001), ref: 0057C25C

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: b1523e3c7d4f66011a615f589ffd417915f56e331152a5c7477434344067839d
Instruction ID: b070d2c997570ee60cd8b1f5bc75c1cd4f8a4f79ddd2167a4b92ce5d657763ff
Opcode Fuzzy Hash: b1523e3c7d4f66011a615f589ffd417915f56e331152a5c7477434344067839d
Instruction Fuzzy Hash: 5A01A234404304ABEB205FA0ED4EF967FB8FF11B06F00466DA5C6A24E1DBE06948AB90

Function 005213B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005213BF
StrokeAndFillPath.GDI32(?,?,0055B888,00000000,?), ref: 005213DB
SelectObject.GDI32(?,00000000), ref: 005213EE
DeleteObject.GDI32 ref: 00521401
StrokePath.GDI32(?), ref: 0052141C

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: d8a557134d0b53fe453cdcba315d3a6c9646924f5b3f61266437d08d8496570c
Instruction ID: 05b01307439d5a7c57a814f9ec6c3611bad2a228a05d3ab31ffe271512be2c4f
Opcode Fuzzy Hash: d8a557134d0b53fe453cdcba315d3a6c9646924f5b3f61266437d08d8496570c
Instruction Fuzzy Hash: 37F0CD30008A48DBDB195F66EC8C7593FA5BB3232AF188224E5AA490F1D771459DEF54

Function 00532CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00540DB6: std::exception::exception.LIBCMT ref: 00540DEC
Part of subcall function 00540DB6: __CxxThrowException@8.LIBCMT ref: 00540E01

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Part of subcall function 00527A51: _memmove.LIBCMT ref: 00527AAB

__swprintf.LIBCMT ref: 00532ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00532D66

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: d71646121037d81b0bd2772a0a103dbd51e933b2217de17f68cdd00fbc978504
Instruction ID: 7498173c5e5cdbf38396f58ef9531f8ad5963ca7f1aba6793a668e0b2613f527
Opcode Fuzzy Hash: d71646121037d81b0bd2772a0a103dbd51e933b2217de17f68cdd00fbc978504
Instruction Fuzzy Hash: 80913A715087169FC714EF24D89AC6EBFA8FF8A710F00491DF5969B2A1EA30ED44CB52

Function 0058B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00524750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00524743,?,?,005237AE,?), ref: 00524770

CoInitialize.OLE32(00000000), ref: 0058B9BB
CoCreateInstance.OLE32(005B2D6C,00000000,00000001,005B2BDC,?), ref: 0058B9D4
CoUninitialize.OLE32 ref: 0058B9F1

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

Strings

.lnk, xrefs: 0058B99D, 0058B9AB

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 8b3f4aeb5eec6f3bce2de555f60dc871453a016d4ee64530946aebba83f9d41d
Instruction ID: 5885c8bc36ea52a907fa565310e12601072a6ea1bd0ca86a1cc1fc2452fa72cb
Opcode Fuzzy Hash: 8b3f4aeb5eec6f3bce2de555f60dc871453a016d4ee64530946aebba83f9d41d
Instruction Fuzzy Hash: 82A17A756043129FDB14EF14C484D6ABBE9FF8A314F048998F899AB3A1CB31ED45CB91

Function 0057B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0057B4BE

Strings

%[, xrefs: 0057B561
Container, xrefs: 0057B43B
AutoIt3GUI, xrefs: 0057B436

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%[
API String ID: 3565006973-249053226
Opcode ID: 7d10ae2e5e08eaee6ae07d743f779f64b2d773973333c2b7ff2beb5f7165543a
Instruction ID: 5a91b60d080577a8e49887901d5baba28b47ae3d5db08d265a8af59ca89ac223
Opcode Fuzzy Hash: 7d10ae2e5e08eaee6ae07d743f779f64b2d773973333c2b7ff2beb5f7165543a
Instruction Fuzzy Hash: 12913A70600601AFEB14DF68D884B6ABBF5FF49714F20856EF94ACB291EB71E841DB50

Function 0054501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 005450AD

Part of subcall function 005500F0: __87except.LIBCMT ref: 0055012B

Strings

pow, xrefs: 00545085, 005450A2

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 737df89aa651fc99c45d2394c5c3f68857e96858f18a72b7cb386bb74636783c
Instruction ID: d4df99d5c6d9ac025a4de9f7de5d72121b388a22d8626a7a3d37e56006198133
Opcode Fuzzy Hash: 737df89aa651fc99c45d2394c5c3f68857e96858f18a72b7cb386bb74636783c
Instruction Fuzzy Hash: 2F517035908A0687DB117B14CC2D3BE2F90BB80705F205D5AE8D9861DBFE348DCCDA86

Function 00568584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0056862B
_memmove.LIBCMT ref: 00568685

Strings

3cS, xrefs: 0056860C
_S, xrefs: 005686FF, 0056DFDC, 0056DFF8

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _memmove
String ID: 3cS$_S
API String ID: 4104443479-3431193023
Opcode ID: ecb9d526df9f95372d5c92470285efda91a4c363a5943603f5cb6c205db4202f
Instruction ID: 3c1329e02ee3dd4686de4771496d35f4b4c663ddd1a8aa64e6158221327d49d8
Opcode Fuzzy Hash: ecb9d526df9f95372d5c92470285efda91a4c363a5943603f5cb6c205db4202f
Instruction Fuzzy Hash: 27514D70E006099FCF24CFA8C884ABEBBB1FF55304F248529E85AD7250EB31A955CF51

Function 005797F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005814BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00579296,?,?,00000034,00000800,?,00000034), ref: 005814E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0057983F

Part of subcall function 00581487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005792C5,?,?,00000800,?,00001073,00000000,?,?), ref: 005814B1

Part of subcall function 005813DE: GetWindowThreadProcessId.USER32(?,?), ref: 00581409
Part of subcall function 005813DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0057925A,00000034,?,?,00001004,00000000,00000000), ref: 00581419
Part of subcall function 005813DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0057925A,00000034,?,?,00001004,00000000,00000000), ref: 0058142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005798AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005798F9

Strings

@, xrefs: 00579911

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d9b7fcb7afa6661de54cbdd7e3e6548a97b81af4ec382b39b37def1b80a3b492
Instruction ID: 16d03349ff2262ee1efa64999147734270e478514a4131ddb355256fb9fcdc52
Opcode Fuzzy Hash: d9b7fcb7afa6661de54cbdd7e3e6548a97b81af4ec382b39b37def1b80a3b492
Instruction Fuzzy Hash: E0416E76900219BFDF10EFA4CC85ADEBBB8FB49300F004099FA45B7191DA716E45DBA1

Function 005A7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,005AF910,00000000,?,?,?,?), ref: 005A79DF
GetWindowLongW.USER32 ref: 005A79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005A7A0C

Strings

SysTreeView32, xrefs: 005A79B1

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: adae23e23716d0c69f108f45340cc05cc3fc0e109566be9727495e31ec0ea10f
Instruction ID: a27d15292693c94fea29f39d83473764fc1f2642437dfa0631e229f87ab841a5
Opcode Fuzzy Hash: adae23e23716d0c69f108f45340cc05cc3fc0e109566be9727495e31ec0ea10f
Instruction Fuzzy Hash: 6331CE3120460AAFDB118E78DC45BEB7BA9FF4A324F208725F875922E0D730ED509B50

Function 005A73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 005A7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 005A7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 005A7499

