Edit tour

Windows Analysis Report
3ClBcOpPUX.exe

Overview

General Information

Sample name:	3ClBcOpPUX.exe renamed because original name is a hash value
Original sample name:	aed92a8301931959100a1bb8c52251df2fdddaf8b76ab34b6f24d7bbe58a4fe6.exe
Analysis ID:	1590401
MD5:	77515669c23c08469a95333a8d43be63
SHA1:	2cea71874e735ab23b2580b03e0afadbbadf0bd4
SHA256:	aed92a8301931959100a1bb8c52251df2fdddaf8b76ab34b6f24d7bbe58a4fe6
Tags:	CyberGateexekalintz-40214-portmap-hostuser-johnk3r
Infos:

Detection

CyberGate

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected CyberGate RAT

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Files With System Process Name In Unsuspected Locations

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

One or more processes crash

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Common Autorun Keys Modification

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

3ClBcOpPUX.exe (PID: 6412 cmdline: "C:\Users\user\Desktop\3ClBcOpPUX.exe" MD5: 77515669C23C08469A95333A8D43BE63)

explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 2708 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

3ClBcOpPUX.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\3ClBcOpPUX.exe" MD5: 77515669C23C08469A95333A8D43BE63)

svchost.exe (PID: 7532 cmdline: "C:\Windows\system32\System\svchost.exe" MD5: 77515669C23C08469A95333A8D43BE63)

WerFault.exe (PID: 7608 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7532 -s 564 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 6996 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 4512 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6340 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 968 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 4948 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 5172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 7256 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7548 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 7584 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 7532 -ip 7532 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 7652 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CyberGate	According to Subex Secure, CyberGate is a Remote Access Trojan (RAT) that allows an attacker to gain unauthorized access tothe victims system. Attackers can remotely connect to the compromised system from anywherearound the world. The Malware author generally uses this program to steal private informationlike passwords, files, etc. It might also be used to install malicious software on the compromisedsystems.	No Attribution	https://blog.cyber5w.com/cybergate-malware-analysis https://blog.reversinglabs.com/blog/rats-in-the-library https://citizenlab.ca/2015/12/packrat-report/ https://sectrio.com/wp-content/uploads/2021/08/cybergate-threat-report.pdf https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process	https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate

Malware Configuration

Threatname: CyberGate

{"C2 list": ["kalintz-40214.portmap.host:40214"], "Campaign": "ID", "Password": "123", "InstallFlag": "TRUE", "InstallDir": "System", "InstallFileName": "svchost.exe", "ActiveXStartup": "{B4C7TF7E-V451-D2XH-Q4F8-64T3431A5V51}", "REGKeyHKLM": "SAQ", "REGKeyHKCU": "JSA", "EnableMessageBox": "FALSE", "MessageBoxIcon": "16", "MessageBoxButton": "0", "InstallMessage": "texto da mensagem", "ActivateKeylogger": "TRUE", "KeyloggerBackspace": "TRUE", "KeyloggerEnableFTP": "FALSE", "FTPAddress": "ftp.server.com", "FTPDirectory": "./logs/", "FTPUserName": "ftp_user", "FTPPort": "21", "FTPInterval": "30", "ProcessInjection": "0", "ProcessNameForInjection": "explorer.exe", "Persistance": "TRUE", "HideFile": "TRUE", "ChangeCreationDate": "TRUE", "Mutex": "***MUTEX***", "MeltFile": "FALSE", "CyberGateVersion": "2.6", "StartupPolicies": "Policies", "USBSpread": "FALSE"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
3ClBcOpPUX.exe	JoeSecurity_CyberGate	Yara detected CyberGate RAT	Joe Security
3ClBcOpPUX.exe	Windows_Trojan_CyberGate_517aac7d	unknown	unknown	0xb540:$a1: IELOGIN.abc 0x92e8:$a2: xxxyyyzzz.dat 0xb4e8:$a3: _x_X_PASSWORDLIST_X_x_ 0x7330:$a4: L$_RasDefaultCredentials#0 0xa1b4:$a5: \signons1.txt
3ClBcOpPUX.exe	Windows_Trojan_CyberGate_9996d800	unknown	unknown	0xa3a2:$a1: 24 08 8B 44 24 08 83 C4 14 5D 5F 5E 5B C3 55 8B EC 83 C4 F0
3ClBcOpPUX.exe	RAT_CyberGate	Detects CyberGate RAT	Kevin Breen <kevin@techanarchy.net>	0xd781:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd872:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd87f:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd92c:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd939:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd946:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd953:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd960:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd96d:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd97a:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd987:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd994:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd9c0:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd9cd:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd9da:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd81a:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd88c:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd902:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd910:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd91e:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd9fb:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
3ClBcOpPUX.exe	CyberGate	unknown	Kevin Breen <kevin@techanarchy.net>	0xd781:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd872:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd87f:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd92c:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd939:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd946:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd953:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd960:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd96d:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd97a:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd987:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd994:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd9c0:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd9cd:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd9da:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd81a:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd88c:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd902:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd910:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd91e:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd9fb:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
3ClBcOpPUX.exe	MALWARE_Win_CyberGate	Detects CyberGate/Spyrat/Rebhip RTA	ditekSHen	0x2bab:$s1: UnitInjectLibrary 0xd678:$s1: UnitInjectLibrary 0x36d3:$s2: TLoader 0x4bf4:$s3: \\.\SyserDbgMsg 0x4c04:$s4: \\.\SyserBoot 0xa184:$s5: \signons 0xa19c:$s5: \signons 0xa1b4:$s5: \signons 0xa1cc:$s5: \signons 0x39b4:$s6: ####@#### 0xae78:$s6: ####@#### 0xd6ac:$s6: ####@#### 0xd6b6:$s6: ####@#### 0xd6c0:$s6: ####@#### 0xd6ca:$s6: ####@#### 0xd6d4:$s6: ####@#### 0xd6de:$s6: ####@#### 0xd6e8:$s6: ####@#### 0xd6f2:$s6: ####@#### 0xd6fc:$s6: ####@#### 0xd706:$s6: ####@####
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\SysWOW64\System\svchost.exe	JoeSecurity_CyberGate	Yara detected CyberGate RAT	Joe Security
C:\Windows\SysWOW64\System\svchost.exe	Windows_Trojan_CyberGate_517aac7d	unknown	unknown	0xb540:$a1: IELOGIN.abc 0x92e8:$a2: xxxyyyzzz.dat 0xb4e8:$a3: _x_X_PASSWORDLIST_X_x_ 0x7330:$a4: L$_RasDefaultCredentials#0 0xa1b4:$a5: \signons1.txt
C:\Windows\SysWOW64\System\svchost.exe	Windows_Trojan_CyberGate_9996d800	unknown	unknown	0xa3a2:$a1: 24 08 8B 44 24 08 83 C4 14 5D 5F 5E 5B C3 55 8B EC 83 C4 F0
C:\Windows\SysWOW64\System\svchost.exe	RAT_CyberGate	Detects CyberGate RAT	Kevin Breen <kevin@techanarchy.net>	0xd781:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd872:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd87f:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd92c:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd939:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd946:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd953:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd960:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd96d:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd97a:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd987:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd994:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd9c0:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd9cd:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd9da:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd81a:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd88c:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd902:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd910:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd91e:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd9fb:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
C:\Windows\SysWOW64\System\svchost.exe	CyberGate	unknown	Kevin Breen <kevin@techanarchy.net>	0xd781:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd872:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd87f:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd92c:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd939:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd946:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd953:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd960:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd96d:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd97a:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd987:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd994:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd9c0:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd9cd:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd9da:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd81a:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd88c:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd902:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd910:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd91e:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd9fb:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
C:\Windows\SysWOW64\System\svchost.exe	MALWARE_Win_CyberGate	Detects CyberGate/Spyrat/Rebhip RTA	ditekSHen	0x2bab:$s1: UnitInjectLibrary 0xd678:$s1: UnitInjectLibrary 0x36d3:$s2: TLoader 0x4bf4:$s3: \\.\SyserDbgMsg 0x4c04:$s4: \\.\SyserBoot 0xa184:$s5: \signons 0xa19c:$s5: \signons 0xa1b4:$s5: \signons 0xa1cc:$s5: \signons 0x39b4:$s6: ####@#### 0xae78:$s6: ####@#### 0xd6ac:$s6: ####@#### 0xd6b6:$s6: ####@#### 0xd6c0:$s6: ####@#### 0xd6ca:$s6: ####@#### 0xd6d4:$s6: ####@#### 0xd6de:$s6: ####@#### 0xd6e8:$s6: ####@#### 0xd6f2:$s6: ####@#### 0xd6fc:$s6: ####@#### 0xd706:$s6: ####@####
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1254230385.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_CyberGate	Yara detected CyberGate RAT	Joe Security
00000000.00000000.1254230385.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_CyberGate_517aac7d	unknown	unknown	0xb140:$a1: IELOGIN.abc 0x8ee8:$a2: xxxyyyzzz.dat 0xb0e8:$a3: _x_X_PASSWORDLIST_X_x_ 0x6f30:$a4: L$_RasDefaultCredentials#0 0x9db4:$a5: \signons1.txt
00000000.00000000.1254230385.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_CyberGate_9996d800	unknown	unknown	0x9fa2:$a1: 24 08 8B 44 24 08 83 C4 14 5D 5F 5E 5B C3 55 8B EC 83 C4 F0
00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_CyberGate_9996d800	unknown	unknown	0x2b3ee:$a1: 24 08 8B 44 24 08 83 C4 14 5D 5F 5E 5B C3 55 8B EC 83 C4 F0
00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CyberGate	Yara detected CyberGate RAT	Joe Security
00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CyberGate_517aac7d	unknown	unknown	0xb4d8:$a1: IELOGIN.abc 0x522e8:$a1: IELOGIN.abc 0x9280:$a2: xxxyyyzzz.dat 0x50090:$a2: xxxyyyzzz.dat 0xb480:$a3: _x_X_PASSWORDLIST_X_x_ 0x52290:$a3: _x_X_PASSWORDLIST_X_x_ 0x72c8:$a4: L$_RasDefaultCredentials#0 0x4e0d8:$a4: L$_RasDefaultCredentials#0 0xa14c:$a5: \signons1.txt 0x50f5c:$a5: \signons1.txt
00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CyberGate_9996d800	unknown	unknown	0xa33a:$a1: 24 08 8B 44 24 08 83 C4 14 5D 5F 5E 5B C3 55 8B EC 83 C4 F0 0x5114a:$a1: 24 08 8B 44 24 08 83 C4 14 5D 5F 5E 5B C3 55 8B EC 83 C4 F0
00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp	RAT_CyberGate	Detects CyberGate RAT	Kevin Breen <kevin@techanarchy.net>	0xd719:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd80a:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd817:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd8c4:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd8d1:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd8de:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd8eb:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd8f8:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd905:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd912:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd91f:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd92c:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd958:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd965:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd972:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0x54529:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0x5461a:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0x54627:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0x546d4:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0x546e1:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0x546ee:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp	CyberGate	unknown	Kevin Breen <kevin@techanarchy.net>	0xd719:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd80a:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd817:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd8c4:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd8d1:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd8de:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd8eb:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd8f8:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd905:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd912:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd91f:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd92c:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd958:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd965:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd972:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0x54529:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0x5461a:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0x54627:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0x546d4:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0x546e1:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0x546ee:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_CyberGate_9996d800	unknown	unknown	0x2b3ee:$a1: 24 08 8B 44 24 08 83 C4 14 5D 5F 5E 5B C3 55 8B EC 83 C4 F0
00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CyberGate	Yara detected CyberGate RAT	Joe Security
00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CyberGate_517aac7d	unknown	unknown	0xc2e8:$a1: IELOGIN.abc 0xa090:$a2: xxxyyyzzz.dat 0xc290:$a3: _x_X_PASSWORDLIST_X_x_ 0x80d8:$a4: L$_RasDefaultCredentials#0 0xaf5c:$a5: \signons1.txt
00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CyberGate_9996d800	unknown	unknown	0xb14a:$a1: 24 08 8B 44 24 08 83 C4 14 5D 5F 5E 5B C3 55 8B EC 83 C4 F0
00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp	RAT_CyberGate	Detects CyberGate RAT	Kevin Breen <kevin@techanarchy.net>	0xe529:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe61a:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe627:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe6d4:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe6e1:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe6ee:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe6fb:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe708:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe715:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe722:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe72f:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe73c:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe768:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe775:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe782:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe5c2:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xe634:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xe6aa:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xe6b8:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xe6c6:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xe7a3:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp	CyberGate	unknown	Kevin Breen <kevin@techanarchy.net>	0xe529:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe61a:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe627:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe6d4:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe6e1:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe6ee:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe6fb:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe708:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe715:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe722:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe72f:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe73c:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe768:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe775:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe782:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xe5c2:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xe634:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xe6aa:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xe6b8:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xe6c6:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xe7a3:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: 3ClBcOpPUX.exe PID: 6412	JoeSecurity_CyberGate	Yara detected CyberGate RAT	Joe Security
Process Memory Space: 3ClBcOpPUX.exe PID: 6412	Windows_Trojan_CyberGate_517aac7d	unknown	unknown	0x161c:$a1: IELOGIN.abc 0x1205:$a2: xxxyyyzzz.dat 0x15c1:$a3: _x_X_PASSWORDLIST_X_x_ 0x15e8:$a3: _x_X_PASSWORDLIST_X_x_ 0xed2:$a4: L$_RasDefaultCredentials#0 0x143d:$a5: \signons1.txt
Process Memory Space: explorer.exe PID: 2708	JoeSecurity_CyberGate	Yara detected CyberGate RAT	Joe Security
Process Memory Space: explorer.exe PID: 2708	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: 3ClBcOpPUX.exe PID: 7304	JoeSecurity_CyberGate	Yara detected CyberGate RAT	Joe Security
Process Memory Space: 3ClBcOpPUX.exe PID: 7304	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.3ClBcOpPUX.exe.400000.0.unpack	JoeSecurity_CyberGate	Yara detected CyberGate RAT	Joe Security
0.0.3ClBcOpPUX.exe.400000.0.unpack	Windows_Trojan_CyberGate_517aac7d	unknown	unknown	0xb540:$a1: IELOGIN.abc 0x92e8:$a2: xxxyyyzzz.dat 0xb4e8:$a3: _x_X_PASSWORDLIST_X_x_ 0x7330:$a4: L$_RasDefaultCredentials#0 0xa1b4:$a5: \signons1.txt
0.0.3ClBcOpPUX.exe.400000.0.unpack	Windows_Trojan_CyberGate_9996d800	unknown	unknown	0xa3a2:$a1: 24 08 8B 44 24 08 83 C4 14 5D 5F 5E 5B C3 55 8B EC 83 C4 F0
0.0.3ClBcOpPUX.exe.400000.0.unpack	RAT_CyberGate	Detects CyberGate RAT	Kevin Breen <kevin@techanarchy.net>	0xd781:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd872:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd87f:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd92c:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd939:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd946:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd953:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd960:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd96d:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd97a:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd987:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd994:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd9c0:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd9cd:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd9da:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd81a:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd88c:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd902:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd910:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd91e:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd9fb:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
0.0.3ClBcOpPUX.exe.400000.0.unpack	CyberGate	unknown	Kevin Breen <kevin@techanarchy.net>	0xd781:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd872:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd87f:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd92c:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd939:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd946:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd953:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd960:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd96d:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd97a:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd987:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd994:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd9c0:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd9cd:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd9da:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 0xd81a:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd88c:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd902:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd910:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd91e:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 0xd9fb:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
0.0.3ClBcOpPUX.exe.400000.0.unpack	MALWARE_Win_CyberGate	Detects CyberGate/Spyrat/Rebhip RTA	ditekSHen	0x2bab:$s1: UnitInjectLibrary 0xd678:$s1: UnitInjectLibrary 0x36d3:$s2: TLoader 0x4bf4:$s3: \\.\SyserDbgMsg 0x4c04:$s4: \\.\SyserBoot 0xa184:$s5: \signons 0xa19c:$s5: \signons 0xa1b4:$s5: \signons 0xa1cc:$s5: \signons 0x39b4:$s6: ####@#### 0xae78:$s6: ####@#### 0xd6ac:$s6: ####@#### 0xd6b6:$s6: ####@#### 0xd6c0:$s6: ####@#### 0xd6ca:$s6: ####@#### 0xd6d4:$s6: ####@#### 0xd6de:$s6: ####@#### 0xd6e8:$s6: ####@#### 0xd6f2:$s6: ####@#### 0xd6fc:$s6: ####@#### 0xd706:$s6: ####@####
10.2.3ClBcOpPUX.exe.240f0000.0.raw.unpack	Windows_Trojan_CyberGate_9996d800	unknown	unknown	0x2b3ee:$a1: 24 08 8B 44 24 08 83 C4 14 5D 5F 5E 5B C3 55 8B EC 83 C4 F0
10.2.3ClBcOpPUX.exe.240f0000.0.unpack	JoeSecurity_CyberGate	Yara detected CyberGate RAT	Joe Security
10.2.3ClBcOpPUX.exe.240f0000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.3ClBcOpPUX.exe.240f0000.0.unpack	Windows_Trojan_CyberGate_9996d800	unknown	unknown	0x2b3ee:$a1: 24 08 8B 44 24 08 83 C4 14 5D 5F 5E 5B C3 55 8B EC 83 C4 F0
8.2.explorer.exe.24080000.0.unpack	JoeSecurity_CyberGate	Yara detected CyberGate RAT	Joe Security
8.2.explorer.exe.24080000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.explorer.exe.24080000.0.unpack	Windows_Trojan_CyberGate_9996d800	unknown	unknown	0x2b3ee:$a1: 24 08 8B 44 24 08 83 C4 14 5D 5F 5E 5B C3 55 8B EC 83 C4 F0
8.2.explorer.exe.24080000.0.raw.unpack	Windows_Trojan_CyberGate_9996d800	unknown	unknown	0x2b3ee:$a1: 24 08 8B 44 24 08 83 C4 14 5D 5F 5E 5B C3 55 8B EC 83 C4 F0
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\3ClBcOpPUX.exe, ProcessId: 6412, TargetFilename: C:\Windows\SysWOW64\System\svchost.exe