Strings

SysMonthCal32, xrefs: 005A742C

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: e2156e59fd2062934464b110b0e31d09bebcef0c3990969a586e011cc1523bb6
Instruction ID: a696e6a766ce2ee62a54b94457efa6e9d5a5ecf6308164391d8da86dd22644ca
Opcode Fuzzy Hash: e2156e59fd2062934464b110b0e31d09bebcef0c3990969a586e011cc1523bb6
Instruction Fuzzy Hash: 5A21B132500219ABDF118EA4CC46FEE3F69FF8D724F110114FE156B1D0DA75AC559BA0

Function 005A7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 005A7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 005A7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 005A7C5F

Strings

msctls_updown32, xrefs: 005A7BC4

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f02a9b9abefa07c0422d1254e69caa83327774ee80e3caa791607e13c06adf14
Instruction ID: 7340fd866f3a888d076ceecdec38f9bb608f305d0f0ae9b708d467610c4b578a
Opcode Fuzzy Hash: f02a9b9abefa07c0422d1254e69caa83327774ee80e3caa791607e13c06adf14
Instruction Fuzzy Hash: 7E217FB5604609AFEB10DF24DCD5CAA3BEDFF5A364B140459F9019B3A1DB31EC119BA0

Function 005A6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 005A6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005A6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 005A6D70

Strings

Listbox, xrefs: 005A6D08

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ee1555a664a54ac513a5095d8ef050dbe1b7fe7c5012e58d609fcf03cac62570
Instruction ID: 6bc327b5edea89fd29535e423a7bcd89907d8567a78fa5622a1b727de2bcf67b
Opcode Fuzzy Hash: ee1555a664a54ac513a5095d8ef050dbe1b7fe7c5012e58d609fcf03cac62570
Instruction Fuzzy Hash: A4218032610118BFDF158F54DC45EAF3BAAFF8A760F058124FA459B1A0C6719C519BA0

Function 005939E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00593A66

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Strings

%[, xrefs: 005939F4
AUTOITCALLVARIABLE%d, xrefs: 00593A58
, $, xrefs: 00593AA6

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%[
API String ID: 3506404897-741242068
Opcode ID: 03cbad5b87ed85684dff4ef2e8abbaf699b30a192bb23593f1f2fedb43db5ddd
Instruction ID: 5f8a99ee20955743ebbef35e5959287f576c05c160f33bdd49798efdc8fbba53
Opcode Fuzzy Hash: 03cbad5b87ed85684dff4ef2e8abbaf699b30a192bb23593f1f2fedb43db5ddd
Instruction Fuzzy Hash: 6D21503160022AEFCF10EFA4DC86AAE7FB5BF89700F504455E555AB291DA30EA45CB61

Function 005A770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 005A7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 005A7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 005A7794

Strings

msctls_trackbar32, xrefs: 005A7749

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 98cd3454500bcd8a34a8f8bb0681d35b687cbb993c9ec845ff6da3f0d6670e83
Instruction ID: 8398c71fa40ca85829179f5afe38e7fafda543de35bab083b9140bf7fc371fe9
Opcode Fuzzy Hash: 98cd3454500bcd8a34a8f8bb0681d35b687cbb993c9ec845ff6da3f0d6670e83
Instruction Fuzzy Hash: BF112332204209BAEF245F64DC05FEB3BA9FF8EB54F010129FA41A60A0D272E811DB20

Function 00546B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00546B93
__calloc_crt.LIBCMT ref: 00546BAC

Strings

], xrefs: 00546BD1
@B^, xrefs: 00546BC3

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: __calloc_crt
String ID: ]$@B^
API String ID: 3494438863-2679402885
Opcode ID: 896c3c21eb16e077894a1494d9906449ab5b3e3c09283f577047fdbd5b81c366
Instruction ID: f88fff1bcceee935765de2b0499f6acb6e7a197f31d662f7f55e696f0e296fad
Opcode Fuzzy Hash: 896c3c21eb16e077894a1494d9906449ab5b3e3c09283f577047fdbd5b81c366
Instruction Fuzzy Hash: 1AF0A475604A128BF7299F18BCA2BE62FD5F75133CB10041BE340CE280FB3088449681

Function 00549B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00549B94

Part of subcall function 00549C0B: __mtinitlocknum.LIBCMT ref: 00549C1D
Part of subcall function 00549C0B: EnterCriticalSection.KERNEL32(00000000,?,00549A7C,0000000D), ref: 00549C36

__updatetlocinfoEx_nolock.LIBCMT ref: 00549BA4

Part of subcall function 00549100: ___addlocaleref.LIBCMT ref: 0054911C
Part of subcall function 00549100: ___removelocaleref.LIBCMT ref: 00549127
Part of subcall function 00549100: ___freetlocinfo.LIBCMT ref: 0054913B

Strings

8], xrefs: 00549B85
8], xrefs: 00549B8A, 00549B9F, 00549BAB

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8]$8]
API String ID: 547918592-2921900188
Opcode ID: f9feb72b6582b32ae84441d1cfff6a1b3389a0e117dd4ee54cc38de3f469f090
Instruction ID: c644e78af078d3bd9d54297f6752f3a46ac6d73bc45d3c6fc0263b70fb05716f
Opcode Fuzzy Hash: f9feb72b6582b32ae84441d1cfff6a1b3389a0e117dd4ee54cc38de3f469f090
Instruction Fuzzy Hash: A7E08C31947702AAFA30BBE8690BB9E2FA0BB80B29F20115BF055592C1CE702C00D657

Function 00524C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00524BD0,?,00524DEF,?,005E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00524C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00524C23

Strings

kernel32.dll, xrefs: 00524C0C
Wow64DisableWow64FsRedirection, xrefs: 00524C1D

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 2569916c0aaece91b96dde0b0c1a8d3026a98bebcbfea5c4eb7ef789b836c817
Instruction ID: eab64be0f4452f7a18d99cdc8b49ee34bc846a6e6b8ed2a47242fb120bf027be
Opcode Fuzzy Hash: 2569916c0aaece91b96dde0b0c1a8d3026a98bebcbfea5c4eb7ef789b836c817
Instruction Fuzzy Hash: DED01230511723CFD720AFB5ED48646BEE5FF1A352B118C3AD485D6190E6B0D880CB60

Function 00524C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00524B83,?), ref: 00524C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00524C56

Strings

kernel32.dll, xrefs: 00524C3F
Wow64RevertWow64FsRedirection, xrefs: 00524C50

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 7f80ff30e4a27e42582447068284f49c457bb35d7948f53bd6a80da2f9ee12ef
Instruction ID: 93018dce92ab62808ff2ea63ace831825d4563af70ad2a1384fc97640830d046
Opcode Fuzzy Hash: 7f80ff30e4a27e42582447068284f49c457bb35d7948f53bd6a80da2f9ee12ef
Instruction Fuzzy Hash: ABD01730510723CFD7209FB9E94864A7BE4BF16351F11883AD496E62A0E670D880CB60

Function 005A0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,005A1039), ref: 005A0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005A0E07

Strings

advapi32.dll, xrefs: 005A0DF0
RegDeleteKeyExW, xrefs: 005A0E01

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 961a59df25f42cf7235323652a9f7c11908bc2f7df678183c805cba717bce331
Instruction ID: b311ae7bded1a48482f52065d2828e5937221694113a76d9d76207e5a6c65e74
Opcode Fuzzy Hash: 961a59df25f42cf7235323652a9f7c11908bc2f7df678183c805cba717bce331
Instruction Fuzzy Hash: 0DD01270550712CFD7209FB5D8486467AD9BF26352F119C7FD485D6290D6B0D490D750

Function 005990E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00598CF4,?,005AF910), ref: 005990EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00599100

Strings

kernel32.dll, xrefs: 005990E9
GetModuleHandleExW, xrefs: 005990FA

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: dc6e4d07e6dbe4f2db9e64d9918e30c442bab11faf29cbca10b9c1e8c0f2f3dc
Instruction ID: ae54bea39334c9168a603c77ff93b087f51378e22e955ee9e7711f9933412e94
Opcode Fuzzy Hash: dc6e4d07e6dbe4f2db9e64d9918e30c442bab11faf29cbca10b9c1e8c0f2f3dc
Instruction Fuzzy Hash: B6D01734510713CFDB209FB9D8586467AE4BF16352B168C3ED486D6690EB70C880DBA0

Function 00561714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00561718
__swprintf.LIBCMT ref: 00561749

Strings

%.3d, xrefs: 00561723
WIN_XPe, xrefs: 00561788

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 2aa3c964e34093e425c20184ecaf78ac636ef73010fe497ff436ff62dae09303
Instruction ID: 4900fc7b456aca4c008963ae67e551a7fb182adae95b83a9bf278f7dd50bf865
Opcode Fuzzy Hash: 2aa3c964e34093e425c20184ecaf78ac636ef73010fe497ff436ff62dae09303
Instruction Fuzzy Hash: A5D01771804519EACB549A909C888F97F7CFB19301F180962B406E3080E226AB94EA29

Function 0057717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f196a2d0453514c6ca42280da3db1f9d2ac518f05dbc8397510defaf5fbdb93a
Instruction ID: ba1c9a13ed8fba2a2bc84b0d49e6225571760152380c7dbfa3a83bf66aa7b064
Opcode Fuzzy Hash: f196a2d0453514c6ca42280da3db1f9d2ac518f05dbc8397510defaf5fbdb93a
Instruction Fuzzy Hash: 96C16274A0421AEFCB14CFA4E884DAEBBB5FF4C714B158998E809DB251D730DD41EB90

Function 0059E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0059E0BE
CharLowerBuffW.USER32(?,?), ref: 0059E101

Part of subcall function 0059D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0059D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0059E301
_memmove.LIBCMT ref: 0059E314

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: ebb0a49c96ee5b00a081522156b549728faf4a9964cdc602f2e7a566d6d521d6
Instruction ID: 28963d5e1c7c18e13d981de2385d828a77fe49fb64339fa04da278f1e5e5e14e
Opcode Fuzzy Hash: ebb0a49c96ee5b00a081522156b549728faf4a9964cdc602f2e7a566d6d521d6
Instruction Fuzzy Hash: 86C15971608311DFCB04DF28C485A6ABBE4FF89714F14896DF8999B391D731E946CB82

Function 00598093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005980C3
CoUninitialize.OLE32 ref: 005980CE

Part of subcall function 0057D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0057D5D4

VariantInit.OLEAUT32(?), ref: 005980D9
VariantClear.OLEAUT32(?), ref: 005983AA

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 6eae49b5e068612260aa72ceed046ed8c392a7654053903863ca29cf2690f9b7
Instruction ID: 3078221dd348db69288af638844f693473f8918d146524dbed2ce9ff3e109b85
Opcode Fuzzy Hash: 6eae49b5e068612260aa72ceed046ed8c392a7654053903863ca29cf2690f9b7
Instruction Fuzzy Hash: F3A17D756047129FCB04DF64C885B2ABBE4BF8A714F18485CF9969B3A1CB34EC45CB86

Function 0057687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0057688E
SysAllocString.OLEAUT32(00000000), ref: 00576937
VariantCopy.OLEAUT32 ref: 00576966
VariantClear.OLEAUT32(?), ref: 0057698D

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 06ba72c28dc291667eefaba527ad495005cd91d52f65664adf2b618138928bd5
Instruction ID: a4b346efd1d5941aae218ac29b58ba748037fc682511f22a9f8ac72e589b4db1
Opcode Fuzzy Hash: 06ba72c28dc291667eefaba527ad495005cd91d52f65664adf2b618138928bd5
Instruction Fuzzy Hash: EC51D774704B02DECF24AF65E89962ABBE5BF45310F20D81FE58EE7291DA30D840A701

Function 005A97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(012CD4D8,?), ref: 005A9863
ScreenToClient.USER32(00000002,00000002), ref: 005A9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 005A9903

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 80cc2af09bbdc1a8c62cbecc0e6380f193e22686cb11bcfdf21a89c754156812
Instruction ID: 5238936009b411f7d672dd53e8df892223450b2d390372126d164ecdb1a0700b
Opcode Fuzzy Hash: 80cc2af09bbdc1a8c62cbecc0e6380f193e22686cb11bcfdf21a89c754156812
Instruction Fuzzy Hash: 79514E34A00219EFCF14CF64D884AAE7FB6FF56360F248169F9559B2A0D730AD41DB90

Function 00579A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00579AD2
__itow.LIBCMT ref: 00579B03

Part of subcall function 00579D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00579DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00579B6C
__itow.LIBCMT ref: 00579BC3

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: c0ad36be5250ad24441cdda950303438dfab52adaa3c0955a51f5730a59991a3
Instruction ID: 572973a62163a17a4e4efd537b7f3e4ee747f2c9bc1c95d9b4f957825312ed0e
Opcode Fuzzy Hash: c0ad36be5250ad24441cdda950303438dfab52adaa3c0955a51f5730a59991a3
Instruction Fuzzy Hash: 65419074A0421DABDF21DF54E849BEE7FB9FF89710F004069F909A3291DB709944DBA1

Function 005969AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 005969D1
WSAGetLastError.WSOCK32(00000000), ref: 005969E1

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00596A45
WSAGetLastError.WSOCK32(00000000), ref: 00596A51

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: a4cf8c95d1400b3a19c5381b93ed71c1a0dc62eb48da523d9130f457e97a26a0
Instruction ID: eb56020fb3a8af40d1b52e2f8bc8a6ff53357fcb5542c0e0d8f8b428fde90a38
Opcode Fuzzy Hash: a4cf8c95d1400b3a19c5381b93ed71c1a0dc62eb48da523d9130f457e97a26a0
Instruction Fuzzy Hash: B041C375700211AFEB24AF64DC8AF3A7BA4FF46B14F448418FA19AF3C2DA709D048791

Function 0059641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,005AF910), ref: 005964A7
_strlen.LIBCMT ref: 005964D9

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 3d0879be304197ced7c06a18452365148dd0ba5a93e8c9cdc05bb6701a684668
Instruction ID: 1bac776e721b2fde320ddb4d24250603c25f1c49db1f6cc2a73aabca0c20bc63
Opcode Fuzzy Hash: 3d0879be304197ced7c06a18452365148dd0ba5a93e8c9cdc05bb6701a684668
Instruction Fuzzy Hash: FE41B331A00116AFCF14EBA8EC89EAEBFA8BF85310F508155F819972D2EB30ED44C750

Function 0058B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0058B89E
GetLastError.KERNEL32(?,00000000), ref: 0058B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0058B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0058B915

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 9acb17c7097c3b9b28237211543edffdd10a408ace00e994a76b408561dd7b9e
Instruction ID: 6896e8b6abd1a5550df4a00ea7c2cfed4227ebedd45a0f552684f7534a44452b
Opcode Fuzzy Hash: 9acb17c7097c3b9b28237211543edffdd10a408ace00e994a76b408561dd7b9e
Instruction Fuzzy Hash: 5E411A39600511DFCB14EF55D488A59BBE5BF8A310F098098ED4AAB3A2CB30FD01DB95

Function 005A8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005A88DE

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 967c5b37c7a65b61139aa187329254089c9e522542368c6cb4995b8a1faa85a3
Instruction ID: 122a2a5c5bf05c7a373c87c7e74026c80377f16930b1925ac17df0f1b1b5e3ec
Opcode Fuzzy Hash: 967c5b37c7a65b61139aa187329254089c9e522542368c6cb4995b8a1faa85a3
Instruction Fuzzy Hash: 8C31D234600109AFEB249A58CC85BBE7FB5FB07310F944912FA51E61A1DE74E940A792