Sigma detected: Common Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name): Data: Details: C:\Windows\system32\System\svchost.exe Restart, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\3ClBcOpPUX.exe, ProcessId: 6412, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4C7TF7E-V451-D2XH-Q4F8-64T3431A5V51}\StubPath

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\system32\System\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\3ClBcOpPUX.exe, ProcessId: 6412, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\system32\System\svchost.exe" , CommandLine: "C:\Windows\system32\System\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\System\svchost.exe, NewProcessName: C:\Windows\SysWOW64\System\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\System\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\3ClBcOpPUX.exe", ParentImage: C:\Users\user\Desktop\3ClBcOpPUX.exe, ParentProcessId: 7304, ParentProcessName: 3ClBcOpPUX.exe, ProcessCommandLine: "C:\Windows\system32\System\svchost.exe" , ProcessId: 7532, ProcessName: svchost.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\system32\System\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\3ClBcOpPUX.exe, ProcessId: 6412, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SAQ

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 6996, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T01:14:14.762003+0100	2809763	1	Malware Command and Control Activity Detected	192.168.2.7	49985	193.161.193.99	40214	TCP
2025-01-14T01:14:22.694873+0100	2809763	1	Malware Command and Control Activity Detected	192.168.2.7	49986	193.161.193.99	40214	TCP
2025-01-14T01:14:30.679021+0100	2809763	1	Malware Command and Control Activity Detected	192.168.2.7	49987	193.161.193.99	40214	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 3ClBcOpPUX.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://login.live	Avira URL Cloud: Label: malware
Source: kalintz-40214.portmap.host:40214	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Windows\SysWOW64\System\svchost.exe

Avira: detection malicious, Label: TR/Agent.598022

Found malware configuration

Source: 0.0.3ClBcOpPUX.exe.400000.0.unpack

Malware Configuration Extractor: CyberGate {"C2 list": ["kalintz-40214.portmap.host:40214"], "Campaign": "ID", "Password": "123", "InstallFlag": "TRUE", "InstallDir": "System", "InstallFileName": "svchost.exe", "ActiveXStartup": "{B4C7TF7E-V451-D2XH-Q4F8-64T3431A5V51}", "REGKeyHKLM": "SAQ", "REGKeyHKCU": "JSA", "EnableMessageBox": "FALSE", "MessageBoxIcon": "16", "MessageBoxButton": "0", "InstallMessage": "texto da mensagem", "ActivateKeylogger": "TRUE", "KeyloggerBackspace": "TRUE", "KeyloggerEnableFTP": "FALSE", "FTPAddress": "ftp.server.com", "FTPDirectory": "./logs/", "FTPUserName": "ftp_user", "FTPPort": "21", "FTPInterval": "30", "ProcessInjection": "0", "ProcessNameForInjection": "explorer.exe", "Persistance": "TRUE", "HideFile": "TRUE", "ChangeCreationDate": "TRUE", "Mutex": "***MUTEX***", "MeltFile": "FALSE", "CyberGateVersion": "2.6", "StartupPolicies": "Policies", "USBSpread": "FALSE"}

Multi AV Scanner detection for dropped file

Source: C:\Windows\SysWOW64\System\svchost.exe

ReversingLabs: Detection: 97%

Multi AV Scanner detection for submitted file

Source: 3ClBcOpPUX.exe	Virustotal: Detection: 90%			Perma Link
Source: 3ClBcOpPUX.exe	ReversingLabs: Detection: 97%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for dropped file

Source: C:\Windows\SysWOW64\System\svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 3ClBcOpPUX.exe

Joe Sandbox ML: detected

Source: 3ClBcOpPUX.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: explorer.exe	Binary or memory string: autorun.inf
Source: explorer.exe	Binary or memory string: [autorun] ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
Source: explorer.exe	Binary or memory string: [autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
Source: explorer.exe, 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: explorer.exe, 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: H[autorun]
Source: explorer.exe, 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: 3ClBcOpPUX.exe	Binary or memory string: autorun.inf
Source: 3ClBcOpPUX.exe	Binary or memory string: [autorun] ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
Source: 3ClBcOpPUX.exe	Binary or memory string: [autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: H[autorun]
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: autorun.inf

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240863E8 FindFirstFileA,GetLastError,	8_2_240863E8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_24086C78 FindFirstFileA,FindClose,	8_2_24086C78
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240845F0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	8_2_240845F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240AD390 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	8_2_240AD390
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_24086C77 FindFirstFileA,FindClose,	8_2_24086C77
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_24085FE2 FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA,	8_2_24085FE2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_24085FE4 FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA,	8_2_24085FE4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240B09E4 FindFirstFileA,FindNextFileA,FindClose,	8_2_240B09E4
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_240F6C78 FindFirstFileA,FindClose,	10_2_240F6C78
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_240F45F0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	10_2_240F45F0
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_2411D390 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	10_2_2411D390
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_240F63E8 FindFirstFileA,GetLastError,	10_2_240F63E8
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_240F6C77 FindFirstFileA,FindClose,	10_2_240F6C77
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_240F5FE4 FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA,	10_2_240F5FE4
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_240F5FE2 FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA,	10_2_240F5FE2
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_241209E4 FindFirstFileA,FindNextFileA,FindClose,	10_2_241209E4

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_240B092C GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,

8_2_240B092C

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2809763 - Severity 1 - ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M5 : 192.168.2.7:49986 -> 193.161.193.99:40214
Source: Network traffic	Suricata IDS: 2809763 - Severity 1 - ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M5 : 192.168.2.7:49987 -> 193.161.193.99:40214
Source: Network traffic	Suricata IDS: 2809763 - Severity 1 - ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M5 : 192.168.2.7:49985 -> 193.161.193.99:40214

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: kalintz-40214.portmap.host:40214

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: kalintz-40214.portmap.host

Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/
Source: svchost.exe, 0000000F.00000003.1480462698.000002F4FE976000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2516436879.000002F4FE97F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2516278622.000002F4FE937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 0000000F.00000002.2516436879.000002F4FE97F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/ess
Source: svchost.exe, 0000000F.00000003.1493134780.000002F4FE988000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1493134780.000002F4FE984000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2516436879.000002F4FE97F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2517335984.000002F4FF087000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1364411043.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2516278622.000002F4FE937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 0000000F.00000002.2516793690.000002F4FF040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb:pp
Source: svchost.exe, 0000000F.00000003.1480462698.000002F4FE976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tbA
Source: svchost.exe, 0000000F.00000003.1542355235.000002F4FF043000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514877018.000002F4FE081000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1456730040.000002F4FF049000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb_
Source: explorer.exe, 00000005.00000003.2277895481.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2523159601.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2275783256.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1279085771.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1270712327.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2520088878.000000000730B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 0000000F.00000002.2515436325.000002F4FE0DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: explorer.exe, 00000005.00000003.2277895481.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2523159601.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2275783256.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1279085771.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1270712327.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2520088878.000000000730B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000005.00000003.2277895481.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2523159601.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2275783256.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1279085771.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1270712327.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2520088878.000000000730B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.15.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: svchost.exe, 0000000F.00000003.1361451065.000002F4FF043000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1456730040.000002F4FF049000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ee29c2f
Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1364411043.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1446758121.000002F4FE90E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2516012426.000002F4FE900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1447490105.000002F4FE90E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 0000000F.00000002.2516436879.000002F4FE97F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd0
Source: svchost.exe, 0000000F.00000003.1480462698.000002F4FE976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAOZ9
Source: svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdrypt
Source: svchost.exe, 0000000F.00000003.1480462698.000002F4FE976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdsAAAA
Source: svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdx
Source: svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1462998793.000002F4FE910000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1480462698.000002F4FE976000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1461951043.000002F4FE90E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2516436879.000002F4FE97F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1524590976.000002F4FE977000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1364411043.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1446758121.000002F4FE90E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2515543348.000002F4FE0E9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2516012426.000002F4FE900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1447490105.000002F4FE90E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd-cbc
Source: svchost.exe, 0000000F.00000003.1462230280.000002F4FE929000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAA
Source: svchost.exe, 0000000F.00000003.1462230280.000002F4FE929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1480462698.000002F4FE976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
Source: svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsithm
Source: svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdx
Source: explorer.exe, 00000005.00000003.2277895481.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2523159601.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2275783256.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1279085771.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1270712327.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2520088878.000000000730B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: svchost.exe, 0000000F.00000002.2517335984.000002F4FF087000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2515543348.000002F4FE0E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://passport.net/tb
Source: explorer.exe, 00000005.00000002.2522447188.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.2520944517.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.2522422061.0000000008810000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: svchost.exe, 0000000F.00000002.2516721060.000002F4FF013000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: svchost.exe, 0000000F.00000002.2516278622.000002F4FE937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2516278622.000002F4FE937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc57
Source: svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1364411043.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 0000000F.00000003.1493134780.000002F4FE988000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1493134780.000002F4FE984000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1364411043.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuee2
Source: svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuessue
Source: svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issueue
Source: svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 0000000F.00000002.2516278622.000002F4FE937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustn
Source: Amcache.hve.14.dr	String found in binary or memory: http://upx.sf.net
Source: explorer.exe, 00000005.00000003.2272569777.000000000C41F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2274640363.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271443276.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1282672550.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: svchost.exe, 00000002.00000002.1365149444.0000018999C13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: explorer.exe, 00000005.00000002.2518815430.00000000071B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: svchost.exe, 0000000F.00000003.1511821480.000002F4FE983000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 0000000F.00000003.1341477740.000002F4FE956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=806014
Source: svchost.exe, 0000000F.00000003.1341477740.000002F4FE956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000000F.00000003.1341477740.000002F4FE956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000000F.00000003.1341477740.000002F4FE956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000000F.00000003.1341477740.000002F4FE956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341599713.000002F4FE92A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000000F.00000003.1341599713.000002F4FE92A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2516278622.000002F4FE937000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341319930.000002F4FE957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: explorer.exe, 00000005.00000002.2523159601.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2275783256.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1279085771.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000005.00000002.2523159601.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1279085771.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2274666714.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000005.00000002.2523159601.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000005.00000003.2275783256.0000000008DAD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000005.00000003.2275783256.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1279085771.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2523159601.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000005.00000002.2518815430.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1270712327.0000000007276000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
Source: svchost.exe, 00000002.00000003.1364589405.0000018999C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365308250.0000018999C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: explorer.exe, 00000005.00000003.2275783256.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1279085771.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2523159601.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: svchost.exe, 00000002.00000003.1364589405.0000018999C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365308250.0000018999C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000002.00000003.1364474842.0000018999C5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365422776.0000018999C70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364324542.0000018999C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365366318.0000018999C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364083180.0000018999C6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364224835.0000018999C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000002.00000002.1365422776.0000018999C70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364083180.0000018999C6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000002.00000003.1364589405.0000018999C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365308250.0000018999C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000002.00000002.1365395442.0000018999C68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364200029.0000018999C67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000002.00000003.1364025389.0000018999C75000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365450436.0000018999C77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000002.00000003.1364589405.0000018999C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365308250.0000018999C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000002.00000003.1364474842.0000018999C5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365366318.0000018999C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365193517.0000018999C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364224835.0000018999C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000002.00000003.1364589405.0000018999C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365308250.0000018999C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000002.00000002.1365395442.0000018999C68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365193517.0000018999C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364200029.0000018999C67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000002.00000003.1364589405.0000018999C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365308250.0000018999C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000002.00000003.1364589405.0000018999C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365308250.0000018999C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000002.00000003.1364589405.0000018999C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365308250.0000018999C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000002.00000002.1365366318.0000018999C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365193517.0000018999C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364224835.0000018999C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000002.00000003.1364511700.0000018999C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365257506.0000018999C42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000002.00000003.1364589405.0000018999C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365308250.0000018999C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000002.00000002.1365366318.0000018999C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364224835.0000018999C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000002.00000003.1363958641.0000018999C33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000002.00000002.1365257506.0000018999C42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000002.00000002.1365366318.0000018999C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364224835.0000018999C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000002.00000003.1364511700.0000018999C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364324542.0000018999C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365257506.0000018999C42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000002.00000003.1363958641.0000018999C33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000002.00000003.1364589405.0000018999C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365308250.0000018999C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000002.00000003.1364511700.0000018999C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000002.00000002.1365395442.0000018999C68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365193517.0000018999C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364200029.0000018999C67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: explorer.exe, 00000005.00000000.1282672550.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2530072847.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: svchost.exe, 0000000F.00000002.2514451498.000002F4FE039000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignup.as0
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.ecur
Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live
Source: svchost.exe, 0000000F.00000002.2517591491.000002F4FF0AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 0000000F.00000003.1341477740.000002F4FE956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000000F.00000003.1341477740.000002F4FE956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341389723.000002F4FE96B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502d=80
Source: svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341389723.000002F4FE96B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600f?id
Source: svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341389723.000002F4FE96B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601ppse
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srfsrf
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 0000000F.00000002.2516721060.000002F4FF013000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2515074606.000002F4FE0A0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srffigS
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 0000000F.00000003.1341477740.000002F4FE956000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsec
Source: svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341389723.000002F4FE96B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srffg:CPAdd
Source: svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341389723.000002F4FE96B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srflows
Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341389723.000002F4FE96B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf:CPAddUserI
Source: svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341389723.000002F4FE96B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srfps://lo
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
Source: svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341389723.000002F4FE96B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 0000000F.00000003.1341599713.000002F4FE92A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341389723.000002F4FE96B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 0000000F.00000002.2517143917.000002F4FF07C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-Dpm3u3XT3KTESDAzqdIj6
Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srfn.live.
Source: svchost.exe, 0000000F.00000003.1341477740.000002F4FE956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600UE
Source: svchost.exe, 0000000F.00000002.2514451498.000002F4FE039000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 0000000F.00000003.1341477740.000002F4FE956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 0000000F.00000003.1341477740.000002F4FE956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341599713.000002F4FE92A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 0000000F.00000002.2516842694.000002F4FF044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1542355235.000002F4FF043000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341389723.000002F4FE96B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfSignUpAuth
Source: svchost.exe, 0000000F.00000003.1341599713.000002F4FE92A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502R
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 0000000F.00000003.1341477740.000002F4FE956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 0000000F.00000003.1341477740.000002F4FE956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806043
Source: svchost.exe, 0000000F.00000003.1341477740.000002F4FE956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341599713.000002F4FE92A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 0000000F.00000003.1341477740.000002F4FE956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341599713.000002F4FE92A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 0000000F.00000003.1341599713.000002F4FE92A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 0000000F.00000003.1341599713.000002F4FE92A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341319930.000002F4FE957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 0000000F.00000003.1341477740.000002F4FE956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341089618.000002F4FE95A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000000F.00000003.1341477740.000002F4FE956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341599713.000002F4FE92A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srfn.sr
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfLive
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 0000000F.00000002.2515543348.000002F4FE0E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srf
Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srfm
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfJ
Source: svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf.
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf-
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf%
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
Source: svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: explorer.exe, 00000005.00000000.1282672550.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2530072847.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000005.00000000.1282672550.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2530072847.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE955000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx
Source: svchost.exe, 00000002.00000003.1364511700.0000018999C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000002.00000003.1364549872.0000018999C47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365257506.0000018999C42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000002.00000003.1364549872.0000018999C47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365257506.0000018999C42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000002.00000003.1364399286.0000018999C5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000002.00000002.1365193517.0000018999C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1363958641.0000018999C33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000002.00000003.1364589405.0000018999C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365308250.0000018999C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000002.00000003.1364589405.0000018999C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365308250.0000018999C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000005.00000003.2274666714.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1279085771.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2523159601.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000005.00000000.1282672550.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2530072847.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000005.00000002.2518815430.00000000071B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.pollensense.com/

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_240ACDE0 OpenClipboard,GetClipboardData,DragQueryFile,DragQueryFile,CloseClipboard,

8_2_240ACDE0

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240ACFC8 OpenClipboard,GlobalAlloc,GlobalLock,SetClipboardData,GlobalUnlock,		8_2_240ACFC8
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_2411CFC8 OpenClipboard,GlobalAlloc,GlobalLock,SetClipboardData,GlobalUnlock,		10_2_2411CFC8

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_240ACDE0 OpenClipboard,GetClipboardData,DragQueryFile,DragQueryFile,CloseClipboard,

8_2_240ACDE0

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_240A7464 GetDesktopWindow,GetDC,CreateCompatibleDC,GetClientRect,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,

8_2_240A7464

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_240C0318 GetKeyboardState,MapVirtualKeyA,ToAscii,

8_2_240C0318

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240C038C GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,		8_2_240C038C
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_2413038C GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,		10_2_2413038C

Source: Yara match	File source: 10.2.3ClBcOpPUX.exe.240f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.24080000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3ClBcOpPUX.exe PID: 7304, type: MEMORYSTR