Function 005AAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 005AAB60
GetWindowRect.USER32(?,?), ref: 005AABD6
PtInRect.USER32(?,?,005AC014), ref: 005AABE6
MessageBeep.USER32(00000000), ref: 005AAC57

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1d92ff0aed70d677b7a4e85a33954e57824bc096b184f77750fea9077c60b88c
Instruction ID: 08ef2ec524772043f7b59f3f9e6e4d3e9393d752ba233ba9da0f5265615d792e
Opcode Fuzzy Hash: 1d92ff0aed70d677b7a4e85a33954e57824bc096b184f77750fea9077c60b88c
Instruction Fuzzy Hash: 4B418C30600209DFDB11DF58C894A6D7BF5FB4A320F2480A9F9559F260E730AC45DB92

Function 00580AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00580B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00580B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00580BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00580BFB

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1e6c4b83a5606910bcaecc514292ef2d3b0cb0e543d4f28600212cbda4710727
Instruction ID: 2fab622546fc16ade56b9f07e20afa90b6d26419b36c6405a4b64e6b37d72d66
Opcode Fuzzy Hash: 1e6c4b83a5606910bcaecc514292ef2d3b0cb0e543d4f28600212cbda4710727
Instruction Fuzzy Hash: A4315A30E40218AFFF70AB658C09BFEBFA9BB45326F04925AEC91721D1C3748D499751

Function 00580C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00580C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00580C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00580CE1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00580D33

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 252ed86d816a57ce704e97a109dde1a4f782515eacfbcda60709edd0da8cd271
Instruction ID: 4904d4a0980510c31c08888c406d74d6d5f32da081a1829ea668971f27ab8c9f
Opcode Fuzzy Hash: 252ed86d816a57ce704e97a109dde1a4f782515eacfbcda60709edd0da8cd271
Instruction Fuzzy Hash: 50313530941218AEFF70AEA5C8097BEFF6ABB89310F04972AEC85721D1C3359D4D9751

Function 005561C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 005561FB
__isleadbyte_l.LIBCMT ref: 00556229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00556257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0055628D

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: ec7f589a153fe1a0d109a2915397b2a14ce50423c9317bee548b3098f84ed498
Instruction ID: 3207df8f2adf0131693902d656ad8539373ef63f3e78be41f186c06a17a17fae
Opcode Fuzzy Hash: ec7f589a153fe1a0d109a2915397b2a14ce50423c9317bee548b3098f84ed498
Instruction Fuzzy Hash: 3331EF34600286AFDF218F64CC58BBA7FA9FF82312F55412AEC20871A1DB30D958DB90

Function 005A4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 005A4F02

Part of subcall function 00583641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0058365B
Part of subcall function 00583641: GetCurrentThreadId.KERNEL32 ref: 00583662
Part of subcall function 00583641: AttachThreadInput.USER32(00000000,?,00585005), ref: 00583669

GetCaretPos.USER32(?), ref: 005A4F13
ClientToScreen.USER32(00000000,?), ref: 005A4F4E
GetForegroundWindow.USER32 ref: 005A4F54

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f6fd334aa3f31275ab586f1394c51a1e2e8a2e689a450916485239aa6485c0f2
Instruction ID: 34daa249e11de83e460a8497ddceaee2eb3d83946a31e002b05091fa8bec97b5
Opcode Fuzzy Hash: f6fd334aa3f31275ab586f1394c51a1e2e8a2e689a450916485239aa6485c0f2
Instruction Fuzzy Hash: 47310C72D00119AFDB04EFA5D8859EFBBF9FF99300F10446AE815E7241EA759E058BA0

Function 00583C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00583C7A
Process32FirstW.KERNEL32(00000000,?), ref: 00583C88
Process32NextW.KERNEL32(00000000,?), ref: 00583CA8
CloseHandle.KERNEL32(00000000), ref: 00583D52

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 7be523487b10490fb3a9629ff46d6f6229d107fe4180cacf46253c494891f8ce
Instruction ID: 344627bebc0c65b99960ae63804c3921db221b2b13be41bdbf14e47d865bb5e0
Opcode Fuzzy Hash: 7be523487b10490fb3a9629ff46d6f6229d107fe4180cacf46253c494891f8ce
Instruction Fuzzy Hash: 703184711083069FD304EF54D885AAFBFE8FFDA754F50082DF881961A1EB71AA49CB52

Function 005AC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

GetCursorPos.USER32(?), ref: 005AC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0055B9AB,?,?,?,?,?), ref: 005AC4E7
GetCursorPos.USER32(?), ref: 005AC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0055B9AB,?,?,?), ref: 005AC56E

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: cfd0503ef16ecf3aaf2ccf04d76bd16df6d19c378c96dd399f0136f4ded619de
Instruction ID: 967af9eda18dea0ba322163b9e372a75132879fea34ac1e9587dc712f733d710
Opcode Fuzzy Hash: cfd0503ef16ecf3aaf2ccf04d76bd16df6d19c378c96dd399f0136f4ded619de
Instruction Fuzzy Hash: D7316F39A00458EFCB258F98C898EAE7FB5FF4F310F444169F9458B261D731A950EBA4

Function 00578656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0057810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00578121
Part of subcall function 0057810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0057812B
Part of subcall function 0057810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0057813A
Part of subcall function 0057810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00578141
Part of subcall function 0057810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00578157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005786A3
_memcmp.LIBCMT ref: 005786C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005786FC
HeapFree.KERNEL32(00000000), ref: 00578703

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: a739730205f5cfc65be58fd1e08279223143873e861020dd81f380cbabbc267a
Instruction ID: fedad3c7e0b748c298e54dd8e89e9a533996b6b78ba4d819e066aa16fcbab7dc
Opcode Fuzzy Hash: a739730205f5cfc65be58fd1e08279223143873e861020dd81f380cbabbc267a
Instruction Fuzzy Hash: E5216B71E80109EBDB10DFA4D949BFEBBB8FF55344F158059E448AB241DB31AE05EB60

Function 0054098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 005409AE

Part of subcall function 00525A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00587896,?,?,00000000), ref: 00525A2C
Part of subcall function 00525A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00587896,?,?,00000000,?,?), ref: 00525A50

_fprintf.LIBCMT ref: 005409E5
OutputDebugStringW.KERNEL32(?), ref: 00575DBB

Part of subcall function 00544AAA: _flsall.LIBCMT ref: 00544AC3

__setmode.LIBCMT ref: 00540A1A

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: b6c54167bb3a1e6e04f43a689cafb2f0e5a26e7be89804daa8f577a08e09ad6a
Instruction ID: 4fce606ba1594dda0b62c759cc8faf509d6674d3b69906018e1cd66337d2ea9f
Opcode Fuzzy Hash: b6c54167bb3a1e6e04f43a689cafb2f0e5a26e7be89804daa8f577a08e09ad6a
Instruction Fuzzy Hash: 7E11F3319442066BDB04B6A4AC4BAFE7F68BF92324F644055F205A71C2EE7059469BA4

Function 00591767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005917A3

Part of subcall function 0059182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0059184C
Part of subcall function 0059182D: InternetCloseHandle.WININET(00000000), ref: 005918E9

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: a671210bf3de62da52640db95e71f4ad3ca184dad66a122c5e7f335a6d9905fd
Instruction ID: 5e624ff83e2b9c688d72aac6b77ecce8f23e4350b0eb5ac801a81fedfa067744
Opcode Fuzzy Hash: a671210bf3de62da52640db95e71f4ad3ca184dad66a122c5e7f335a6d9905fd
Instruction Fuzzy Hash: B921F631200A13BFEF129FA0DC00FBABFA9FF89710F10442AF91596650DB71D811ABA4