E-Banking Fraud

Yara detected CyberGate RAT

Source: Yara match	File source: 3ClBcOpPUX.exe, type: SAMPLE
Source: Yara match	File source: 0.0.3ClBcOpPUX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.3ClBcOpPUX.exe.240f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.24080000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1254230385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3ClBcOpPUX.exe PID: 6412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3ClBcOpPUX.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\SysWOW64\System\svchost.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 3ClBcOpPUX.exe, type: SAMPLE	Matched rule: Windows_Trojan_CyberGate_517aac7d Author: unknown
Source: 3ClBcOpPUX.exe, type: SAMPLE	Matched rule: Windows_Trojan_CyberGate_9996d800 Author: unknown
Source: 3ClBcOpPUX.exe, type: SAMPLE	Matched rule: Detects CyberGate RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3ClBcOpPUX.exe, type: SAMPLE	Matched rule: CyberGate Author: Kevin Breen <kevin@techanarchy.net>
Source: 3ClBcOpPUX.exe, type: SAMPLE	Matched rule: Detects CyberGate/Spyrat/Rebhip RTA Author: ditekSHen
Source: 0.0.3ClBcOpPUX.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CyberGate_517aac7d Author: unknown
Source: 0.0.3ClBcOpPUX.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CyberGate_9996d800 Author: unknown
Source: 0.0.3ClBcOpPUX.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects CyberGate RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.3ClBcOpPUX.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CyberGate Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.3ClBcOpPUX.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects CyberGate/Spyrat/Rebhip RTA Author: ditekSHen
Source: 10.2.3ClBcOpPUX.exe.240f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CyberGate_9996d800 Author: unknown
Source: 10.2.3ClBcOpPUX.exe.240f0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CyberGate_9996d800 Author: unknown
Source: 8.2.explorer.exe.24080000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CyberGate_9996d800 Author: unknown
Source: 8.2.explorer.exe.24080000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CyberGate_9996d800 Author: unknown
Source: 00000000.00000000.1254230385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_517aac7d Author: unknown
Source: 00000000.00000000.1254230385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_9996d800 Author: unknown
Source: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_9996d800 Author: unknown
Source: 00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_517aac7d Author: unknown
Source: 00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_9996d800 Author: unknown
Source: 00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects CyberGate RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: CyberGate Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_9996d800 Author: unknown
Source: 00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_517aac7d Author: unknown
Source: 00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_9996d800 Author: unknown
Source: 00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects CyberGate RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: CyberGate Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 3ClBcOpPUX.exe PID: 6412, type: MEMORYSTR	Matched rule: Windows_Trojan_CyberGate_517aac7d Author: unknown
Source: C:\Windows\SysWOW64\System\svchost.exe, type: DROPPED	Matched rule: Windows_Trojan_CyberGate_517aac7d Author: unknown
Source: C:\Windows\SysWOW64\System\svchost.exe, type: DROPPED	Matched rule: Windows_Trojan_CyberGate_9996d800 Author: unknown
Source: C:\Windows\SysWOW64\System\svchost.exe, type: DROPPED	Matched rule: Detects CyberGate RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Windows\SysWOW64\System\svchost.exe, type: DROPPED	Matched rule: CyberGate Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Windows\SysWOW64\System\svchost.exe, type: DROPPED	Matched rule: Detects CyberGate/Spyrat/Rebhip RTA Author: ditekSHen

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240AB690 NtdllDefWindowProc_A,	8_2_240AB690
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_24085C1C OpenProcess,NtQueryInformationProcess,NtSetInformationProcess,CloseHandle,	8_2_24085C1C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240AEAA0 SetPropA,GetPropA,NtdllDefWindowProc_A,	8_2_240AEAA0
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_240F5C1C OpenProcess,NtQueryInformationProcess,NtSetInformationProcess,CloseHandle,	10_2_240F5C1C
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_2411B690 NtdllDefWindowProc_A,	10_2_2411B690
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_2411EAA0 SetPropA,GetPropA,NtdllDefWindowProc_A,	10_2_2411EAA0

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_240AC950 OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,

8_2_240AC950

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_2408528E ExitWindowsEx,		8_2_2408528E
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_240F528E ExitWindowsEx,		10_2_240F528E

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	File created: C:\Windows\SysWOW64\System\	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	File created: C:\Windows\SysWOW64\System\svchost.exe	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	File created: C:\Windows\SysWOW64\System\svchost.exe:Zone.Identifier:$DATA	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240C6188	8_2_240C6188
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_2409F414	8_2_2409F414
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240A34CC	8_2_240A34CC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240A5C24	8_2_240A5C24
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_2409FD44	8_2_2409FD44
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240A5970	8_2_240A5970
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_24136188	10_2_24136188
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_2410F414	10_2_2410F414
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_241134CC	10_2_241134CC
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_24115C24	10_2_24115C24
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_2410FD44	10_2_2410FD44
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_24115970	10_2_24115970

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 2409562C appears 392 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 24083480 appears 140 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 24085008 appears 57 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 240830DC appears 64 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 24083388 appears 37 times
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: String function: 2410562C appears 392 times
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: String function: 240F5008 appears 56 times
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: String function: 240F3480 appears 140 times
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: String function: 240F3388 appears 37 times
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: String function: 240F30DC appears 64 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 7532 -ip 7532

Source: 3ClBcOpPUX.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 3ClBcOpPUX.exe, type: SAMPLE	Matched rule: Windows_Trojan_CyberGate_517aac7d reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = 3d998bda8e56de6fd6267abdacffece8bcf1c62c2e06540a54244dc6ea816825, id = 517aac7d-2737-4917-9aa1-c0bd1c3e9801, last_modified = 2022-04-12
Source: 3ClBcOpPUX.exe, type: SAMPLE	Matched rule: Windows_Trojan_CyberGate_9996d800 reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = eb39d2ff211230aedcf1b5ec0d1dfea108473cc7cba68f5dc1a88479734c02b0, id = 9996d800-a833-4535-972b-3ee320215bb6, last_modified = 2022-04-12
Source: 3ClBcOpPUX.exe, type: SAMPLE	Matched rule: RAT_CyberGate date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects CyberGate RAT, reference = http://malwareconfig.com/stats/CyberGate
Source: 3ClBcOpPUX.exe, type: SAMPLE	Matched rule: CyberGate date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/CyberGate
Source: 3ClBcOpPUX.exe, type: SAMPLE	Matched rule: MALWARE_Win_CyberGate author = ditekSHen, description = Detects CyberGate/Spyrat/Rebhip RTA
Source: 0.0.3ClBcOpPUX.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CyberGate_517aac7d reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = 3d998bda8e56de6fd6267abdacffece8bcf1c62c2e06540a54244dc6ea816825, id = 517aac7d-2737-4917-9aa1-c0bd1c3e9801, last_modified = 2022-04-12
Source: 0.0.3ClBcOpPUX.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CyberGate_9996d800 reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = eb39d2ff211230aedcf1b5ec0d1dfea108473cc7cba68f5dc1a88479734c02b0, id = 9996d800-a833-4535-972b-3ee320215bb6, last_modified = 2022-04-12
Source: 0.0.3ClBcOpPUX.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_CyberGate date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects CyberGate RAT, reference = http://malwareconfig.com/stats/CyberGate
Source: 0.0.3ClBcOpPUX.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CyberGate date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/CyberGate
Source: 0.0.3ClBcOpPUX.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CyberGate author = ditekSHen, description = Detects CyberGate/Spyrat/Rebhip RTA
Source: 10.2.3ClBcOpPUX.exe.240f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CyberGate_9996d800 reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = eb39d2ff211230aedcf1b5ec0d1dfea108473cc7cba68f5dc1a88479734c02b0, id = 9996d800-a833-4535-972b-3ee320215bb6, last_modified = 2022-04-12
Source: 10.2.3ClBcOpPUX.exe.240f0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CyberGate_9996d800 reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = eb39d2ff211230aedcf1b5ec0d1dfea108473cc7cba68f5dc1a88479734c02b0, id = 9996d800-a833-4535-972b-3ee320215bb6, last_modified = 2022-04-12
Source: 8.2.explorer.exe.24080000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CyberGate_9996d800 reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = eb39d2ff211230aedcf1b5ec0d1dfea108473cc7cba68f5dc1a88479734c02b0, id = 9996d800-a833-4535-972b-3ee320215bb6, last_modified = 2022-04-12
Source: 8.2.explorer.exe.24080000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CyberGate_9996d800 reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = eb39d2ff211230aedcf1b5ec0d1dfea108473cc7cba68f5dc1a88479734c02b0, id = 9996d800-a833-4535-972b-3ee320215bb6, last_modified = 2022-04-12
Source: 00000000.00000000.1254230385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_517aac7d reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = 3d998bda8e56de6fd6267abdacffece8bcf1c62c2e06540a54244dc6ea816825, id = 517aac7d-2737-4917-9aa1-c0bd1c3e9801, last_modified = 2022-04-12
Source: 00000000.00000000.1254230385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_9996d800 reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = eb39d2ff211230aedcf1b5ec0d1dfea108473cc7cba68f5dc1a88479734c02b0, id = 9996d800-a833-4535-972b-3ee320215bb6, last_modified = 2022-04-12
Source: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_9996d800 reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = eb39d2ff211230aedcf1b5ec0d1dfea108473cc7cba68f5dc1a88479734c02b0, id = 9996d800-a833-4535-972b-3ee320215bb6, last_modified = 2022-04-12
Source: 00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_517aac7d reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = 3d998bda8e56de6fd6267abdacffece8bcf1c62c2e06540a54244dc6ea816825, id = 517aac7d-2737-4917-9aa1-c0bd1c3e9801, last_modified = 2022-04-12
Source: 00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_9996d800 reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = eb39d2ff211230aedcf1b5ec0d1dfea108473cc7cba68f5dc1a88479734c02b0, id = 9996d800-a833-4535-972b-3ee320215bb6, last_modified = 2022-04-12
Source: 00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_CyberGate date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects CyberGate RAT, reference = http://malwareconfig.com/stats/CyberGate
Source: 00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: CyberGate date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/CyberGate
Source: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_9996d800 reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = eb39d2ff211230aedcf1b5ec0d1dfea108473cc7cba68f5dc1a88479734c02b0, id = 9996d800-a833-4535-972b-3ee320215bb6, last_modified = 2022-04-12
Source: 00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_517aac7d reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = 3d998bda8e56de6fd6267abdacffece8bcf1c62c2e06540a54244dc6ea816825, id = 517aac7d-2737-4917-9aa1-c0bd1c3e9801, last_modified = 2022-04-12
Source: 00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_9996d800 reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = eb39d2ff211230aedcf1b5ec0d1dfea108473cc7cba68f5dc1a88479734c02b0, id = 9996d800-a833-4535-972b-3ee320215bb6, last_modified = 2022-04-12
Source: 00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_CyberGate date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects CyberGate RAT, reference = http://malwareconfig.com/stats/CyberGate
Source: 00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: CyberGate date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/CyberGate
Source: Process Memory Space: 3ClBcOpPUX.exe PID: 6412, type: MEMORYSTR	Matched rule: Windows_Trojan_CyberGate_517aac7d reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = 3d998bda8e56de6fd6267abdacffece8bcf1c62c2e06540a54244dc6ea816825, id = 517aac7d-2737-4917-9aa1-c0bd1c3e9801, last_modified = 2022-04-12
Source: C:\Windows\SysWOW64\System\svchost.exe, type: DROPPED	Matched rule: Windows_Trojan_CyberGate_517aac7d reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = 3d998bda8e56de6fd6267abdacffece8bcf1c62c2e06540a54244dc6ea816825, id = 517aac7d-2737-4917-9aa1-c0bd1c3e9801, last_modified = 2022-04-12
Source: C:\Windows\SysWOW64\System\svchost.exe, type: DROPPED	Matched rule: Windows_Trojan_CyberGate_9996d800 reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = eb39d2ff211230aedcf1b5ec0d1dfea108473cc7cba68f5dc1a88479734c02b0, id = 9996d800-a833-4535-972b-3ee320215bb6, last_modified = 2022-04-12
Source: C:\Windows\SysWOW64\System\svchost.exe, type: DROPPED	Matched rule: RAT_CyberGate date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects CyberGate RAT, reference = http://malwareconfig.com/stats/CyberGate
Source: C:\Windows\SysWOW64\System\svchost.exe, type: DROPPED	Matched rule: CyberGate date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/CyberGate
Source: C:\Windows\SysWOW64\System\svchost.exe, type: DROPPED	Matched rule: MALWARE_Win_CyberGate author = ditekSHen, description = Detects CyberGate/Spyrat/Rebhip RTA

Source: classification engine

Classification label: mal100.troj.evad.winEXE@22/16@2/0

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240AC424 GetVersionExA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle,	8_2_240AC424
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_24085B30 GetVersionExA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle,	8_2_24085B30
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_240F5B30 GetVersionExA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle,	10_2_240F5B30
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_2411C424 GetVersionExA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle,	10_2_2411C424

Source: C:\Windows\SysWOW64\explorer.exe	Code function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,		8_2_240ACBE4
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,		10_2_2411CBE4

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_240AC858 OpenSCManagerA,OpenServiceA,StartServiceA,ControlService,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,

8_2_240AC858

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe

File created: C:\Users\user\AppData\Roaming\logs.dat

Jump to behavior

Source: C:\Windows\SysWOW64\System\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\_x_X_UPDATE_X_x_
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\*MUTEX*_SAIR
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Mutant created: \Sessions\1\BaseNamedObjects\*MUTEX*
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Mutant created: \Sessions\1\BaseNamedObjects\_x_X_BLOCKMOUSE_X_x_
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:7584:64:WilError_03
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Mutant created: \Sessions\1\BaseNamedObjects\_x_X_PASSWORDLIST_X_x_
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7532
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\*MUTEX*_PERSIST
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5172:120:WilError_03

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe

File created: C:\Users\user~1\AppData\Local\Temp\XX--XX--XX.txt

Jump to behavior

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 3ClBcOpPUX.exe	Virustotal: Detection: 90%
Source: 3ClBcOpPUX.exe	ReversingLabs: Detection: 97%

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe

File read: C:\Users\user\Desktop\3ClBcOpPUX.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\3ClBcOpPUX.exe "C:\Users\user\Desktop\3ClBcOpPUX.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Process created: C:\Users\user\Desktop\3ClBcOpPUX.exe "C:\Users\user\Desktop\3ClBcOpPUX.exe"
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Process created: C:\Windows\SysWOW64\System\svchost.exe "C:\Windows\system32\System\svchost.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 7532 -ip 7532
Source: C:\Windows\SysWOW64\System\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7532 -s 564
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Process created: C:\Users\user\Desktop\3ClBcOpPUX.exe "C:\Users\user\Desktop\3ClBcOpPUX.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Process created: C:\Windows\SysWOW64\System\svchost.exe "C:\Windows\system32\System\svchost.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 7532 -ip 7532	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7532 -s 564	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ndfapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wdi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: w32time.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\System\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\System\svchost.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\System\svchost.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\System\svchost.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\System\svchost.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\System\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wlidsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gamestreamingext.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msauserext.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: tbs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptngc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptprov.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: elscore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: elstrans.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_24086EDC LoadLibraryA,GetProcAddress,GetTempPathA,

8_2_24086EDC

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_24094408 push 24094440h; ret	8_2_24094438
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240A6400 push 240A642Ch; ret	8_2_240A6424
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240B0430 push 240B0468h; ret	8_2_240B0460
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_2409545C push 24095488h; ret	8_2_24095480
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_2409A450 push 2409A47Ch; ret	8_2_2409A474
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240C346C push 240C3498h; ret	8_2_240C3490
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240B046C push 240B04A0h; ret	8_2_240B0498
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_24095494 push 240954C0h; ret	8_2_240954B8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240C34A4 push 240C34D0h; ret	8_2_240C34C8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240AB4CC push 240AB4F8h; ret	8_2_240AB4F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240C34F4 push 240C3520h; ret	8_2_240C3518
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_24092518 push 24092544h; ret	8_2_2409253C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240B1514 push 240B1540h; ret	8_2_240B1538
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_2408552C push 24085558h; ret	8_2_24085550
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_24095544 push 24095570h; ret	8_2_24095568
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240C2550 push 240C25CFh; ret	8_2_240C25C7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240A6554 push 240A6580h; ret	8_2_240A6578
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_2409557C push 240955A8h; ret	8_2_240955A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_24080608 push cs; iretd	8_2_2408060B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_24092600 push 2409262Ch; ret	8_2_24092624
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240AC62C push 240AC658h; ret	8_2_240AC650
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240AC6AC push 240AC6D8h; ret	8_2_240AC6D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240956A0 push 240956CCh; ret	8_2_240956C4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240936DC push ecx; mov dword ptr [esp], edx	8_2_240936DE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240AB7A0 push 240AB7CCh; ret	8_2_240AB7C4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_2408F7F8 push 2408F824h; ret	8_2_2408F81C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240937F0 push 2409381Ch; ret	8_2_24093814
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_24092010 push 2409203Ch; ret	8_2_24092034
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240A606C push 240A6098h; ret	8_2_240A6090
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240AE070 push 240AE0A8h; ret	8_2_240AE0A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_24092080 push 240920ACh; ret	8_2_240920A4

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe

File created: C:\Windows\SysWOW64\System\svchost.exe

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe

Executable created and started: C:\Windows\SysWOW64\System\svchost.exe

Jump to behavior

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe

File created: C:\Windows\SysWOW64\System\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe

File created: C:\Windows\SysWOW64\System\svchost.exe

Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JSA

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Policies	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Policies	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Policies	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Policies	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Policies	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Policies	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Policies	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Policies	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4C7TF7E-V451-D2XH-Q4F8-64T3431A5V51} StubPath	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4C7TF7E-V451-D2XH-Q4F8-64T3431A5V51} StubPath	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4C7TF7E-V451-D2XH-Q4F8-64T3431A5V51} StubPath	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4C7TF7E-V451-D2XH-Q4F8-64T3431A5V51} StubPath	Jump to behavior

Source: C:\Windows\System32\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_240AC858 OpenSCManagerA,OpenServiceA,StartServiceA,ControlService,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,

8_2_240AC858

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SAQ	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SAQ	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JSA	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JSA	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_24085564 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_24085564

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\explorer.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep	graph_8-17324
Source: C:\Windows\SysWOW64\explorer.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_8-17025
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep	graph_10-17124

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 3ClBcOpPUX.exe, svchost.exe.0.dr	Binary or memory string: SBIEDLL.DLLS3
Source: 3ClBcOpPUX.exe, svchost.exe.0.dr	Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Code function: OpenSCManagerA,EnumServicesStatusA,CloseServiceHandle,		8_2_240AC9E0
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: OpenSCManagerA,EnumServicesStatusA,CloseServiceHandle,		10_2_2411C9E0

Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 648	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Window / User API: threadDelayed 2258	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Window / User API: foregroundWindowGot 1425	Jump to behavior

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_10-16743

Source: C:\Windows\SysWOW64\explorer.exe

API coverage: 9.1 %

Source: C:\Windows\SysWOW64\explorer.exe TID: 7240	Thread sleep time: -110000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7232	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7192	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7200	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 3232	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7208	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7216	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1352	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7184	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2020	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 3452	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 6420	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1412	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 6912	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7176	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2172	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe TID: 7488	Thread sleep time: -28800000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe TID: 7500	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe TID: 7440	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe TID: 7448	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe TID: 7456	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe TID: 7352	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe TID: 7416	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe TID: 7424	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe TID: 7360	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe TID: 7376	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe TID: 7432	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe TID: 7368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe TID: 7312	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe TID: 7392	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe TID: 7400	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe TID: 7344	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe TID: 7384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe TID: 7408	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240863E8 FindFirstFileA,GetLastError,	8_2_240863E8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_24086C78 FindFirstFileA,FindClose,	8_2_24086C78
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240845F0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	8_2_240845F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240AD390 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	8_2_240AD390
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_24086C77 FindFirstFileA,FindClose,	8_2_24086C77
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_24085FE2 FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA,	8_2_24085FE2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_24085FE4 FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA,	8_2_24085FE4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240B09E4 FindFirstFileA,FindNextFileA,FindClose,	8_2_240B09E4
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_240F6C78 FindFirstFileA,FindClose,	10_2_240F6C78
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_240F45F0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	10_2_240F45F0
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_2411D390 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	10_2_2411D390
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_240F63E8 FindFirstFileA,GetLastError,	10_2_240F63E8
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_240F6C77 FindFirstFileA,FindClose,	10_2_240F6C77
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_240F5FE4 FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA,	10_2_240F5FE4
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_240F5FE2 FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA,	10_2_240F5FE2
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_241209E4 FindFirstFileA,FindNextFileA,FindClose,	10_2_241209E4

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_240B092C GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,

8_2_240B092C

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_2408F870 GetVersionExW,GetVersionExW,GetSystemInfo,GetSystemMetrics,

8_2_2408F870

Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior

Source: Amcache.hve.14.dr	Binary or memory string: VMware
Source: explorer.exe, 00000005.00000002.2512612138.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: explorer.exe, 00000005.00000002.2523159601.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: svchost.exe.0.dr	Binary or memory string: VBoxService.exeS3
Source: svchost.exe, 00000004.00000002.2514052060.000001F53405E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: Amcache.hve.14.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: svchost.exe, 00000004.00000002.2513853139.000001F53402B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000005.00000003.2275783256.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2523159601.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1279085771.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2515436325.000002F4FE0DC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514451498.000002F4FE039000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000004.00000002.2514481625.000001F534089000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000002.2515704586.0000000003230000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: Amcache.hve.14.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr	Binary or memory string: vmci.sys
Source: explorer.exe, 00000005.00000002.2523159601.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: svchost.exe, 00000004.00000002.2514052060.000001F53404B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000002.2523159601.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 00000005.00000000.1279085771.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 00000005.00000000.1279085771.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: explorer.exe, 00000005.00000002.2520088878.000000000730B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000005.00000002.2523159601.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2275783256.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1279085771.0000000008F27000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT`
Source: Amcache.hve.14.dr	Binary or memory string: VMware VMCI Bus Device
Source: explorer.exe, 00000005.00000002.2515704586.0000000003230000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.14.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: explorer.exe, 00000005.00000002.2523159601.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000002.2512612138.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.14.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr	Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000004.00000002.2514304342.000001F53407C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: explorer.exe, 00000005.00000002.2515704586.0000000003230000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: svchost.exe, 00000004.00000002.2513853139.000001F53402B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000002.2523159601.0000000009013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000005.00000002.2515704586.0000000003230000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.14.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: explorer.exe, 00000005.00000002.2520088878.000000000730B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_xU1
Source: Amcache.hve.14.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: explorer.exe, 00000008.00000002.2512837875.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2513069759.00000218BCA2B000.00000004.00000020.00020000.00000000.sdmp, 3ClBcOpPUX.exe, 0000000A.00000002.2512975944.0000000000932000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe.0.dr	Binary or memory string: VBoxService.exe
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.14.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: svchost.exe, 00000004.00000002.2514304342.000001F534064000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000e1}
Source: explorer.exe, 00000005.00000003.2275783256.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1279085771.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2523159601.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
Source: svchost.exe, 0000000F.00000002.2516721060.000002F4FF013000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000005.00000002.2515704586.0000000003230000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: svchost.exe, 00000004.00000002.2513484850.000001F534002000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: explorer.exe, 00000005.00000002.2523159601.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: Amcache.hve.14.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: explorer.exe, 00000005.00000002.2523159601.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: svchost.exe, 00000004.00000002.2514052060.000001F53404B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000002.2512612138.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Windows\SysWOW64\explorer.exe	API call chain: ExitProcess graph end node	graph_8-17112
Source: C:\Windows\SysWOW64\explorer.exe	API call chain: ExitProcess graph end node	graph_8-16637
Source: C:\Windows\SysWOW64\explorer.exe	API call chain: ExitProcess graph end node	graph_8-16702
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	API call chain: ExitProcess graph end node	graph_10-16224
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	API call chain: ExitProcess graph end node	graph_10-18654
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	API call chain: ExitProcess graph end node	graph_10-16298

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	File opened: NTICE
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	File opened: SICE

Source: C:\Windows\SysWOW64\System\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_24086EDC LoadLibraryA,GetProcAddress,GetTempPathA,

8_2_24086EDC

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_2409E130 WSAStartup,GetProcessHeap,WSACleanup,

8_2_2409E130

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 24010000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 8510000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 7C30000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 7C60000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 85B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 85C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 8850000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 8860000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 8870000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 8B10000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 8B30000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 8B40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 8B50000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 9750000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 97F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 9800000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: B060000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: B190000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: BF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: BF50000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: BF60000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: BF70000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: BF80000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: BF90000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: BFA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: BFB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E2B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E2C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E2D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E2E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E2F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E300000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E310000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E320000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E330000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E340000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E350000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E360000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E580000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E590000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E5A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E5B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E5C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E5D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E5E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E5F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E600000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E610000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E620000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: E630000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: F240000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: F250000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: F260000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: F270000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: F280000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: F290000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: F2A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: F2B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: F2C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: F2D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: F2E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: F2F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: F300000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: F320000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: F330000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10410000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10420000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10430000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10440000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10450000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10460000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10470000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10480000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10490000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 104A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 104B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 104C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 104D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 104E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 104F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10500000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10510000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10520000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10530000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10540000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10550000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10560000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10570000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10580000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10590000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 105A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 105B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 105C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 105D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 105E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 105F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10600000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10610000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10620000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10630000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10640000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10650000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10660000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10670000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10680000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10690000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 106A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 106B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 106C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 106D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 106E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 106F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10700000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10710000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10720000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10730000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10740000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10750000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10760000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10770000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10780000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10790000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 107A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 107B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 107C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 107D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 107E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 107F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10800000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\explorer.exe base: 10810000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 24080000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 500000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 510000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 520000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 530000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2A10000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2A20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2A30000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2A40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2A50000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2A60000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2A70000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2A80000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2A90000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2AA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2AB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2E90000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2EA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2EB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2EC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2ED0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2EE0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2EF0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2F00000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2F10000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2F20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2F30000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2F40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2F50000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2F60000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 47A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 47B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 47C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 47D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4820000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4830000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4840000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 48C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 48E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 48F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4900000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4990000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 49A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 49B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 49C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 49D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 49E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 49F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4A80000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4A90000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4AA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4AB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4AC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4AD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4AE0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4B70000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4B80000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4B90000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4BA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4BB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4BC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4BD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4C60000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4C70000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4C80000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4C90000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4CA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4CB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4CC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4D10000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4D70000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4D80000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4D90000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4DA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4DB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4DC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4E50000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4E60000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4E70000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4E80000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4E90000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4EA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4EB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4F40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4F50000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4F60000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4F70000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4F80000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4F90000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 4FA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5030000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5040000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5050000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5060000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5070000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5080000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5090000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5120000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5130000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5140000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5150000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5160000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5170000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5180000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5210000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5220000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5230000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5240000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5250000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5260000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5270000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5300000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5310000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5320000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5330000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5340000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5350000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5360000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 53F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5410000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5420000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5430000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5440000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5450000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 54E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 54F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5500000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5510000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5520000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5530000 protect: page execute and read and write	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_240C4984 CreateProcessA,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,TerminateProcess,ResumeThread,

8_2_240C4984

Contains functionality to inject threads in other processes

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 8_2_240AB354 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle,		8_2_240AB354
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: 10_2_2411B354 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle,		10_2_2411B354

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 520000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 2A30000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 2A70000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 2AB0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 2EC0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 2F00000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 2F30000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 47A0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 47D0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 48C0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 4900000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 49C0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 49F0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 4AB0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 4AE0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 4BA0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 4BD0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 4C90000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 4CC0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 4D90000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 4DC0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 4E80000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 4EB0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 4F70000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 4FA0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 5060000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 5090000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 5150000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 5180000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 5240000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 5270000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 5330000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 5360000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 5420000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 5450000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 5510000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 5530000	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 24010000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 24080000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Users\user\Desktop\3ClBcOpPUX.exe base: 240F0000 value starts with: 4D5A	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 8510000 value: 4B	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 7C30000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 7C60000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 85B0000 value: 4C	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 85C0000 value: 4B	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 8850000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 8860000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 8870000 value: 47	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 8B10000 value: 4B	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 8B30000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 8B40000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 8B50000 value: 56	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 9750000 value: 4B	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 97F0000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 9800000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: B060000 value: 56	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: B190000 value: 4B	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: BF40000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: BF50000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: BF60000 value: 56	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: BF70000 value: 4B	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: BF80000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: BF90000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: BFA0000 value: 61	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: BFB0000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E2B0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E2C0000 value: 52	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E2D0000 value: 61	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E2E0000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E2F0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E300000 value: 41	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E310000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E320000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E330000 value: 63	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E340000 value: 41	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E350000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E360000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E580000 value: 67	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E590000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E5A0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E5B0000 value: 42	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E5C0000 value: 67	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E5D0000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E5E0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E5F0000 value: 67	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E600000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E610000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E620000 value: 47	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: E630000 value: 67	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: F240000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: F250000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: F260000 value: 6D	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: F270000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: F280000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: F290000 value: 57	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: F2A0000 value: 6D	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: F2B0000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: F2C0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: F2D0000 value: 6D	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: F2E0000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: F2F0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: F300000 value: 61	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: F320000 value: 6D	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: F330000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10400000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10410000 value: 6E	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10420000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10430000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10440000 value: 5A	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10450000 value: 6E	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10460000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10470000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10480000 value: 6F	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10490000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 104A0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 104B0000 value: 43	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 104C0000 value: 6F	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 104D0000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 104E0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 104F0000 value: 6F	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10500000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10510000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10520000 value: 53	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10530000 value: 6F	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10540000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10550000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10560000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10570000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10580000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10590000 value: 53	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 105A0000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 105B0000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 105C0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 105D0000 value: 73	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 105E0000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 105F0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10600000 value: 53	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10610000 value: 73	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10620000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10630000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10640000 value: 75	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10650000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10660000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10670000 value: 47	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10680000 value: 75	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10690000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 106A0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 106B0000 value: 77	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 106C0000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 106D0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 106E0000 value: 46	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 106F0000 value: 77	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10700000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10710000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10720000 value: 77	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10730000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10740000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10750000 value: 77	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10760000 value: 77	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10770000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10780000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10790000 value: 77	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 107A0000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 107B0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 107C0000 value: 73	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 107D0000 value: 77	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 107E0000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 107F0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 24010000 value: 4D	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10800000 value: 00	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 4056 base: 10810000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 500000 value: 4B	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 510000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 520000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 530000 value: 4C	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2A10000 value: 4B	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2A20000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2A30000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2A40000 value: 47	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2A50000 value: 4B	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2A60000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2A70000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2A80000 value: 56	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2A90000 value: 4B	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2AA0000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2AB0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2E90000 value: 56	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2EA0000 value: 4B	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2EB0000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2EC0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2ED0000 value: 56	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2EE0000 value: 4B	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2EF0000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2F00000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2F10000 value: 61	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2F20000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2F30000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2F40000 value: 52	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2F50000 value: 61	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 2F60000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 47A0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 47B0000 value: 41	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 47C0000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 47D0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4820000 value: 63	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4830000 value: 41	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4840000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 48C0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 48E0000 value: 67	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 48F0000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4900000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4990000 value: 42	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 49A0000 value: 67	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 49B0000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 49C0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 49D0000 value: 67	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 49E0000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 49F0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4A80000 value: 47	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4A90000 value: 67	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4AA0000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4AB0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4AC0000 value: 6D	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4AD0000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4AE0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4B70000 value: 57	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4B80000 value: 6D	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4B90000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4BA0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4BB0000 value: 6D	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4BC0000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4BD0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4C60000 value: 61	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4C70000 value: 6D	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4C80000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4C90000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4CA0000 value: 6E	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4CB0000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4CC0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4D10000 value: 5A	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4D70000 value: 6E	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4D80000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4D90000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4DA0000 value: 6F	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4DB0000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4DC0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4E50000 value: 43	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4E60000 value: 6F	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4E70000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4E80000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4E90000 value: 6F	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4EA0000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4EB0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4F40000 value: 53	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4F50000 value: 6F	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4F60000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4F70000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4F80000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4F90000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 4FA0000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5030000 value: 53	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5040000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5050000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5060000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5070000 value: 73	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5080000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5090000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5120000 value: 53	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5130000 value: 73	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5140000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5150000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5160000 value: 75	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5170000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5180000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5210000 value: 47	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5220000 value: 75	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5230000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5240000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5250000 value: 77	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5260000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5270000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5300000 value: 46	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5310000 value: 77	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5320000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5330000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5340000 value: 77	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5350000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5360000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 53F0000 value: 77	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5400000 value: 77	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5410000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5420000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5430000 value: 77	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5440000 value: D0	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5450000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 54E0000 value: 73	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 54F0000 value: 77	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5500000 value: 70	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5510000 value: 55	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 24080000 value: 4D	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5520000 value: 00	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: PID: 2708 base: 5530000 value: 55	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 8510000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 7C30000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 7C60000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 85B0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 85C0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 8850000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 8860000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 8870000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 8B10000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 8B30000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 8B40000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 8B50000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 9750000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 97F0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 9800000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: B060000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: B190000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: BF40000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: BF50000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: BF60000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: BF70000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: BF80000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: BF90000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: BFA0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: BFB0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E2B0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E2C0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E2D0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E2E0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E2F0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E300000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E310000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E320000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E330000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E340000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E350000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E360000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E580000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E590000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E5A0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E5B0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E5C0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E5D0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E5E0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E5F0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E600000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E610000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E620000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: E630000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: F240000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: F250000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: F260000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: F270000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: F280000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: F290000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: F2A0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: F2B0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: F2C0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: F2D0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: F2E0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: F2F0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: F300000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: F320000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: F330000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10400000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10410000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10420000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10430000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10440000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10450000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10460000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10470000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10480000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10490000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 104A0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 104B0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 104C0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 104D0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 104E0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 104F0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10500000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10510000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10520000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10530000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10540000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10550000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10560000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10570000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10580000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10590000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 105A0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 105B0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 105C0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 105D0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 105E0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 105F0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10600000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10610000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10620000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10630000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10640000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10650000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10660000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10670000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10680000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10690000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 106A0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 106B0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 106C0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 106D0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 106E0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 106F0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10700000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10710000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10720000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10730000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10740000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10750000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10760000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10770000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10780000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10790000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 107A0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 107B0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 107C0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 107D0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 107E0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 107F0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 24010000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10800000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\explorer.exe base: 10810000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 500000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 510000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 520000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 530000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2A10000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2A20000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2A30000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2A40000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2A50000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2A60000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2A70000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2A80000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2A90000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2AA0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2AB0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2E90000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2EA0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2EB0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2EC0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2ED0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2EE0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2EF0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2F00000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2F10000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2F20000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2F30000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2F40000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2F50000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2F60000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 47A0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 47B0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 47C0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 47D0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4820000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4830000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4840000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 48C0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 48E0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 48F0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4900000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4990000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 49A0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 49B0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 49C0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 49D0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 49E0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 49F0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4A80000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4A90000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4AA0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4AB0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4AC0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4AD0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4AE0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4B70000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4B80000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4B90000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4BA0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4BB0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4BC0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4BD0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4C60000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4C70000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4C80000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4C90000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4CA0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4CB0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4CC0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4D10000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4D70000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4D80000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4D90000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4DA0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4DB0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4DC0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4E50000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4E60000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4E70000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4E80000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4E90000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4EA0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4EB0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4F40000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4F50000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4F60000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4F70000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4F80000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4F90000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4FA0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5030000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5040000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5050000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5060000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5070000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5080000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5090000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5120000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5130000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5140000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5150000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5160000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5170000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5180000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5210000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5220000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5230000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5240000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5250000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5260000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5270000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5300000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5310000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5320000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5330000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5340000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5350000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5360000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 53F0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5400000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5410000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5420000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5430000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5440000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5450000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 54E0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 54F0000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5500000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5510000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 24080000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5520000	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5530000	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_240B4968 keybd_event,keybd_event,

8_2_240B4968

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_2408544E mouse_event,

8_2_2408544E

Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Process created: C:\Users\user\Desktop\3ClBcOpPUX.exe "C:\Users\user\Desktop\3ClBcOpPUX.exe"	Jump to behavior
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Process created: C:\Windows\SysWOW64\System\svchost.exe "C:\Windows\system32\System\svchost.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 7532 -ip 7532	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7532 -s 564	Jump to behavior