Function 00583A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,005AFAC0), ref: 00583A64
GetLastError.KERNEL32 ref: 00583A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00583A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,005AFAC0), ref: 00583ADF

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 5cd1d0fc1c8d94691be870715e369e3569ef4e2ac522c0370b5de28a2b510a12
Instruction ID: 11f510f26a8c287517ec5dead929d960fb82c5ec8907bb705273f59fc4cc09b3
Opcode Fuzzy Hash: 5cd1d0fc1c8d94691be870715e369e3569ef4e2ac522c0370b5de28a2b510a12
Instruction Fuzzy Hash: B721B1741082028F8314EF28D8858AE7FE4BE5A764F144A2DF899D72E1D7319E4ACB42

Function 0057DCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0057F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0057DCD3,?,?,?,0057EAC6,00000000,000000EF,00000119,?,?), ref: 0057F0CB
Part of subcall function 0057F0BC: lstrcpyW.KERNEL32(00000000,?,?,0057DCD3,?,?,?,0057EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0057F0F1
Part of subcall function 0057F0BC: lstrcmpiW.KERNEL32(00000000,?,0057DCD3,?,?,?,0057EAC6,00000000,000000EF,00000119,?,?), ref: 0057F122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0057EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0057DCEC
lstrcpyW.KERNEL32(00000000,?,?,0057EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0057DD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,0057EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0057DD46

Strings

cdecl, xrefs: 0057DD3D

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 77c54f44b79c7361b6cd74f17c1ec3a0ed7b73179766c4529d74ff06cc61e8a4
Instruction ID: 0f5cd05c727aa83cbf45dcd666de153c7541b3da2a65fe6dc6269898f6d5d0e1
Opcode Fuzzy Hash: 77c54f44b79c7361b6cd74f17c1ec3a0ed7b73179766c4529d74ff06cc61e8a4
Instruction Fuzzy Hash: 0A11843A200305EBCB259F74DC49D7A7BB9FF85350B40952AE90ACB290EB719851E7A1

Function 005550E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00555101

Part of subcall function 0054571C: __FF_MSGBANNER.LIBCMT ref: 00545733
Part of subcall function 0054571C: __NMSG_WRITE.LIBCMT ref: 0054573A
Part of subcall function 0054571C: RtlAllocateHeap.NTDLL(012B0000,00000000,00000001,00000000,?,?,?,00540DD3,?), ref: 0054575F

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: df47ba7b86373acdc99d91f01021d251e3152ed3b8d705a1537fcb7461c4a37a
Instruction ID: 5f925da134d2b641a6a739fa019c414728b2b433a43dfba355c1f3f46f6c9189
Opcode Fuzzy Hash: df47ba7b86373acdc99d91f01021d251e3152ed3b8d705a1537fcb7461c4a37a
Instruction Fuzzy Hash: 5C119471900E12AFCF252F74A86D7AD3F98BB553A6B10092BFD859A161EE308948D790

Function 00596369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00525A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00587896,?,?,00000000), ref: 00525A2C
Part of subcall function 00525A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00587896,?,?,00000000,?,?), ref: 00525A50

gethostbyname.WSOCK32(?,?,?), ref: 00596399
WSAGetLastError.WSOCK32(00000000), ref: 005963A4
_memmove.LIBCMT ref: 005963D1
inet_ntoa.WSOCK32(?), ref: 005963DC

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: b8e90b9ec550b7d865967e69553de6c853527f0970454fbf37e521d8840c7ccd
Instruction ID: 12f91b10292be85ca2e038b5019a31f3c2d5475677e48b0917181e08a676cf80
Opcode Fuzzy Hash: b8e90b9ec550b7d865967e69553de6c853527f0970454fbf37e521d8840c7ccd
Instruction Fuzzy Hash: AB11337150011AAFCF04FBA4ED8ACEEBFB8BF5A310B544465F505A72A1EB309E14DB61

Function 00578B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00578B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00578B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00578B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00578BA4

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 68f1bfae69414f4b70e60f3078e081c6bd0b6bbdb569623878f0c182ff57f159
Instruction ID: 00fddc4d96079b09dd88b91d2b1f6f4cf86ab35094900682db82de0143753873
Opcode Fuzzy Hash: 68f1bfae69414f4b70e60f3078e081c6bd0b6bbdb569623878f0c182ff57f159
Instruction Fuzzy Hash: 15115E79940218FFDB10DF95CC88FADBB74FB48310F204095E904B7250DA716E10EB94

Function 00521290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

DefDlgProcW.USER32(?,00000020,?), ref: 005212D8
GetClientRect.USER32(?,?), ref: 0055B5FB
GetCursorPos.USER32(?), ref: 0055B605
ScreenToClient.USER32(?,?), ref: 0055B610

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 6128f5ab546f39cd641190f8477273b1075e66622bece020aec06e02affed108
Instruction ID: 0cfb939b95201b00532fa6cab7e8a0eb7f7869525870d3a504914f5707439821
Opcode Fuzzy Hash: 6128f5ab546f39cd641190f8477273b1075e66622bece020aec06e02affed108
Instruction Fuzzy Hash: A6116D3A90042AEFCB10DF95E8899EF7BB8FF56300F100455F941E7181D730BA559BA9

Function 0057D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0057D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0057D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0057D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0057D897

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: fba104b5c68dab906c1a82acabaaef22fc872993eac4ae202147fbb6e1ea7d43
Instruction ID: b9978f937deff33e5ae93ef54ba63e21e9512dc4b593b00a3a8588dca53436dc
Opcode Fuzzy Hash: fba104b5c68dab906c1a82acabaaef22fc872993eac4ae202147fbb6e1ea7d43
Instruction Fuzzy Hash: 14115E75605304DBE7208F90EC08F92BBBCFF04B00F108969A55AD6450D7B0E549BBB2

Function 00556FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00556FDB

Part of subcall function 005576C2: __fltout2.LIBCMT ref: 005576EB

__cftog_l.LIBCMT ref: 00557001
__cftoe_l.LIBCMT ref: 00557033

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 646c0ab97ab650b8c54a19cd4bc38bcc1e901b2cfe48907ba7d34a8d39bbe3d4
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 99017E3244414EBBCF125E84EC29CED3FA2BB1C352B488416FE1859070D236D9B9AF81

Function 005AB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005AB2E4
ScreenToClient.USER32(?,?), ref: 005AB2FC
ScreenToClient.USER32(?,?), ref: 005AB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 005AB33B

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 678dc2a973adeff4e947340e1c1ee2b36b70f7936246c194fbea6f47c1c2dc5d
Instruction ID: 68a638e85b72687275d81869e58455dc9e02f26dfd504342cfb6ba22dbdc14be
Opcode Fuzzy Hash: 678dc2a973adeff4e947340e1c1ee2b36b70f7936246c194fbea6f47c1c2dc5d
Instruction Fuzzy Hash: C21144B9D00209EFDB41CFA9C8849EEBBF9FF19311F108166E914E3220D735AA559F91

Function 00586BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00586BE6

Part of subcall function 005876C4: _memset.LIBCMT ref: 005876F9

_memmove.LIBCMT ref: 00586C09
_memset.LIBCMT ref: 00586C16
LeaveCriticalSection.KERNEL32(?), ref: 00586C26

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 0e794be8c7f7a6f647afda17c4c282a366cb9694a27173165a731de4fe0eb6c0
Instruction ID: 9179be65f1d9fe2bd9a167db7c46097f17c793fd08211199c441d33371997d55
Opcode Fuzzy Hash: 0e794be8c7f7a6f647afda17c4c282a366cb9694a27173165a731de4fe0eb6c0
Instruction Fuzzy Hash: 47F0543A100100ABCF416F95DC89A8ABF29FF85324F148061FE086E267D731E811DBB4