Source: 3ClBcOpPUX.exe, 0000000A.00000002.2517015484.00000000045D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerer.
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2517015484.00000000045D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managers6+);
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2517015484.00000000045D0000.00000004.00000020.00020000.00000000.sdmp, 3ClBcOpPUX.exe, 0000000A.00000002.2518626694.00000000066B3000.00000004.00000020.00020000.00000000.sdmp, 3ClBcOpPUX.exe, 0000000A.00000002.2519440741.0000000006799000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, explorer.exe, 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, 3ClBcOpPUX.exe, 3ClBcOpPUX.exe, 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: ProgMan
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2517015484.00000000045D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerll
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2517015484.00000000045D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managers6+
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2517015484.00000000045D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerE2
Source: explorer.exe, 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, 3ClBcOpPUX.exe, 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: deskicoblockProgMan
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2517015484.00000000045D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerer7
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2517015484.00000000045D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managers6+)
Source: explorer.exe, 00000005.00000002.2514833375.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1268566634.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: explorer.exe, 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, 3ClBcOpPUX.exe, 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: ProgManS
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2512975944.0000000000932000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [ Program Manager ] ---> [ DATE/TIME: 18/01/2025 -- 17:04 ]
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2519440741.0000000006799000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerHCG
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2519440741.0000000006799000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager C/
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2519440741.0000000006799000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager$C+
Source: explorer.exe, 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, 3ClBcOpPUX.exe, 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: 4shell_traywnd
Source: explorer.exe, 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, 3ClBcOpPUX.exe, 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndTrayNotifyWndSysPagerjh
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2517015484.00000000045D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager_
Source: 3ClBcOpPUX.exe, svchost.exe.0.dr	Binary or memory string: Shell_TrayWndU
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2517015484.00000000045D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managers6b
Source: explorer.exe, 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, 3ClBcOpPUX.exe, 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndSV
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2517015484.00000000045D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managers6
Source: 3ClBcOpPUX.exe, svchost.exe.0.dr	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000002.2514833375.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1268566634.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2517015484.00000000045D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerer
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2517015484.00000000045D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerP
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2519440741.0000000006799000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager\|Cs
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2517015484.00000000045D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagererZ
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2517015484.00000000045D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerL
Source: explorer.exe, 00000005.00000002.2512612138.0000000000C59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1268258520.0000000000C59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: 3ClBcOpPUX.exe, svchost.exe.0.dr	Binary or memory string: explorer.exeexplorer.exeshell_traywndopenU
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2517015484.00000000045D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerx
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2512975944.0000000000932000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [ Program Manager ] ---> [ DATE/TIME: 14/01/2025 -- 22:12 ]
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2519440741.0000000006799000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerpC
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2517015484.00000000045D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerv
Source: explorer.exe, 00000005.00000002.2514833375.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1268566634.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2517015484.00000000045D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager:wi
Source: explorer.exe, 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, 3ClBcOpPUX.exe, 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndTrayNotifyWndSysPagerS
Source: explorer.exe, 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, 3ClBcOpPUX.exe, 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: btnstartblockButtonShell_TrayWnd
Source: 3ClBcOpPUX.exe, svchost.exe.0.dr	Binary or memory string: _PERSISTShell_TrayWndexplorer.exeU
Source: 3ClBcOpPUX.exe, svchost.exe.0.dr	Binary or memory string: shell_traywnd
Source: 3ClBcOpPUX.exe, 0000000A.00000002.2517015484.00000000045D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager9

Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	8_2_240847A8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetLocaleInfoA,	8_2_24088CD0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetKeyboardLayoutNameA,GetLocaleInfoA,GetLocaleInfoA,	8_2_24088DE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetLocaleInfoA,	8_2_24088F80
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	10_2_240F47A8
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: GetLocaleInfoA,	10_2_240F8CD0
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: GetKeyboardLayoutNameA,GetLocaleInfoA,GetLocaleInfoA,	10_2_240F8DE0
Source: C:\Users\user\Desktop\3ClBcOpPUX.exe	Code function: GetLocaleInfoA,	10_2_240F8F80

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_24081644 GetSystemTime,

8_2_24081644

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_240917EC GetUserNameA,

8_2_240917EC

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 8_2_240AC424 GetVersionExA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle,

8_2_240AC424

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE

Jump to behavior

Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 00000007.00000002.2514960815.0000014C30D02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Files%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: svchost.exe, 00000007.00000002.2514960815.0000014C30D02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected CyberGate RAT

Source: Yara match	File source: 3ClBcOpPUX.exe, type: SAMPLE
Source: Yara match	File source: 0.0.3ClBcOpPUX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.3ClBcOpPUX.exe.240f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.24080000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1254230385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3ClBcOpPUX.exe PID: 6412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3ClBcOpPUX.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\SysWOW64\System\svchost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	21 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Native API	22 Windows Service	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Service Execution	21 Registry Run Keys / Startup Folder	22 Windows Service	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	21 Input Capture	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	712 Process Injection	1 DLL Side-Loading	NTDS	1 System Service Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Registry Run Keys / Startup Folder	221 Masquerading	LSA Secrets	4 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	61 Virtualization/Sandbox Evasion	Cached Domain Credentials	35 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	271 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	712 Process Injection	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	61 Virtualization/Sandbox Evasion	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
3ClBcOpPUX.exe	90%	Virustotal		Browse
3ClBcOpPUX.exe	97%	ReversingLabs	Win32.Backdoor.Spyrat
3ClBcOpPUX.exe	100%	Avira	TR/Agent.598022
3ClBcOpPUX.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\SysWOW64\System\svchost.exe	100%	Avira	TR/Agent.598022
C:\Windows\SysWOW64\System\svchost.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\System\svchost.exe	97%	ReversingLabs	Win32.Backdoor.Spyrat

Source	Detection	Scanner	Label
https://ignup.as0	0%	Avira URL Cloud	safe
https://login.live	100%	Avira URL Cloud	malware
https://login.ecur	0%	Avira URL Cloud	safe
kalintz-40214.portmap.host:40214	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
kalintz-40214.portmap.host	193.161.193.99	true	true	unknown
time.windows.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
kalintz-40214.portmap.host:40214	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://Passport.NET/ess	svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000002.00000002.1365395442.0000018999C68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364200029.0000018999C67000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?t	explorer.exe, 00000005.00000002.2518815430.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1270712327.0000000007276000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter	explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000002.00000003.1364589405.0000018999C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365308250.0000018999C58000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd0	svchost.exe, 0000000F.00000002.2516436879.000002F4FE97F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc57	svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://excel.office.com	explorer.exe, 00000005.00000000.1282672550.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2530072847.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/ResolveUser.srf	svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/tbA	svchost.exe, 0000000F.00000003.1480462698.000002F4FE976000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000002.00000003.1364474842.0000018999C5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365422776.0000018999C70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364324542.0000018999C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365366318.0000018999C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364083180.0000018999C6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364224835.0000018999C62000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000002.00000003.1364511700.0000018999C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365257506.0000018999C42000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ignup.as0	svchost.exe, 0000000F.00000002.2514451498.000002F4FE039000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/ppsecure/devicechangecredential.srf	svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf.	svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc	explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf	svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wns.windows.com/	explorer.exe, 00000005.00000003.2274666714.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1279085771.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2523159601.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAOZ9	svchost.exe, 0000000F.00000003.1480462698.000002F4FE976000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/InlineSignup.aspx?iww=1&id=80502	svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 00000002.00000002.1365149444.0000018999C13000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000002.00000003.1364474842.0000018999C5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365366318.0000018999C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365193517.0000018999C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364224835.0000018999C62000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/tb_	svchost.exe, 0000000F.00000003.1542355235.000002F4FF043000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514877018.000002F4FE081000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1456730040.000002F4FF049000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.live	svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000005.00000003.2272569777.000000000C41F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2274640363.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271443276.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1282672550.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp	false		high
https://word.office.com	explorer.exe, 00000005.00000000.1282672550.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2530072847.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000002.00000003.1364399286.0000018999C5D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000002.00000002.1365395442.0000018999C68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365193517.0000018999C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364200029.0000018999C67000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfJ	svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/msangcwam	svchost.exe, 0000000F.00000003.1341599713.000002F4FE92A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2516278622.000002F4FE937000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341319930.000002F4FE957000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	svchost.exe, 00000002.00000003.1364511700.0000018999C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364324542.0000018999C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365257506.0000018999C42000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 0000000F.00000002.2515436325.000002F4FE0DC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdx	svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://passport.net/tb	svchost.exe, 0000000F.00000002.2517335984.000002F4FF087000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2515543348.000002F4FE0E9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000002.00000003.1364549872.0000018999C47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365257506.0000018999C42000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/Issueue	svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000002.00000003.1364511700.0000018999C41000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf	svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdx	svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000002.00000003.1364589405.0000018999C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365308250.0000018999C58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://outlook.com	explorer.exe, 00000005.00000000.1282672550.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2530072847.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000002.00000003.1364589405.0000018999C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365308250.0000018999C58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.t	svchost.exe, 00000002.00000003.1363958641.0000018999C33000.00000004.00000020.00020000.00000000.sdmp	false		high
https://android.notify.windows.com/iOS	explorer.exe, 00000005.00000002.2523159601.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1279085771.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2274666714.000000000913F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000002.00000003.1364589405.0000018999C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365308250.0000018999C58000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAA	svchost.exe, 0000000F.00000003.1462230280.000002F4FE929000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000005.00000002.2523159601.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2275783256.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1279085771.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/Issuessue	svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000002.00000002.1365366318.0000018999C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364224835.0000018999C62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.ecur	svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trustn	svchost.exe, 0000000F.00000002.2516278622.000002F4FE937000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/Wizard/Password/Change?id=806014	svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000002.00000002.1365422776.0000018999C70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364083180.0000018999C6E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000002.00000003.1363958641.0000018999C33000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000005.00000003.2275783256.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1279085771.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2523159601.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua	explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.pollensense.com/	explorer.exe, 00000005.00000002.2518815430.00000000071B1000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000002.00000003.1364589405.0000018999C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365308250.0000018999C58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000002.00000003.1364511700.0000018999C41000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf	svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA	svchost.exe, 0000000F.00000003.1462230280.000002F4FE929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1480462698.000002F4FE976000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceQuery.srf	svchost.exe, 0000000F.00000003.1341291721.000002F4FE93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341367006.000002F4FE963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	svchost.exe, 0000000F.00000002.2516721060.000002F4FF013000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust	svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1364411043.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 00000005.00000002.2522447188.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.2520944517.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.2522422061.0000000008810000.00000002.00000001.00040000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsithm	svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/MSARST2.srf	svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/STS	svchost.exe, 0000000F.00000003.1480462698.000002F4FE976000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2516436879.000002F4FE97F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2516278622.000002F4FE937000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000002.00000003.1364589405.0000018999C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365308250.0000018999C58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000002.00000002.1365193517.0000018999C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1363958641.0000018999C33000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceQuery.srf-	svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.w3.	svchost.exe, 0000000F.00000003.1511821480.000002F4FE983000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/	svchost.exe, 0000000F.00000002.2514755975.000002F4FE05E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf%	svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-	explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdsAAAA	svchost.exe, 0000000F.00000003.1480462698.000002F4FE976000.00000004.00000020.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	explorer.exe, 00000005.00000000.1270712327.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2518815430.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/Issuee2	svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/tb	svchost.exe, 0000000F.00000003.1493134780.000002F4FE988000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1493134780.000002F4FE984000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2516436879.000002F4FE97F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2517335984.000002F4FF087000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1364411043.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2516278622.000002F4FE937000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	svchost.exe, 0000000F.00000002.2516367199.000002F4FE95F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1462998793.000002F4FE910000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1480462698.000002F4FE976000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1461951043.000002F4FE90E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2516436879.000002F4FE97F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1524590976.000002F4FE977000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1364411043.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1446758121.000002F4FE90E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2515543348.000002F4FE0E9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2516012426.000002F4FE900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1447490105.000002F4FE90E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd	svchost.exe, 0000000F.00000002.2516436879.000002F4FE97F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://signup.live.com/signup.aspx	svchost.exe, 0000000F.00000003.1341344444.000002F4FE940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE955000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2514652718.000002F4FE040000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000002.00000002.1365395442.0000018999C68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365193517.0000018999C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364200029.0000018999C67000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80601	svchost.exe, 0000000F.00000003.1341477740.000002F4FE956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1341126013.000002F4FE952000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590401
Start date and time:	2025-01-14 01:11:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	3ClBcOpPUX.exe renamed because original name is a hash value
Original Sample Name:	aed92a8301931959100a1bb8c52251df2fdddaf8b76ab34b6f24d7bbe58a4fe6.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@22/16@2/0
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 96% Number of executed functions: 97 Number of non-executed functions: 204
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe
Excluded IPs from analysis (whitelisted): 20.101.57.9, 40.126.31.71, 20.190.159.4, 20.190.159.73, 20.190.159.2, 20.190.159.64, 20.190.159.68, 20.190.159.71, 20.190.159.75, 199.232.210.172, 52.168.117.173, 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, twc.trafficmanager.net, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target 3ClBcOpPUX.exe, PID 6412 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:12:05	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run JSA C:\Windows\system32\System\svchost.exe
01:12:14	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SAQ C:\Windows\system32\System\svchost.exe
03:12:18	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run JSA C:\Windows\system32\System\svchost.exe
19:12:07	API Interceptor	2894888x Sleep call for process: 3ClBcOpPUX.exe modified
19:12:18	API Interceptor	854x Sleep call for process: explorer.exe modified
21:12:14	API Interceptor	1x Sleep call for process: WerFault.exe modified
21:12:47	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	40#U0433.doc	Get hash	malicious	Unknown	Browse	199.232.214.172
	KymUijfvKi.doc	Get hash	malicious	Unknown	Browse	199.232.210.172
	Rev5_ Joint Declaration C5 GER_track changes.doc	Get hash	malicious	Unknown	Browse	199.232.210.172
	RoYAd85faz.doc	Get hash	malicious	Unknown	Browse	199.232.210.172
	40#U0433.doc	Get hash	malicious	Unknown	Browse	199.232.210.172
	RoYAd85faz.doc	Get hash	malicious	Unknown	Browse	199.232.214.172
	3.19.1+SetupWIService.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	JUbmpeT.exe	Get hash	malicious	Vidar	Browse	199.232.210.172
	Invoice and packing list.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	199.232.210.172
	AstralprivateDLL.exe.bin.exe	Get hash	malicious	DCRat, PureLog Stealer, Xmrig, zgRAT	Browse	199.232.210.172

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_73eb877722a7a4e6c3285f964f520f8d841e3c_e18b091b_e03f20cc-fcef-4cf7-af63-2fc7398c0d83\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7789841380022714
Encrypted:	false
SSDEEP:	96:bFFs1Ky3As7hhp7MfGQXIDcQvc6QcEVcw3cE/OhI+HbHg/8BRTf3+kEcIh8dNRgP:xaQ8AH0BU/AjJg3xzuiF9Z24IO8U
MD5:	20718C696A7F435D898DBE21BEB76645
SHA1:	1DE08BDEBBAD548932DA3B371421F3824564E056
SHA-256:	35845DC5B6113FEBF39C603F27A2558F4D9E5F512D3C63A1E115CC1EE17AC2FB
SHA-512:	B8566BF26F5BFFDC9ED6136CAF4E8B4A85F745471E069E3C9FE08C7F8B3F763B941F2B017D4A7C621CA3AAA58A407491F90DCEBD38370F43F9743777EDB9005F
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.2.8.7.1.2.9.3.0.6.3.5.5.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.2.8.7.1.2.9.7.4.3.8.6.9.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.0.3.f.2.0.c.c.-.f.c.e.f.-.4.c.f.7.-.a.f.6.3.-.2.f.c.7.3.9.8.c.0.d.8.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.e.2.b.f.e.a.f.-.0.2.7.b.-.4.d.7.b.-.8.1.f.2.-.8.8.1.1.8.e.c.0.9.9.b.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.6.c.-.0.0.0.1.-.0.0.1.4.-.f.e.3.4.-.7.8.f.3.1.8.6.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.2.c.e.3.3.1.5.f.f.a.f.9.9.8.d.5.3.b.f.a.c.f.0.c.c.4.c.6.4.a.0.0.0.0.0.f.f.f.f.!.0.0.0.0.2.c.e.a.7.1.8.7.4.e.7.3.5.a.b.2.3.b.2.5.8.0.b.0.3.e.0.a.f.a.d.b.b.a.d.f.0.b.d.4.!.s.v.c.h.o.s.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA78E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Jan 14 00:12:09 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	37802
Entropy (8bit):	1.9862533692226305
Encrypted:	false
SSDEEP:	192:mbXu8G/kGbOLb4iJCg6jTMyQl9g6J0Fg8HIMHclEg2:nFkTLv66UbDe
MD5:	CB69057ADB3C3392F733F419F0A9D951
SHA1:	C93AB831B479699FAE3B3EB0D087C8ECE5394C61
SHA-256:	F191906D46B8B190E6FDA80C909A62DE9DA42544E9205678EA95835F940CD35D
SHA-512:	051DE0D4334C3A07AABA3DE58300D25B120167B1DDE7FB9FD21BF10A1D8B447A54DC34A36A520659D7F07EBD9110258C615945308657ACF3FCF88258A1C00672
Malicious:	false
Preview:	MDMP..a..... .........g........................h................#..........T.......8...........T................\|......................................................................................................eJ..............GenuineIntel............T.......l.....g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA85A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8262
Entropy (8bit):	3.6921810286929966
Encrypted:	false
SSDEEP:	192:R6l7wVeJE26r6Y+nM6WFgmfN/prt89bJfsfVjm:R6lXJt6r6Y96EgmfN4JEfc
MD5:	F7B55CBFC02E4A08BA1287177A39C46B
SHA1:	A1397AC55EB1D5433A2D1BEF1673E65EEE515ADB
SHA-256:	972A595B9877B57FB6F0F1E4EF4120E59E697481056476B7300870899B0D7CB7
SHA-512:	8477BC88F225082EA50FD9126216253CA0D0912B1199F894DCA76D9134149A54CD23A6C718FECF01405191C7218D2C44F12DF22BD8966F95C436EE1CEBC56D66
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA88A.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4558
Entropy (8bit):	4.4320058788722605
Encrypted:	false
SSDEEP:	48:cvIwWl8zsSJg77aI9VyWpW8VYx5Ym8M4JCXuFg+q8gF33v+DHMd:uIjfgI7XT7V7JCbHnkHMd
MD5:	D98D166489FEA3E065D77025554B78CB
SHA1:	ADB25DA346D75B0C751D59C19BB7A956077FDA30
SHA-256:	D32F077A3CB923E1F59FA9295E7FB7F758D10BDF80F59CD384258DE03DC20B5A
SHA-512:	8245CBCCCD91CE3933CD06C5191E6319AADE17845FB18787FA0377E69EBA5B2F57FCF5AED23BECF628EC03C1F896F0471F9CD3071949E8772ACB8AE6F4AC63BD
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="674834" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA898.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	79250
Entropy (8bit):	3.049590637428848
Encrypted:	false
SSDEEP:	768:ACgpp7dRr6wkRgYsxG8kmeqOMPh6eWlPa217jjXLbQAy:APp3rjkRgYsx6COMPh6ZlPd1PjXL0Ay
MD5:	33D6D91B276A999DCC935D2E8DF6EEF3
SHA1:	BFE11EA9E758CABEE9511235CE63CCCD443CD26E
SHA-256:	309074DE0B473A2BAD9F15444700D674694C63958B0C07EF45C6BEBB410F4B75
SHA-512:	3C7EBA265569044308889E382BF49A9938F50BE7D12B76D1D62F09232D0B28A0E8AFE0129F551B44C7240C48BDC320E332A3031B580CC9D275E6B0A36B18E025
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8F7.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6856058749085805
Encrypted:	false
SSDEEP:	96:TiZYW/i5wBlfoYCDYzWTHHmYEZfRtEifVAwuw4TbQabOhMYwdI/ry3:2ZD/2VDxg+HQabOhMYwi/G3
MD5:	10A0396F290C63CBB6CE9D2D86DCBACA
SHA1:	DDCBE0E095A4A00344BB7FDB3ABDF8AF9B49527E
SHA-256:	3C6D4DEB81C406247E475DC0540179153125EB46218CED1C2714B8A9F35772C6
SHA-512:	E00903A2D54268596E464A05140594F3DC9C48AD23051209DEEDCFC321D6053F252A23A6A929309CFB2A248507D86E9520ACAD6D8F4038991F1B8106C4B74CC4
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 4761 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	4761
Entropy (8bit):	7.945585251880973
Encrypted:	false
SSDEEP:	96:6ZUpZsm0HwZ8FLSeXs+aiL9qcZ7KtlAD1GlNHgdkVI5F11AcNmwkVFzGz6ENhZC7:62T0QOLl8vAqcZ7K3AUNAdx5FAx9VEOj
MD5:	77B20B5CD41BC6BB475CCA3F91AE6E3C
SHA1:	9E98ACE72BD2AB931341427A856EF4CEA6FAF806
SHA-256:	5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
SHA-512:	3537DA5E7F3ABA3DAFE6A86E9511ABA20B7A3D34F30AEA6CC11FEEF7768BD63C0C85679C49E99C3291BD1B552DED2C6973B6C2F7F6D731BCFACECAB218E72FD4
Malicious:	false
Preview:	MSCF............,...................O..................YWP .disallowedcert.stl.lJ..B...CK.wTS.....{.&Uz.I."E".HS@. .P.!.....E. .DQ..... EDA.H. E..""/.s<.s.9.....&#.{~k.VV..7@......b.R....MdT..B.L..%.C......" ....%.4%..%.B..T.d...S.....pem..$....&.q.`.+...E..C.....$.\|.A.!~d.H>w%S$...QC't..;..<..R@....2. .l..?..c..A....Ew...l..K$.. ~...'......Mt^c..s.Y%..}......h......m....h.......~d...,...=ge3.....2%..(...T..!].....!C~.X..MHU.o[.z].Y...&lXG;uW.:...2!..][\/.G..]6#.I...S..#F.X.k.j.....)Nc.].t^.-l.Y...4?.b...rY....A......7.D.H\.R...s.L,.6.\|.....VQ....<........... [Z....].N0LU.X........6..C\....F.....KbZ..^=.@.B..MyH...%.2.>...]..E.....sZ.f..3z.].Y.t.d$.....P...,. .~..mNZ[PL.<....d..+...l.-...b.^....6F..z.&.;D.._..c."...d..... k9....60?&..Y.v.dgu...{.....{..d=..$......@^..qA..*uJ..@W.V..eC..AV.e+21...N.{.]..]..f]..`Z.....]2.....x..f..K...t. ...e.V.U.$PV..@6W\_nsm.n.........A<.......d....@f..Z... >R..k.....8..Y....E>..2o7..........c..K7n....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	340
Entropy (8bit):	3.2507060390371376
Encrypted:	false
SSDEEP:	6:kKtT5+7DNfUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:VMLkPlE99SCQl2DUeXJlOA
MD5:	6A91B9A3D168F49DE64FB686F67D9A61
SHA1:	A78EBA042CDF10B195A85B6C2098E5B8B8CF294C
SHA-256:	B519545803EDD8981A049E1FC35CF8C0163E1D55FA6851CDE32262158EA21F35
SHA-512:	9F67E24F92CD5022EF7DB0B608F65578668D93CF478F5EB535CAF900F98715F734F09B1EBDFA8654C7E5F338C572B9FF7DD178289F73D1DBC81A4B2AE14FFB66
Malicious:	false
Preview:	p...... ........``C..f..(....................................................... ........~..MG......&.....6.........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...

C:\Users\user\AppData\Local\Temp\UuU.uUu

Download File

Process:	C:\Users\user\Desktop\3ClBcOpPUX.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.25
Encrypted:	false
SSDEEP:	3:Mf53:MR
MD5:	86396A44E457CACABE57B4F5017C3846
SHA1:	4D6E3BB1FBA487E23C9ADD0125A51211135E0A6E
SHA-256:	502A4F6D9EBFCC15C0EC5C4EAD12DB75B27ED7EEC533C700EBC7B43B4AEBF78C
SHA-512:	1FFDF754B46FB7C64304DF5E230FBA946F26F6A74EBA517C904D0A784698DE091E973B4EBF9221C7A0B0BC06ABB0F2C9FD627442079C24E20E700FFBCBF1C127
Malicious:	false
Preview:	10:33:08

C:\Users\user\AppData\Local\Temp\XX--XX--XX.txt

Download File

Process:	C:\Users\user\Desktop\3ClBcOpPUX.exe
File Type:	data
Category:	modified
Size (bytes):	235393
Entropy (8bit):	7.963225516788606
Encrypted:	false
SSDEEP:	3072:oiP5JuXLFG3Oa95BrKUqEQ94jhc3PQuPe2D2ue3NXR0jW/UCFnp7HBIJJyCwFiCT:f5JGmrpQsK3RD2u270jupCJsCxCT
MD5:	C68383F0EFD1112CD0A52915818AFCF7
SHA1:	393F192D83B5F1EEE18AE4EDCDF56DEBE8821302
SHA-256:	1662E9DE80AAE9270A40E7F80F26732DC16376E669D8FB7FFD0CC7AC1D0D984A
SHA-512:	4B207B1975DE31D4282B1EC393E55B5BDC8075469BB367EDD05A97D6D116EA590E36A7C4893EE484308F0591418D4AEF1F415AC4F2EE03049809EB852FC285FD
Malicious:	false
Preview:	C:\Users\user\Desktop\3ClBcOpPUX.exe\|C:\Windows\system32\System\svchost.exe\|.............................####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@####..####@####...####@####....####@####.####@####..............####@####......####@####..........####@####...............................####@####...####@####...####@####.....####@####..####@####.####@####.Q..............####@####...............####@####....####@####....####@####.....####@####............####@####......####@#### ####@####........####@####.&Kj..b####@####..####@####..####@####.....####@####.....####@####.....####@####....####@####....####@####....####@####....####@####....####@####....####@####....####@####....####@####....####@####.####@####...........####@####....####@####....####@####....####@####.........####@####.....####@####............

C:\Users\user\AppData\Local\Temp\XxX.xXx

Download File

Process:	C:\Users\user\Desktop\3ClBcOpPUX.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	8
Entropy (8bit):	2.5
Encrypted:	false
SSDEEP:	3:MfqRc:MP
MD5:	28EC79CF8431BA0EEA2EF3FFED0882FE
SHA1:	D9EC83611ABFC9B2DA66C1BA52C973E08B93DFBB
SHA-256:	8411CE45394DACB87714A4D8ABB8E69ADFF215BE6171B0A9E4773D4CBBBD1AC5
SHA-512:	B2B07C4C0A6AE5E54DCC504922ECB2A0ADEC817B278000D62E3EE991EBA9D5FA4E1264601F2CB6ED54011E94BD5E9DEAF06CE9C09BB974FC09810D7400984015
Malicious:	false
Preview:	10:43:49

C:\Users\user\AppData\Roaming\logs.dat

Download File

Process:	C:\Users\user\Desktop\3ClBcOpPUX.exe
File Type:	data
Category:	dropped
Size (bytes):	185
Entropy (8bit):	5.480652901743442
Encrypted:	false
SSDEEP:	3:WhqgGRQPehFrcfRr+6b0Z6RXwQ5mMIJZovGgQPehFrcfRr+6X0Z6RzTovx5mMIJc:W4gVPehWfRrP4cyQ5mJJZokPehWfRrPA
MD5:	23184B76889BDBA5B6097D281F9CC037
SHA1:	9D7FA38F94969F22EBBF65E894EBE15C4E90DEE3
SHA-256:	85014D347B251EB75835DAEFF89C028831BDF59EC97BED5D31FEB74FC164246E
SHA-512:	64FE5E1E467C3225028CFC5D7806585AB86261B403FA25C1F60C4E33EAB9EFE7E77D1D8CF3D559DD43AD48A17F50C96976E8B15B859BEDB33686A21F0F9DB797
Malicious:	false
Preview:	ufDQcGGKk..####u{DJIYO[hCMECIS+s6+);4+}$wjbk%..hk1.'>22+6<3>.;+$$81763v....>iKMZ6yQCQP-,!....####u{DJIYO[hCMECIS+s6+);4+}$wjbk%..hk1.'222+6<3>.;+$'=1603v....>iKMZ6yQCQP-,!....####

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	2464
Entropy (8bit):	3.2492648148111805
Encrypted:	false
SSDEEP:	24:QOaqdmuF3rL4+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVx9:FaqdF7L4+AAHdKoqKFxcxkFZu
MD5:	01760F1F7BCE9E3C19760633EB313794
SHA1:	AC9867BD048DEE12998FDD217DA8DFD972A57EA4
SHA-256:	68B58C9721C83D1F31581EB25EB8D5C0A99184D0C651FBDD7C147417BDCB8BB8
SHA-512:	8DA8DF6D658E478E791B058657C373893A73F0340E552C9959C934DCC67B1377762159B5BD69789F32BF5973E788C2EA38DEE27DB90EB0BB0AA84E9D9460096C
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. M.o.n. .. J.a.n. .. 1.3. .. 2.0.2.5. .2.1.:.1.2.:.4.7.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

C:\Windows\SysWOW64\System\svchost.exe

Download File

Process:	C:\Users\user\Desktop\3ClBcOpPUX.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	290304
Entropy (8bit):	7.857458421691476
Encrypted:	false
SSDEEP:	6144:jmcD66RRjf5JGmrpQsK3RD2u270jupCJsCxCC:acD663eZ2zkPaCx5
MD5:	77515669C23C08469A95333A8D43BE63
SHA1:	2CEA71874E735AB23B2580B03E0AFADBBADF0BD4
SHA-256:	AED92A8301931959100A1BB8C52251DF2FDDDAF8B76AB34B6F24D7BBE58A4FE6
SHA-512:	9B10AE0C4B02512B9F0E9B35FB5B1A5A323545BE80C241E01519A4781F24F50609CCC2158E63E09C59C2820DE9E37E06301C12509E9133FF4F62976293860304
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CyberGate, Description: Yara detected CyberGate RAT, Source: C:\Windows\SysWOW64\System\svchost.exe, Author: Joe Security Rule: Windows_Trojan_CyberGate_517aac7d, Description: unknown, Source: C:\Windows\SysWOW64\System\svchost.exe, Author: unknown Rule: Windows_Trojan_CyberGate_9996d800, Description: unknown, Source: C:\Windows\SysWOW64\System\svchost.exe, Author: unknown Rule: RAT_CyberGate, Description: Detects CyberGate RAT, Source: C:\Windows\SysWOW64\System\svchost.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: CyberGate, Description: unknown, Source: C:\Windows\SysWOW64\System\svchost.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: MALWARE_Win_CyberGate, Description: Detects CyberGate/Spyrat/Rebhip RTA, Source: C:\Windows\SysWOW64\System\svchost.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@...................................@.......................0..`............................ ......................................................CODE............................... ..`DATA.... ...........................@...BSS......................................idata..............................@....tls.....................................rdata....... ......................@..P.reloc..`....0......................@..P.rsrc........@......................@..P.............P......................@..P........................................................................................................................................

C:\Windows\SysWOW64\System\svchost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\3ClBcOpPUX.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.416627836501753
Encrypted:	false
SSDEEP:	6144:zcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNW5+T:oi58oSWIZBk2MM6AFBwoT
MD5:	A05A9010841638FB41F38B63B5A0E996
SHA1:	A286D5A97021E4924589E4B13F98DAFC1D83AC3F
SHA-256:	43CE83B9C9D8ADD94A86E2FE27DED1AB16C0DD427DF81A75104FBC17CBEA8EEA
SHA-512:	7E5C2509DE8C029856DD26E3CDABE2FEA23E9412747E9223B3812FCCEF3A67626D01147CD9343F5167CE58FDEEF2CA2C861162A02D518161B97872A264606992
Malicious:	false
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm2...f...............................................................................................................................................................................................................................................................................................................................................n..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.857458421691476
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3ClBcOpPUX.exe
File size:	290'304 bytes
MD5:	77515669c23c08469a95333a8d43be63
SHA1:	2cea71874e735ab23b2580b03e0afadbbadf0bd4
SHA256:	aed92a8301931959100a1bb8c52251df2fdddaf8b76ab34b6f24d7bbe58a4fe6
SHA512:	9b10ae0c4b02512b9f0e9b35fb5b1a5a323545be80c241e01519a4781f24f50609ccc2158e63e09c59c2820de9e37e06301c12509e9133ff4f62976293860304
SSDEEP:	6144:jmcD66RRjf5JGmrpQsK3RD2u270jupCJsCxCC:acD663eZ2zkPaCx5
TLSH:	F754F1A6B6C4C6BAC2B40EFC5C28C1A439ADB9323E7714A7F6DD0F4D593D092690D183
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40bbf4
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	078683deeee217bf8224debb163055d6

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov ecx, 0000000Bh
push 00000000h
push 00000000h
dec ecx
jne 00007F71111C4DBBh
push ebx
mov eax, 0040BB04h
call 00007F71111BC5CFh
xor eax, eax
push ebp
push 0040C0C4h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 0040C0D4h
push 00000000h
push 00000000h
call 00007F71111BC703h
mov ebx, eax
call 00007F71111BC784h
cmp eax, 000000B7h
jne 00007F71111C4DD4h
push ebx
call 00007F71111BC6BFh
push 00002EE0h
call 00007F71111BC7F5h
jmp 00007F71111C4DC8h
push ebx
call 00007F71111BC6ADh
push 0040C0E8h
push 00000000h
push 00000000h
call 00007F71111BC6CFh
mov ebx, eax
call 00007F71111BC750h
cmp eax, 000000B7h
jne 00007F71111C4FF0h
push ebx
call 00007F71111BC687h
lea eax, dword ptr [ebp-14h]
call 00007F71111C2C1Bh
mov edx, dword ptr [ebp-14h]
mov eax, 0040F1ECh
call 00007F71111BAC4Eh
cmp dword ptr [0040F1ECh], 00000000h
je 00007F71111C4DF1h
mov eax, dword ptr [0040F1ECh]
call 00007F71111BAE77h
push eax
lea eax, dword ptr [ebp-18h]
call 00007F71111BF126h
lea eax, dword ptr [ebp-18h]
mov edx, 0040C108h
call 00007F71111BAE69h
mov eax, dword ptr [ebp-18h]
mov edx, dword ptr [0040F1ECh]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10000	0xbe4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x399bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13000	0xa60	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x12000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0xb1c8	0xb200	4a2150bf37c4ff6bbd8f4f2c3a09b096	False	0.5470066713483146	data	6.41418124966198	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xd000	0x220	0x400	dd653175899ceecf929eb6d19ce189b4	False	0.2685546875	data	2.7642577357404954	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xe000	0x11f1	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x10000	0xbe4	0xc00	4f982c9b59dc3fc83ad5a7c9912faa66	False	0.4296875	data	4.770955685378527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x11000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x12000	0x18	0x200	a270a5e1f4f71f9ddb31027f913842a2	False	0.05078125	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "A"	0.20544562813451883	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x13000	0xa60	0xc00	ba51f7deda6128aa3417cb4fe1f7eb61	False	0.751953125	data	6.245900512684813	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x399bc	0x39a00	d415ea625552dd0d91d60004efc89112	False	0.9749525488069414	data	7.963350386550714	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_RCDATA	0x140f8	0x10	data	1.5
RT_RCDATA	0x14108	0x184	data	0.7938144329896907
RT_RCDATA	0x1428c	0x39730	data	0.9758108383762834