Function 00522218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00522231
SetTextColor.GDI32(?,000000FF), ref: 0052223B
SetBkMode.GDI32(?,00000001), ref: 00522250
GetStockObject.GDI32(00000005), ref: 00522258
GetWindowDC.USER32(?,00000000), ref: 0055BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0055BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0055BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0055BEC2
GetPixel.GDI32(00000000,?,?), ref: 0055BEE2
ReleaseDC.USER32(?,00000000), ref: 0055BEED

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: eabb9e8133848065298f680ee1626fd11e38738e86cf3825e49222c00501b715
Instruction ID: a56b9bb992fa385e778f023fe227779433ca0998e28c39be2e1e406101b887d9
Opcode Fuzzy Hash: eabb9e8133848065298f680ee1626fd11e38738e86cf3825e49222c00501b715
Instruction Fuzzy Hash: FCE0ED32504244EAEF215FA4FC4D7D83F15EB26336F148376FA69580E197724998EB22

Function 00578712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0057871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,005782E6), ref: 00578722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005782E6), ref: 0057872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,005782E6), ref: 00578736

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5df0a51ff3d96b198cef6295d90966f78714cc806f58e54775dcdcaf598127a3
Instruction ID: 51382764622edce1d92af03845542d9242761b4b7cfd2b1efd3f824d8417bfb7
Opcode Fuzzy Hash: 5df0a51ff3d96b198cef6295d90966f78714cc806f58e54775dcdcaf598127a3
Instruction Fuzzy Hash: 60E086366512119BDB605FF06D0CB973BACFF62792F148828B24AC9040DA348449E750

Function 00561D5D Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00561D5D
GetDC.USER32(00000000), ref: 00561D67
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00561D87
ReleaseDC.USER32(?), ref: 00561DA8

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e8d0c14026ebbc3404b68af1e540b6efd28b1fc7e96c2f522a1401b3eae7b166
Instruction ID: d4ffae8caeeb3a6c1f214ac669b468fa6cde0a58e4e11994c78587990ac0ed9a
Opcode Fuzzy Hash: e8d0c14026ebbc3404b68af1e540b6efd28b1fc7e96c2f522a1401b3eae7b166
Instruction Fuzzy Hash: 7CE0EEB5800204EFCF519FA0E80CAAD7FB1BF6A351F148429F95AA7260CB789145AF40

Function 00561D71 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00561D71
GetDC.USER32(00000000), ref: 00561D7B
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00561D87
ReleaseDC.USER32(?), ref: 00561DA8

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 81c1ee6dd2beb4451eaca12cb8bcc76d5753ab0108697a2e8a0e4db580c73e99
Instruction ID: b9d22ba9c18448c12441a6aabba6010bf554cc764b38a3d7bc2dd2a93409b340
Opcode Fuzzy Hash: 81c1ee6dd2beb4451eaca12cb8bcc76d5753ab0108697a2e8a0e4db580c73e99
Instruction Fuzzy Hash: A6E0EEB5800204AFCF219FA0D80C69D7FA1BF6A351F108429F95AA7260CB789145AF40

Function 00526240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%[, xrefs: 0052624E

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID:
String ID: %[
API String ID: 0-4034644999
Opcode ID: 33ecc04584fc66bd1c3299c5b6304c94aaf34259d843cf9cadbc36b307f23239
Instruction ID: a2fe82e00314424c4fa2556d1fc7ffab50dd8899297d52d77d83db107d0f704e
Opcode Fuzzy Hash: 33ecc04584fc66bd1c3299c5b6304c94aaf34259d843cf9cadbc36b307f23239
Instruction Fuzzy Hash: DDB1B07190012A9BCF14EF94E8959FEBFB8FF5A310F144426E942A71D1EB309E85C791

Function 0059AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0059AFAE

Strings

xb^, xrefs: 0059AFE4
xb^, xrefs: 0059B010

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: __itow_s
String ID: xb^$xb^
API String ID: 3653519197-777972382
Opcode ID: 7c3ba5e4bb6fcb633c4c318df6358777c73400561b691dca102e5d8e189ab8a5
Instruction ID: 11d5d50d7702b06fad397d746a2adf5da5fb2e95b5f9515ac9e36371a032ff2d
Opcode Fuzzy Hash: 7c3ba5e4bb6fcb633c4c318df6358777c73400561b691dca102e5d8e189ab8a5
Instruction Fuzzy Hash: F8B18E74A0020AAFEF14DF54D994DBABFB9FF99300F148459F9459B291EB30E940DBA0

Function 0058AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0053FC86: _wcscpy.LIBCMT ref: 0053FCA9

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

__wcsnicmp.LIBCMT ref: 0058B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0058B0F6

Strings

LPT, xrefs: 0058B027

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 417408cffdab936c598498ada76e908f07a49134650e51f772a4ee2a4336008b
Instruction ID: 6c54081a440143db6a424f30a5165a5fa15e8c9df811ec08ed2b21ce100c9a09
Opcode Fuzzy Hash: 417408cffdab936c598498ada76e908f07a49134650e51f772a4ee2a4336008b
Instruction Fuzzy Hash: 1C617F75A00219EFDB18EF94D899EAEBBB8FF49310F144059F916AB391D730AE40CB54

Function 00532957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00532968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00532981

Strings

@, xrefs: 00532975

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 0f91fedfb630b32e6cb87094797e6e04bcccbe81b769b1ac9a8a9e451dc530f4
Instruction ID: 1b2fb735f85bc3f71574b60755f0c9bca5a9a687c124b8d9f213bee822c4e1ca
Opcode Fuzzy Hash: 0f91fedfb630b32e6cb87094797e6e04bcccbe81b769b1ac9a8a9e451dc530f4
Instruction Fuzzy Hash: E15138724087559BD320EF50E88ABABBBE8FFD6354F42485DF2D8411A1DB308529CB56

Function 00589734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00524F0B: __fread_nolock.LIBCMT ref: 00524F29

_wcscmp.LIBCMT ref: 00589824
_wcscmp.LIBCMT ref: 00589837

Strings

FILE, xrefs: 00589770

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 37a76150a873182f8cd81a1fe3ee830bc83f4f8008e4219400f64010c0f2bb4d
Instruction ID: d6582229a965fc29a448b6fcd9c9814600152e7562edb5d06586521f0679afd4
Opcode Fuzzy Hash: 37a76150a873182f8cd81a1fe3ee830bc83f4f8008e4219400f64010c0f2bb4d
Instruction Fuzzy Hash: C8418571A0021ABADF21AAA4DC49FFFBFB9EFC6714F014469B904B7181D67199048B61

Function 00560574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0056057F

Strings

Dd^, xrefs: 0052A151
Dd^, xrefs: 0052A317

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ClearVariant
String ID: Dd^$Dd^
API String ID: 1473721057-3975118295
Opcode ID: c1b88d1cc4340cd3f2f13a28b7b4cf6a4f1605593f82332dc384f7ab0011287b
Instruction ID: 04bf32fdf14ba15a6229a98e1f8b49a6109d764200c0be5d23759b903363f84d
Opcode Fuzzy Hash: c1b88d1cc4340cd3f2f13a28b7b4cf6a4f1605593f82332dc384f7ab0011287b
Instruction Fuzzy Hash: A451E3786043518FDB54CF19D584A1ABBF1BFAA394F54485CE9858B3A1D331EC85CF42

Function 0059258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0059259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 005925D4