Imports

DLL	Import
kernel32.dll	GetCurrentThreadId, WideCharToMultiByte, MultiByteToWideChar, ExitProcess, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetCommandLineA, TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, GetModuleFileNameA, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap
user32.dll	CharNextA
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegEnumValueA, RegDeleteKeyA, RegCreateKeyExA, RegCreateKeyA, RegCloseKey, OpenProcessToken, LookupAccountNameA, IsValidSid, GetUserNameA
kernel32.dll	lstrlenA, lstrcmpiA, WriteProcessMemory, WriteFile, WaitForSingleObject, VirtualProtectEx, VirtualProtect, VirtualFreeEx, VirtualFree, VirtualAllocEx, VirtualAlloc, Sleep, SizeofResource, SetFilePointer, SetFileAttributesA, ReadProcessMemory, ReadFile, OpenProcess, LockResource, LoadResource, LoadLibraryA, GlobalFree, GetVersionExA, GetTickCount, GetProcAddress, GetPrivateProfileStringA, GetPrivateProfileIntA, GetModuleHandleA, GetLastError, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetCurrentProcess, FreeResource, FreeLibrary, FindResourceA, FindFirstFileA, FindClose, ExitProcess, DeleteFileA, CreateRemoteThread, CreateProcessA, CreateMutexA, CreateFileA, CreateDirectoryA, CopyFileA, CloseHandle
user32.dll	wvsprintfA, TranslateMessage, ToAscii, SetWindowsHookExA, PeekMessageA, GetWindowThreadProcessId, GetKeyboardState, FindWindowA, DispatchMessageA, CharLowerA, CharUpperA
ole32.dll	OleInitialize, CoCreateInstance
ole32.dll	CoTaskMemFree
pstorec.dll	PStoreCreateInstance
ole32.dll	StringFromCLSID
rasapi32.dll	RasGetEntryDialParamsA, RasEnumEntriesA
shell32.dll	SHGetSpecialFolderPathA
advapi32.dll	LsaFreeMemory, LsaClose, LsaRetrievePrivateData, LsaOpenPolicy, ConvertSidToStringSidA
crypt32.dll	CryptUnprotectData
advapi32.dll	CredEnumerateA
advapi32.dll	CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextA

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T01:14:14.762003+0100	2809763	ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M5	1	192.168.2.7	49985	193.161.193.99	40214	TCP
2025-01-14T01:14:22.694873+0100	2809763	ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M5	1	192.168.2.7	49986	193.161.193.99	40214	TCP
2025-01-14T01:14:30.679021+0100	2809763	ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M5	1	192.168.2.7	49987	193.161.193.99	40214	TCP

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 01:12:07.510587931 CET	53087	53	192.168.2.7	1.1.1.1
Jan 14, 2025 01:14:14.683231115 CET	50187	53	192.168.2.7	1.1.1.1
Jan 14, 2025 01:14:14.702224970 CET	53	50187	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 01:12:07.510587931 CET	192.168.2.7	1.1.1.1	0x910	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 01:14:14.683231115 CET	192.168.2.7	1.1.1.1	0xc16a	Standard query (0)	kalintz-40214.portmap.host	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 01:12:07.517467022 CET	1.1.1.1	192.168.2.7	0x910	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 01:12:11.924717903 CET	1.1.1.1	192.168.2.7	0xa5cb	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 01:12:11.924717903 CET	1.1.1.1	192.168.2.7	0xa5cb	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 01:12:56.252504110 CET	1.1.1.1	192.168.2.7	0x5690	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 01:12:56.252504110 CET	1.1.1.1	192.168.2.7	0x5690	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 01:14:14.702224970 CET	1.1.1.1	192.168.2.7	0xc16a	No error (0)	kalintz-40214.portmap.host		193.161.193.99	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	19:12:01
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\3ClBcOpPUX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3ClBcOpPUX.exe"
Imagebase:	0x400000
File size:	290'304 bytes
MD5 hash:	77515669C23C08469A95333A8D43BE63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CyberGate, Description: Yara detected CyberGate RAT, Source: 00000000.00000000.1254230385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_CyberGate_517aac7d, Description: unknown, Source: 00000000.00000000.1254230385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_CyberGate_9996d800, Description: unknown, Source: 00000000.00000000.1254230385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:12:02
Start date:	13/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:12:02
Start date:	13/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	19:12:02
Start date:	13/01/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff70ffd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	19:12:02
Start date:	13/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	19:12:03
Start date:	13/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	19:12:05
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	explorer.exe
Imagebase:	0xd90000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: Windows_Trojan_CyberGate_9996d800, Description: unknown, Source: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CyberGate, Description: Yara detected CyberGate RAT, Source: 00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CyberGate_517aac7d, Description: unknown, Source: 00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CyberGate_9996d800, Description: unknown, Source: 00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: RAT_CyberGate, Description: Detects CyberGate RAT, Source: 00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: CyberGate, Description: unknown, Source: 00000008.00000003.1307346433.0000000005C4A000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CyberGate, Description: Yara detected CyberGate RAT, Source: 00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CyberGate_517aac7d, Description: unknown, Source: 00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CyberGate_9996d800, Description: unknown, Source: 00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: RAT_CyberGate, Description: Detects CyberGate RAT, Source: 00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: CyberGate, Description: unknown, Source: 00000008.00000002.2518697463.0000000005C90000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	19:12:06
Start date:	13/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	19:12:07
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\3ClBcOpPUX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3ClBcOpPUX.exe"
Imagebase:	0x400000
File size:	290'304 bytes
MD5 hash:	77515669C23C08469A95333A8D43BE63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: Windows_Trojan_CyberGate_9996d800, Description: unknown, Source: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	19:12:08
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\System\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\System\svchost.exe"
Imagebase:	0x400000
File size:	290'304 bytes
MD5 hash:	77515669C23C08469A95333A8D43BE63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CyberGate, Description: Yara detected CyberGate RAT, Source: C:\Windows\SysWOW64\System\svchost.exe, Author: Joe Security Rule: Windows_Trojan_CyberGate_517aac7d, Description: unknown, Source: C:\Windows\SysWOW64\System\svchost.exe, Author: unknown Rule: Windows_Trojan_CyberGate_9996d800, Description: unknown, Source: C:\Windows\SysWOW64\System\svchost.exe, Author: unknown Rule: RAT_CyberGate, Description: Detects CyberGate RAT, Source: C:\Windows\SysWOW64\System\svchost.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: CyberGate, Description: unknown, Source: C:\Windows\SysWOW64\System\svchost.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: MALWARE_Win_CyberGate, Description: Detects CyberGate/Spyrat/Rebhip RTA, Source: C:\Windows\SysWOW64\System\svchost.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	19:12:08
Start date:	13/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	19:12:09
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 7532 -ip 7532
Imagebase:	0x7b0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	19:12:09
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7532 -s 564
Imagebase:	0x7b0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	19:12:09
Start date:	13/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	21:12:47
Start date:	13/01/2025
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff693610000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	21:12:47
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	30%
Signature Coverage:	13.8%
Total number of Nodes:	747
Total number of Limit Nodes:	9

Executed Functions

Function 240C6188 Relevance: 56.4, APIs: 19, Strings: 13, Instructions: 394
registrysleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,240D37BC,240CB980,240CB97C,00000000,240C6746,?,?,?,00000000,00000000), ref: 240C62AC
RegDeleteKeyA.ADVAPI32(?,00000000), ref: 240C62C4
RegCloseKey.ADVAPI32(?,?,00000000,80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,240D37BC,240CB980,240CB97C,00000000,240C6746,?,?,?,00000000), ref: 240C62CF
GetLastError.KERNEL32(240CB980,240CB97C,00000000,240C6746,?,?,?,00000000,00000000), ref: 240C630D
CloseHandle.KERNEL32(0000047C,240CB980,240CB97C,00000000,240C6746,?,?,?,00000000,00000000), ref: 240C6321
DeleteFileA.KERNEL32(00000000,240CB980,240CB97C,00000000,240C6746,?,?,?,00000000,00000000), ref: 240C633D

Part of subcall function 24084F18: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 24084F2E

GetLastError.KERNEL32(00000000,240CB980,240CB97C,00000000,240C6746,?,?,?,00000000,00000000), ref: 240C6360
ExitProcess.KERNEL32(00000000,00000000,240CB980,240CB97C,00000000,240C6746,?,?,?,00000000,00000000), ref: 240C636E
CreateThread.KERNEL32(00000000,00000000,Function_00044C04,00000000,00000000,240D37B8), ref: 240C6385
CreateThread.KERNEL32(00000000,00000000,Function_000451BC,00000000,00000000,240D37B8), ref: 240C639C
GetCurrentProcessId.KERNEL32(00000000,00000000,Function_000451BC,00000000,00000000,240D37B8,00000000,00000000,Function_00044C04,00000000,00000000,240D37B8,00000000,240CB980,240CB97C,00000000), ref: 240C6413
SetFileAttributesA.KERNEL32(00000000,00000080,?,logs.dat,240C67CC,?,00000000,00000000,Function_000451BC,00000000,00000000,240D37B8,00000000,00000000,Function_00044C04,00000000), ref: 240C6570

Part of subcall function 24087668: CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,24087719), ref: 240876C7
Part of subcall function 24087668: SetFileTime.KERNEL32(00000000,00000000,?,00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,24087719), ref: 240876DC
Part of subcall function 24087668: SetFileTime.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000), ref: 240876EA
Part of subcall function 24087668: SetFileTime.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,40000000,00000001,00000000), ref: 240876F8
Part of subcall function 24087668: CloseHandle.KERNEL32(00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,24087719), ref: 240876FE

GetCurrentProcessId.KERNEL32(SQLite3.dll,240C67CC,?,logs.dat,240C67CC,?,00000000,00000000,Function_000451BC,00000000,00000000,240D37B8,00000000,00000000,Function_00044C04,00000000), ref: 240C6642
SetFileAttributesA.KERNEL32(00000000,00000002,00000000,00000080,?,logs.dat,240C67CC,?,00000000,00000000,Function_000451BC,00000000,00000000,240D37B8,00000000,00000000), ref: 240C6590

Part of subcall function 240878C8: CreateThread.KERNEL32(00000000,00000000,240A84FC,00000000,00000000), ref: 240878D6
Part of subcall function 240878C8: SetThreadPriority.KERNEL32(00000000,00000000,00000000,00000000,240A84FC,00000000,00000000,?,00000000,?,240CB9C4,240A8377,?,240A84EC,?,240A84EC), ref: 240878DF

Sleep.KERNEL32(000003E8,00000001,00000000,00000000,SQLite3.dll,240C67CC,?,logs.dat,240C67CC,?,00000000,00000000,Function_000451BC,00000000,00000000,240D37B8), ref: 240C66EB
CloseHandle.KERNEL32(00000000,000003E8,00000001,00000000,00000000,SQLite3.dll,240C67CC,?,logs.dat,240C67CC,?,00000000,00000000,Function_000451BC,00000000,00000000), ref: 240C66F1
CloseHandle.KERNEL32(00000000,SQLite3.dll,240C67CC,?,logs.dat,240C67CC,?,00000000,00000000,Function_000451BC,00000000,00000000,240D37B8,00000000,00000000,Function_00044C04), ref: 240C670F
CloseHandle.KERNEL32(00000000,00000000,SQLite3.dll,240C67CC,?,logs.dat,240C67CC,?,00000000,00000000,Function_000451BC,00000000,00000000,240D37B8,00000000,00000000), ref: 240C671C
Sleep.KERNEL32(00002EE0,00000000,00000000,SQLite3.dll,240C67CC,?,logs.dat,240C67CC,?,00000000,00000000,Function_000451BC,00000000,00000000,240D37B8,00000000), ref: 240C6726

Strings

####, xrefs: 240C6478, 240C64DD, 240C6521
_x_X_PASSWORDLIST_X_x_, xrefs: 240C66AB
XX--XX--XX.txt, xrefs: 240C61C7
SPY_NET_RATMUTEX, xrefs: 240C666B
logs.dat, xrefs: 240C6432
Software\Microsoft\Active Setup\Installed Components\, xrefs: 240C62A2
open, xrefs: 240C66D5
_PERSIST, xrefs: 240C62E9
SQLite3.dll, xrefs: 240C661F
[LogFile], xrefs: 240C645C
SOFTWARE\Microsoft\, xrefs: 240C665C
PIDprocess, xrefs: 240C6657
njkvenknvjebcddlaknvfdvjkfdskv, xrefs: 240C6457, 240C64FC

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: File$Close$CreateHandle$Thread$ProcessTime$AttributesCurrentDeleteErrorLastSleep$ExitMutexOpenPriority
String ID: ####$PIDprocess$SOFTWARE\Microsoft\$SPY_NET_RATMUTEX$SQLite3.dll$Software\Microsoft\Active Setup\Installed Components\$XX--XX--XX.txt$[LogFile]$_PERSIST$_x_X_PASSWORDLIST_X_x_$logs.dat$njkvenknvjebcddlaknvfdvjkfdskv$open
API String ID: 2216801884-1096289745
Opcode ID: 6e808c6c8252a0e6d866195205d9c579cd8f52a47483cfe9166fac5ca02a6d22
Instruction ID: 83e58330049d86604956020f86129039bbc0234bfc5faf3b04b0645f70d47a3c
Opcode Fuzzy Hash: 6e808c6c8252a0e6d866195205d9c579cd8f52a47483cfe9166fac5ca02a6d22
Instruction Fuzzy Hash: 52E14E74744200DBE721DBA8CAD0F4DB3E6EBA5708F508934F500AB399DAB9ECC58B51

Function 240847A8 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 240847C4
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 240847E2
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 24084800
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 2408481E
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,240848AD,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 24084867
RegQueryValueExA.ADVAPI32(?,24084A14,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,240848AD,?,80000001), ref: 24084885
RegCloseKey.ADVAPI32(?,240848B4,00000000,00000000,00000005,00000000,240848AD,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 240848A7
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 240848C4
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 240848D1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 240848D7
lstrlen.KERNEL32(00000000), ref: 24084902
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 24084949
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 24084959
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 24084981
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 24084991
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 240849B7
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 240849C7

Strings

Software\Borland\Delphi\Locales, xrefs: 24084814
., xrefs: 24084914
Software\Borland\Locales, xrefs: 240847D8, 240847F6

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-3917250287
Opcode ID: 77c2d60fd45ffa0c161ae41f00570ec2873ef225d055da03f2cac67fc35bed84
Instruction ID: 271130a6f051932c0cb1659a4cf5d4df5416558ff2cf1fb7af6483c3d87ec32f
Opcode Fuzzy Hash: 77c2d60fd45ffa0c161ae41f00570ec2873ef225d055da03f2cac67fc35bed84
Instruction Fuzzy Hash: C0514375A0025DBEFB22C6A48D85FEF7BEC9F14744F4001A1AA44E6185EA749FD48BA0

Function 24086EDC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 15
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll,GetTempPathA,?,?,2408704D,?,24090C3E,00000000,24091156,?,?,?,?,00000044,00000000,00000000), ref: 24086EEC
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 24086EF2
GetTempPathA.KERNELBASE(00000105,?,00000000,kernel32.dll,GetTempPathA,?,?,2408704D,?,24090C3E,00000000,24091156), ref: 24086EF9

Strings

kernel32.dll, xrefs: 24086EE7
GetTempPathA, xrefs: 24086EE2

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadPathProcTemp
String ID: GetTempPathA$kernel32.dll
API String ID: 1686214323-3269217876
Opcode ID: dfa7b7c115db29e24742a2fcb933de4f07472ccf342c221364485f4093a04760
Instruction ID: 43eaa35b106326fd08bb34e4b73b812c28c25187c0d85543d9f5c18a7b748127
Opcode Fuzzy Hash: dfa7b7c115db29e24742a2fcb933de4f07472ccf342c221364485f4093a04760
Instruction Fuzzy Hash: 3DC02B91101E303B372021F61EC0E9F008CDD650A7B010C217004E200FC8008D8038F0

Function 24086C78 Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,24086CD5,?,00000000), ref: 24086CAD
FindClose.KERNEL32(00000000,00000000,?,00000000,24086CD5,?,00000000), ref: 24086CB8

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 60b479257f3b3c10ec452338eda81463d8a3a342b5f13493f911d3a5b52b4e9b
Instruction ID: 8ceb04d42ec8a38bab2225475e9ec65668b594f18e0ef09d7274fa3bbae51d2e
Opcode Fuzzy Hash: 60b479257f3b3c10ec452338eda81463d8a3a342b5f13493f911d3a5b52b4e9b
Instruction Fuzzy Hash: 0AF02770500104AFD701EBF8CF9199EB3ECEB6921479209B5E404D2664F7316F40AA10

Function 24086C77 Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,24086CD5,?,00000000), ref: 24086CAD
FindClose.KERNEL32(00000000,00000000,?,00000000,24086CD5,?,00000000), ref: 24086CB8

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 9bd62b49d439f6542b680833016f58fc7673fd08b16c68d2ae6cd6e4bbba2389
Instruction ID: de58a06098552d95e9b6490a60e44f3613f89d5d217135cedc47b3ed31b755c5
Opcode Fuzzy Hash: 9bd62b49d439f6542b680833016f58fc7673fd08b16c68d2ae6cd6e4bbba2389
Instruction Fuzzy Hash: C8F02E70504104AFDB01DBF8CF51D9EB7FCDB6521479109B9E404D2665E7355F409A10

Function 240863E8 Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNEL32(00000000,?,?,?,?,2408649A,00000000,24086506), ref: 24086403
GetLastError.KERNEL32(00000000,?,?,?,?,2408649A,00000000,24086506), ref: 24086428