Strings

|, xrefs: 005925A5

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: af4b298d46c74516967689e53f17af269af7bc8520b848688235a443c3d07d73
Instruction ID: 23d8ecbed53f4f98d981461c1c3f40393c6f4d939b81d18ea8525a9aa28b3533
Opcode Fuzzy Hash: af4b298d46c74516967689e53f17af269af7bc8520b848688235a443c3d07d73
Instruction Fuzzy Hash: 71311A7180011AEBCF11EFA1DC89EEEBFB8FF49310F140059F915AA162EB315956DB60

Function 005A7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 005A7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005A7B76

Strings

', xrefs: 005A7ACA

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 04eca3e9820ceb19c5282f2b1c025c5e3e3819be946f46dd4afcb87196786060
Instruction ID: b2d858f3b0abc7a040a158ca4c9927de83e8e8b1cbeb197b21389be37d89f11f
Opcode Fuzzy Hash: 04eca3e9820ceb19c5282f2b1c025c5e3e3819be946f46dd4afcb87196786060
Instruction Fuzzy Hash: 5B410A74A0520EAFDB14CF64C981BDEBBB5FF09300F14016AE904AB351E770AA51DFA0

Function 005A6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 005A6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 005A6B53

Strings

static, xrefs: 005A6AB3

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 0cc2deb9c07a5533b74e05cbdbc6481725e7e749f442925bfb64179f3d5f9c64
Instruction ID: 73f60e6d5efb29f0fc716755467c6ea5220e6df6b4b65588243418c8fae0feae
Opcode Fuzzy Hash: 0cc2deb9c07a5533b74e05cbdbc6481725e7e749f442925bfb64179f3d5f9c64
Instruction Fuzzy Hash: 7A318171100608AEDB109F74DC81BFF7BA9FF89760F148619F9A5D7190DA31AC91D760

Function 005828A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00582911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0058294C

Strings

0, xrefs: 0058290A

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a2f93208e7edfdda31c6ea840a96de77cf0c3f9e37210cca3e74ad1c47ab696a
Instruction ID: 8377994acb9a81d2cd6e8f311a28040bb2665de5765848050aa93abe85a4843a
Opcode Fuzzy Hash: a2f93208e7edfdda31c6ea840a96de77cf0c3f9e37210cca3e74ad1c47ab696a
Instruction Fuzzy Hash: BA31C331A00305AFEB28EF58C985BAEBFB8FF45354F140029ED85B61A0E7709984CB51

Function 005A66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 005A6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005A676C

Strings

Combobox, xrefs: 005A672E

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 3ff3fb81d2a4f108a4ae1a5b722e63d7bb153f37dc05972e06b7c2cf7e5cdddb
Instruction ID: cf8b002cc221a7634996ac4bc045fd27388bd1bc2abe279b1426c612dd2c7fbd
Opcode Fuzzy Hash: 3ff3fb81d2a4f108a4ae1a5b722e63d7bb153f37dc05972e06b7c2cf7e5cdddb
Instruction Fuzzy Hash: 6011B675210209AFEF159F54DC84EBF3F6AFB9A368F150125F91497290D631DC5187A0

Function 005A6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00521D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00521D73
Part of subcall function 00521D35: GetStockObject.GDI32(00000011), ref: 00521D87
Part of subcall function 00521D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00521D91

GetWindowRect.USER32(00000000,?), ref: 005A6C71
GetSysColor.USER32(00000012), ref: 005A6C8B

Strings

static, xrefs: 005A6C4E

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d30b584e3a65afa63314af376d6a3de70d977bf63bd432047743577835651b93
Instruction ID: 0bb000d1fe70283bb1d68aca0950078c72ed7290c34f1055fceea41bbfe45f64
Opcode Fuzzy Hash: d30b584e3a65afa63314af376d6a3de70d977bf63bd432047743577835651b93
Instruction Fuzzy Hash: E721597651021AAFDF04DFB8CC45AEE7BA9FB19314F044628F995D3250E635E850DB60

Function 005A6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005A69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005A69B1

Strings

edit, xrefs: 005A6986

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 549ad49ff765463829330f947b706caa2ff205c3e103a749e83cdf223eb8ef64
Instruction ID: b2e8d611109a72ea0cabc63d2fbb2fa1a04b4feefeafe158224bdc1cc5a866ec
Opcode Fuzzy Hash: 549ad49ff765463829330f947b706caa2ff205c3e103a749e83cdf223eb8ef64
Instruction Fuzzy Hash: B5116D71500108AFEB108E64DC44AEF3B69FB16374F544724F9A5971E0C731DC55A760

Function 005829AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00582A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00582A41

Strings

0, xrefs: 00582A18

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 530f539edfd35715952e410842a0f55d7bfa3600f47ab66623b2323aa90290d8
Instruction ID: c9205b1e3fba5680264cbfd775eb404ece5d05316831b05b7be2081dd6a2e247
Opcode Fuzzy Hash: 530f539edfd35715952e410842a0f55d7bfa3600f47ab66623b2323aa90290d8
Instruction Fuzzy Hash: A511D036901114ABCB39EA98D984BAA7FA8BF45304F144029EC55FB290E7B0AD0AC791

Function 005921D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0059222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00592255

Strings

<local>, xrefs: 0059221D

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: c44a35076fa49a58c5c8a38ebba888665ecb5d2bbb31fec79c74fa7114ed6031
Instruction ID: 22a3e36d780a0cfb35edea1f0b00c72434468ab0d1b52498bfccd8c21c63b75d
Opcode Fuzzy Hash: c44a35076fa49a58c5c8a38ebba888665ecb5d2bbb31fec79c74fa7114ed6031
Instruction Fuzzy Hash: 3A11CE74541225BADF299F518C88EFBFFA8FF16751F10862AF91586100D3706994EAF0

Function 0053092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00523C14,005E52F8,?,?,?), ref: 0053096E

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

_wcscat.LIBCMT ref: 00564CB7

Strings

S^, xrefs: 005309AE

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: S^
API String ID: 257928180-4185188088
Opcode ID: 27212091fc82cba3ece1cb65efb0b13fb66c84a8b70b78fe7a98bb21252b3370
Instruction ID: b46dd259d554a53b85278a9a2a0e62200993ddd51b286dc4bf0b9797f0d3312f
Opcode Fuzzy Hash: 27212091fc82cba3ece1cb65efb0b13fb66c84a8b70b78fe7a98bb21252b3370
Instruction Fuzzy Hash: 2C11E532A0131A9BCB00EBA0D809FCD7FF8BF4C350F0048A6B984D32C1EAB096885B10

Function 00578E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Part of subcall function 0057AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0057AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00578E73

Strings

ListBox, xrefs: 00578E3D
ComboBox, xrefs: 00578E12

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 2891b77f87fe3d1cd7b762574626e2edffe07dc42a3398d0e6bb09d5422b44a7
Instruction ID: 4ab4b24202cd0bde69c7eb85933c48ee2ed24e63dad6c75c725a374a7c60e91e
Opcode Fuzzy Hash: 2891b77f87fe3d1cd7b762574626e2edffe07dc42a3398d0e6bb09d5422b44a7
Instruction Fuzzy Hash: F501F57164122AAB8B14EBA4DC4DCFE7B6CBF86320B044A1AF835572D1EF315808E750

Function 00578CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Part of subcall function 0057AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0057AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00578D6B

Strings

ListBox, xrefs: 00578D35
ComboBox, xrefs: 00578D0A

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: a0658e196bdb6417926154a88f7eecc7f995eb0a249cf48d76a0c0ad530c3e05
Instruction ID: ca2d2a59272460bfda72b294da71c62e3fad91614ff28266ab36206a46f4d21f
Opcode Fuzzy Hash: a0658e196bdb6417926154a88f7eecc7f995eb0a249cf48d76a0c0ad530c3e05
Instruction Fuzzy Hash: 9901D871641119ABCB24EBA0D95AEFE7FA8BF56340F1040167405632D1EE215E08E3B1