Part of subcall function 24085DF8: FileTimeToLocalFileTime.KERNEL32(?), ref: 24085E25
Part of subcall function 24085DF8: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 24085E34

Part of subcall function 24085DDC: FindClose.KERNEL32(?,?,24086426,00000000,?,?,?,?,2408649A,00000000,24086506), ref: 24085DE8

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: FileTime$Find$CloseDateErrorFirstLastLocal
String ID:
API String ID: 976985129-0
Opcode ID: 1d764602b8cb8e00339e7ce8c91f8a4d82bf49f74a8dd3a0fa581d86529fcac6
Instruction ID: e91888dae84ccaf7fa9ce3c20684f439895a30419fb55e3d49986d8bf0cb4097
Opcode Fuzzy Hash: 1d764602b8cb8e00339e7ce8c91f8a4d82bf49f74a8dd3a0fa581d86529fcac6
Instruction Fuzzy Hash: E8E02B72B022200B13105EBC6D9044F59C88F945F931616B9FD10DF30EE930CC8103D0

Function 24088CD0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,24088D23,00000000,24088D66,?,?,00000000,00000000), ref: 24088CE3

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: c0a5c38b77294cd5bc0105dacaac811761fc0667ac39b8f869ab3184c1b78c3f
Instruction ID: 156ef1a38f183be9878bc82ff34450637604ad5780005f134fa4eaf346bc2697
Opcode Fuzzy Hash: c0a5c38b77294cd5bc0105dacaac811761fc0667ac39b8f869ab3184c1b78c3f
Instruction Fuzzy Hash: 80D05B7731E1503AB210415A2E44D7B4ADCCBD5760F004079BA48C6105E5508C4A5375

Function 240C5240 Relevance: 31.9, APIs: 11, Strings: 7, Instructions: 403
registrysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001388,00000000,240C57B3,?,?,?,?,00000000,00000000), ref: 240C527E

Part of subcall function 24086858: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 2408689E
Part of subcall function 24086858: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,00000000,00000000,240868FD), ref: 240868C6
Part of subcall function 24086858: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,00000000,00000000,240868FD), ref: 240868D5

RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,?,00000000,00001388,00000000,240C57B3,?,?,?,?,00000000,00000000), ref: 240C55C0
RegDeleteKeyA.ADVAPI32(?,00000000), ref: 240C55D6
RegCloseKey.ADVAPI32(?,?,00000000,80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,?,00000000,00001388,00000000,240C57B3), ref: 240C55DF
GetLastError.KERNEL32(00001388,00000000,240C57B3,?,?,?,?,00000000,00000000), ref: 240C5613
CloseHandle.KERNEL32(00000000,00001388,00000000,240C57B3,?,?,?,?,00000000,00000000), ref: 240C5620
CloseHandle.KERNEL32(0000047C,00000000,00001388,00000000,240C57B3,?,?,?,?,00000000,00000000), ref: 240C562D

Part of subcall function 240870B8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,24087197), ref: 2408710D
Part of subcall function 240870B8: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,24087197), ref: 24087131
Part of subcall function 240870B8: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 2408715B
Part of subcall function 240870B8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,24087197), ref: 2408716F

CloseHandle.KERNEL32(00000000,00001388,00000000,240C57B3,?,?,?,?,00000000,00000000), ref: 240C5638
GetLastError.KERNEL32(00000000,00001388,00000000,240C57B3,?,?,?,?,00000000,00000000), ref: 240C574D
CloseHandle.KERNEL32(00000000,00000000,00001388,00000000,240C57B3,?,?,?,?,00000000,00000000), ref: 240C575A
CloseHandle.KERNEL32(00000000,00000000,00001388,00000000,240C57B3,?,?,?,?,00000000,00000000), ref: 240C5765

Strings

StubPath, xrefs: 240C54EF, 240C5559
Software\Microsoft\Active Setup\Installed Components\, xrefs: 240C55B6
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, xrefs: 240C53E8, 240C5439, 240C546F, 240C54C0
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 240C52B4, 240C530A, 240C5353, 240C53A9
Software\Microsoft\Active Setup\Installed Components\, xrefs: 240C5508, 240C556A
open, xrefs: 240C577C
_SAIR, xrefs: 240C55F2

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Close$Handle$Value$ErrorLastOpenQuery$CreateDeleteSleep
String ID: Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run$Software\Microsoft\Windows\CurrentVersion\Run$StubPath$_SAIR$open
API String ID: 3574299486-1043091203
Opcode ID: 9c68d193a0ace123c51d74c5e1ee466423de4a6d01bf0fb3e20116c8d1a68c2e
Instruction ID: 60268a2799a476cfc42c8b54e1ae92c6a0988cb9a732b0702eee736001d1996d
Opcode Fuzzy Hash: 9c68d193a0ace123c51d74c5e1ee466423de4a6d01bf0fb3e20116c8d1a68c2e
Instruction Fuzzy Hash: E0F13D35A00158DBEB00EBE8DA80F8EB3F5BF96248F504165E404AB369DA75EEC5CF51

Function 240870B8 Relevance: 6.1, APIs: 4, Instructions: 83
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,24087197), ref: 2408710D
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,24087197), ref: 24087131
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 2408715B
RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,24087197), ref: 2408716F

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 7e46e4fc7e6460bdaee3dba2d0e5daa0c4dfacc7f36fefdb6b1be22ce7553f90
Instruction ID: fc59dedf4a78d4527d88564ef84f6ce2b9f1be7c5dad4d92dc313162ff2f0f84
Opcode Fuzzy Hash: 7e46e4fc7e6460bdaee3dba2d0e5daa0c4dfacc7f36fefdb6b1be22ce7553f90
Instruction Fuzzy Hash: ED212F71A00508AFEB00DBA8DE90EAEB7FCEF98244F504165B504E7258E771EE448B61

Function 24086CE4 Relevance: 6.1, APIs: 4, Instructions: 66
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 24086C78: FindFirstFileA.KERNEL32(00000000,?,00000000,24086CD5,?,00000000), ref: 24086CAD
Part of subcall function 24086C78: FindClose.KERNEL32(00000000,00000000,?,00000000,24086CD5,?,00000000), ref: 24086CB8

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,24086D92), ref: 24086D37
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,24086D92), ref: 24086D41
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,24086D92), ref: 24086D5C
CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 24086D77

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: File$CloseFind$CreateFirstHandleReadSize
String ID:
API String ID: 2300874643-0
Opcode ID: 5d69ed1204bd4fe6b565c63fb9d11ef445a2e6174274233dbc884c8d8a6ab759
Instruction ID: 6584dd9befaaa7f82e004e022196b7e7f4dc811c13472143ba70f62926f3cc64
Opcode Fuzzy Hash: 5d69ed1204bd4fe6b565c63fb9d11ef445a2e6174274233dbc884c8d8a6ab759
Instruction Fuzzy Hash: 2F114270A00604BFEB11DBA8CE91F6EBBF8DF96B04F5100A4F500EB298DB716E41DA55

Function 24086858 Relevance: 4.6, APIs: 3, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 2408689E
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,00000000,00000000,240868FD), ref: 240868C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,00000000,00000000,240868FD), ref: 240868D5

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: fd4e9ded3c1e21784cf2ccf1d43adafa77a7a481714871c2764f9a56f35ba37c
Instruction ID: afd4936f07ff0d8c7272bc301a7fcc62b9098c169194652013cf811fcd2c3f36
Opcode Fuzzy Hash: fd4e9ded3c1e21784cf2ccf1d43adafa77a7a481714871c2764f9a56f35ba37c
Instruction Fuzzy Hash: DE110071900108BFEB00EFA8DE91E9EB7ECEF69648F414475F804E7254DB719E818B50

Function 04D90000 Relevance: 3.0, APIs: 2, Instructions: 25
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(?), ref: 04D90018
RtlExitUserThread.NTDLL(00000000), ref: 04D90023

Memory Dump Source

Source File: 00000008.00000002.2515892776.0000000004D90000.00000040.00000400.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d90000_explorer.jbxd

Similarity

API ID: ExitHandleModuleThreadUser
String ID:
API String ID: 3752825402-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 04AE0000 Relevance: 3.0, APIs: 2, Instructions: 16
sleeplibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 04AE001D
Sleep.KERNELBASE(FFFFFFFF), ref: 04AE0026

Memory Dump Source

Source File: 00000008.00000002.2515261897.0000000004AE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4ae0000_explorer.jbxd

Similarity

API ID: LibraryLoadSleep
String ID:
API String ID: 2118945035-0
Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction ID: 3d6dcf0603c0b7fa6df61d0a6d33d883493ae2c415736c940b7e86ed4b91e560
Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction Fuzzy Hash: 03E00274D04608EFCB04DF99C98889DBBB5AF89320B25C295E865A73A5D730AE419A80

Function 04DC0000 Relevance: 3.0, APIs: 2, Instructions: 16sleeplibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 04DC001D
Sleep.KERNELBASE(FFFFFFFF), ref: 04DC0026

Memory Dump Source

Source File: 00000008.00000002.2515954092.0000000004DC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4dc0000_explorer.jbxd

Similarity

API ID: LibraryLoadSleep
String ID:
API String ID: 2118945035-0
Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction ID: f9f4e5dc20143b8f85cd584f36b5cc39d4af475f4f01424f332b360aaee430c5
Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction Fuzzy Hash: E4E09A74D00608EFCB04CF99C44888DBBB5AF48320B21C295E865973A5D730AE419A40

Function 05450000 Relevance: 3.0, APIs: 2, Instructions: 16sleeplibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 0545001D
Sleep.KERNELBASE(FFFFFFFF), ref: 05450026

Memory Dump Source

Source File: 00000008.00000002.2517607770.0000000005450000.00000040.00000400.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5450000_explorer.jbxd

Similarity

API ID: LibraryLoadSleep
String ID:
API String ID: 2118945035-0
Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction ID: 62ac2a1164ed5bb1b6a20344c76fd19b9ef6bab414a194308cdcc08477aab154
Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction Fuzzy Hash: E8E00A74D04608EFCB04DF99C54889DBBB5AF49320B25C295E865973A5D7309E419A40

Function 049F0000 Relevance: 3.0, APIs: 2, Instructions: 16
sleeplibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 049F001D
Sleep.KERNELBASE(FFFFFFFF), ref: 049F0026

Memory Dump Source

Source File: 00000008.00000002.2515014943.00000000049F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_49f0000_explorer.jbxd

Similarity

API ID: LibraryLoadSleep
String ID:
API String ID: 2118945035-0
Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction ID: de8843d6cffdc7bf5c0ce3b72ad9a08c990d02f5e1c05a9b2edb7ac214d5c06b
Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction Fuzzy Hash: 49E09A74D00608EFCB04CF99C84888DBBB5AF48320B24C291E825973A5D730AE41DB40

Function 04BD0000 Relevance: 3.0, APIs: 2, Instructions: 16
sleeplibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 04BD001D
Sleep.KERNELBASE(FFFFFFFF), ref: 04BD0026

Memory Dump Source

Source File: 00000008.00000002.2515482294.0000000004BD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4bd0000_explorer.jbxd

Similarity

API ID: LibraryLoadSleep
String ID:
API String ID: 2118945035-0
Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction ID: 206675a295ea96bcc9cc5f5e9d419b45aca3427680115ea0045db42c2c73d0a5
Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction Fuzzy Hash: E2E00A74D04608EFCB04DFA9C54889DBBB5AF49320F25C295E865973A5D730AE419A40

Function 047D0000 Relevance: 3.0, APIs: 2, Instructions: 16
sleeplibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 047D001D
Sleep.KERNELBASE(FFFFFFFF), ref: 047D0026

Memory Dump Source

Source File: 00000008.00000002.2514316641.00000000047D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_47d0000_explorer.jbxd

Similarity

API ID: LibraryLoadSleep
String ID:
API String ID: 2118945035-0
Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction ID: 4f3077591483c2e23e2e345fd0b48ad5319088fc745d4a565e53310b627b9a36
Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction Fuzzy Hash: 36E00A74D04648EFCB04DFA9C54889DBBB5AF49320F25C295E865973A5D730AE419A40

Function 240B0DB8 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00000400), ref: 240B0E03

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: FileInfo
String ID:
API String ID: 4041567068-0
Opcode ID: 79fc499499914f8b2ba47a6ab4e4f6ed3c1c166222f177d5a1668bd616378986
Instruction ID: b8fa5b23c36ca3177ef83a191b6ad2c91360fbb833dfb99a472bba9382015985
Opcode Fuzzy Hash: 79fc499499914f8b2ba47a6ab4e4f6ed3c1c166222f177d5a1668bd616378986
Instruction Fuzzy Hash: 07F0C230518218AFE711DB61CD91FDF7BBCEB89754F8104B4E504E7298D6B2AE808E64

Function 2408456C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(24080000,?,00000105), ref: 2408458A

Part of subcall function 240847A8: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 240847C4
Part of subcall function 240847A8: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 240847E2
Part of subcall function 240847A8: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 24084800
Part of subcall function 240847A8: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 2408481E
Part of subcall function 240847A8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,240848AD,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 24084867
Part of subcall function 240847A8: RegQueryValueExA.ADVAPI32(?,24084A14,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,240848AD,?,80000001), ref: 24084885
Part of subcall function 240847A8: RegCloseKey.ADVAPI32(?,240848B4,00000000,00000000,00000005,00000000,240848AD,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 240848A7

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 758b88b33a212394f8d448a54f283aba4c3cd53dc29f1031e7330aff75646c12
Instruction ID: c20b26df16d39c23b3e70a34be3ef7ed4af936d78f7bd09a519044eb467719ff
Opcode Fuzzy Hash: 758b88b33a212394f8d448a54f283aba4c3cd53dc29f1031e7330aff75646c12
Instruction Fuzzy Hash: 6DE0ED75A002249FDB01DE5CC9C0A4A37D8AF49654F054A61AD54DF34BE371DA9087D1

Function 02A70000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 02A70023

Memory Dump Source

Source File: 00000008.00000002.2512164648.0000000002A70000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2a70000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 05060000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 05060023

Memory Dump Source

Source File: 00000008.00000002.2516607089.0000000005060000.00000040.00000400.00020000.00000000.sdmp, Offset: 05060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5060000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 02EC0000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 02EC0023

Memory Dump Source

Source File: 00000008.00000002.2513395859.0000000002EC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ec0000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 02F00000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 02F00023

Memory Dump Source

Source File: 00000008.00000002.2513565376.0000000002F00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2f00000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 05240000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 05240023

Memory Dump Source

Source File: 00000008.00000002.2517055033.0000000005240000.00000040.00000400.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5240000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 04E80000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 04E80023

Memory Dump Source

Source File: 00000008.00000002.2516135563.0000000004E80000.00000040.00000400.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e80000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 04BA0000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 04BA0023

Memory Dump Source

Source File: 00000008.00000002.2515423831.0000000004BA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4ba0000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 05510000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 05510023

Memory Dump Source

Source File: 00000008.00000002.2517773133.0000000005510000.00000040.00000400.00020000.00000000.sdmp, Offset: 05510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5510000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 048C0000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 048C0023

Memory Dump Source

Source File: 00000008.00000002.2514674464.00000000048C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_48c0000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 049C0000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 049C0023

Memory Dump Source

Source File: 00000008.00000002.2514960269.00000000049C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_49c0000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 02A30000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 02A30023

Memory Dump Source

Source File: 00000008.00000002.2512043811.0000000002A30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2a30000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 04AB0000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 04AB0023

Memory Dump Source

Source File: 00000008.00000002.2515203868.0000000004AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4ab0000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 05150000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 05150023

Memory Dump Source

Source File: 00000008.00000002.2516823651.0000000005150000.00000040.00000400.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5150000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 02AB0000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 02AB0023

Memory Dump Source

Source File: 00000008.00000002.2512288608.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ab0000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 047A0000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 047A0023

Memory Dump Source

Source File: 00000008.00000002.2514229658.00000000047A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_47a0000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 04C90000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 04C90023

Memory Dump Source

Source File: 00000008.00000002.2515645674.0000000004C90000.00000040.00000400.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4c90000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 05330000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 05330023

Memory Dump Source

Source File: 00000008.00000002.2517302691.0000000005330000.00000040.00000400.00020000.00000000.sdmp, Offset: 05330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5330000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 05420000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 05420023

Memory Dump Source

Source File: 00000008.00000002.2517544848.0000000005420000.00000040.00000400.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5420000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 04F70000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 04F70023

Memory Dump Source

Source File: 00000008.00000002.2516388547.0000000004F70000.00000040.00000400.00020000.00000000.sdmp, Offset: 04F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f70000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 24084F16 Relevance: 1.5, APIs: 1, Instructions: 15synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(?,?,?,?,?), ref: 24084F2E

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 4e517a16085b8900b141571b75f19e29287a41f7ed24e47c7e5cc36522aeb123
Instruction ID: d54fbe9932f96986e32372636bce570d65cd7e85171800da9d8aaad5cb4f68cd
Opcode Fuzzy Hash: 4e517a16085b8900b141571b75f19e29287a41f7ed24e47c7e5cc36522aeb123
Instruction Fuzzy Hash: 67D01273250248AF8700DEBCDC05DAB33DCAB28509B008824B918C7105E139E9909B60

Function 24084F18 Relevance: 1.5, APIs: 1, Instructions: 14synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(?,?,?,?,?), ref: 24084F2E

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
Instruction ID: 40b23113d32118202df948085f3741d956f0cc7065c65c86cf6ff2069e504711
Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
Instruction Fuzzy Hash: 5FC01273160248AF8B00EEA8DC05D9B33DCAB28609B008828B928CB105E139E5A09B60

Function 240812F2 Relevance: 1.5, APIs: 1, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02BA0000,00000000), ref: 24081301

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9adf4e6e671955ea75501751516c186b4