Function 00578D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Part of subcall function 0057AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0057AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00578DEE

Strings

ListBox, xrefs: 00578DBA
ComboBox, xrefs: 00578D8F

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: b2af8c64f4efa8a4889e2768d7539d8270734efe9ae6f247c8c18b4792ec32f3
Instruction ID: c43416d7d72881b6088ac91238ba2867ca2c4d20a6b4b2513f62d314797335d8
Opcode Fuzzy Hash: b2af8c64f4efa8a4889e2768d7539d8270734efe9ae6f247c8c18b4792ec32f3
Instruction Fuzzy Hash: 2D01FC7164111967CB25E6A4E94DEFE7F5CBF56300F144016B805632D1DD214E08F271

Function 0057C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0057C534

Part of subcall function 0057C816: _memmove.LIBCMT ref: 0057C860
Part of subcall function 0057C816: VariantInit.OLEAUT32(00000000), ref: 0057C882
Part of subcall function 0057C816: VariantCopy.OLEAUT32(00000000,?), ref: 0057C88C

VariantClear.OLEAUT32(?), ref: 0057C556

Strings

d}], xrefs: 0057C517

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}]
API String ID: 2932060187-1070895132
Opcode ID: ec47de1e3c882874fa958eeb720e3a974b341c1f70dd8af95b0756d2c2ca8e91
Instruction ID: 181a23f8e1ba70d884bef23a5c3f97004936487e5064d0a2997fe72b5103978a
Opcode Fuzzy Hash: ec47de1e3c882874fa958eeb720e3a974b341c1f70dd8af95b0756d2c2ca8e91
Instruction Fuzzy Hash: 1A1112719007099FC720DF99D88489AFBF8FF18310B50856FE58AD7651E771AA48CF90

Function 00584F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00584F46
_wcscmp.LIBCMT ref: 00584F58

Strings

#32770, xrefs: 00584F52

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 28275b88761ddf3f82d609d5efaeb5f11ad9d968c256a58cd0b7f4c893e548ae
Instruction ID: b94bb1ee462a761ac2b64ec18c7f5839f696ebbec3f9ee15946bd9ea71f7e6d1
Opcode Fuzzy Hash: 28275b88761ddf3f82d609d5efaeb5f11ad9d968c256a58cd0b7f4c893e548ae
Instruction Fuzzy Hash: 83E0D13260032927D7209799AC49FF7FBACFB65B71F000157FD04D7151D5609A4587D0

Function 0055B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0055B314: _memset.LIBCMT ref: 0055B321

Part of subcall function 00540940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0055B2F0,?,?,?,0052100A), ref: 00540945

IsDebuggerPresent.KERNEL32(?,?,?,0052100A), ref: 0055B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0052100A), ref: 0055B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0055B2FE

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 455788b0b0e9ee66ae7a2344661c6b27c7dfcae51187c40a5820e126ff1b27ee
Instruction ID: acfab3f0be059ecae2dc0a78b0ecddfd696f023999e3ef33e6d2250ae822f579
Opcode Fuzzy Hash: 455788b0b0e9ee66ae7a2344661c6b27c7dfcae51187c40a5820e126ff1b27ee
Instruction Fuzzy Hash: CBE06D742007118FE7209F68E8087427EE8BF10305F018E6EE896DB281E7B4E40CDBA1

Function 00577C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00577C82

Part of subcall function 00543358: _doexit.LIBCMT ref: 00543362

Strings

AutoIt, xrefs: 00577C76
Error allocating memory., xrefs: 00577C7B

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: c3df0d6e0263311a08d2f4e5aeb53dbe9475c5f82b04c2c2f1febfb7593c6dc4
Instruction ID: 98c01e3fb732d836edf5387c4eb8f6a7688ee58ed9d10f3d04dec78e7e5f7184
Opcode Fuzzy Hash: c3df0d6e0263311a08d2f4e5aeb53dbe9475c5f82b04c2c2f1febfb7593c6dc4
Instruction Fuzzy Hash: 38D05B323C431C36D21532A97D0FFCA7E4CAF59B57F144826FB08595D349D1599052E9

Function 00561935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00561775

Part of subcall function 0059BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0056195E,?), ref: 0059BFFE
Part of subcall function 0059BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0059C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0056196D

Strings

WIN_XPe, xrefs: 00561788

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 1b3fd526c6af37c3fa9e866e03084f9bf765525e558c06fb9342e7a1d3c8723c
Instruction ID: 671e775bf7f256673fd4b7cf1b62bd9abf2b94cdb073620e8dfe77b92d883629
Opcode Fuzzy Hash: 1b3fd526c6af37c3fa9e866e03084f9bf765525e558c06fb9342e7a1d3c8723c
Instruction Fuzzy Hash: 72F0A571800109DBDB15DB95D988AECBEB8FB18301F580495E102A7091D7715E88EF64

Function 005A5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005A596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005A5981

Part of subcall function 00585244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005852BC

Strings

Shell_TrayWnd, xrefs: 005A5967

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: dc117d586c517c3ec82da875c9428212dd2fe6389980e21e0b9ab4cca8820653
Instruction ID: c57b61279ee1657502073fea42796b95bc736d6cb3efe31e42f4f14f8c882b26
Opcode Fuzzy Hash: dc117d586c517c3ec82da875c9428212dd2fe6389980e21e0b9ab4cca8820653
Instruction Fuzzy Hash: 90D0C935784311B7E674BBB0AC4FFA67A54BB55B50F000826B64AAA1D0D9E0A804C754

Function 005A5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005A59AE
PostMessageW.USER32(00000000), ref: 005A59B5

Part of subcall function 00585244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005852BC

Strings

Shell_TrayWnd, xrefs: 005A59A7

Memory Dump Source

Source File: 00000000.00000002.1720891753.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1720847795.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720950764.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720999580.00000000005DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721018782.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_b6AGgIJ87g.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ea2a5bd12355bdd31932298cc4825547a73c05cb95e9624123be0d27fe09c649
Instruction ID: c033d8215dd9a9cc3e0afd4ebe8b8e8c3acc31deaf90deb9295b43e0ebe41a3a
Opcode Fuzzy Hash: ea2a5bd12355bdd31932298cc4825547a73c05cb95e9624123be0d27fe09c649
Instruction Fuzzy Hash: 94D0C9357813117BE674BBB0AC4FF967A54BB55B50F000826B646AA1D0D9E0A804C754

Source: unknown	Process created: C:\Users\user\Desktop\b6AGgIJ87g.exe "C:\Users\user\Desktop\b6AGgIJ87g.exe"
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\Desktop\b6AGgIJ87g.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\b6AGgIJ87g.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biopsies.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\Desktop\b6AGgIJ87g.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\Desktop\b6AGgIJ87g.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\b6AGgIJ87g.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe "C:\Users\user\AppData\Local\Maianthemum\biopsies.exe"
Source: C:\Users\user\AppData\Local\Maianthemum\biopsies.exe	Process created: unknown unknown

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report b6AGgIJ87g.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Maianthemum\biopsies.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Temp\aut14A7.tmp

C:\Users\user\AppData\Local\Temp\aut21F6.tmp

C:\Users\user\AppData\Local\Temp\aut2F63.tmp

C:\Users\user\AppData\Local\Temp\aut3E09.tmp

C:\Users\user\AppData\Local\Temp\aut45F8.tmp

C:\Users\user\AppData\Local\Temp\aut4BF4.tmp

C:\Users\user\AppData\Local\Temp\aut53F2.tmp

C:\Users\user\AppData\Local\Temp\aut5BC2.tmp

C:\Users\user\AppData\Local\Temp\aut6652.tmp

Windows Analysis Report
b6AGgIJ87g.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre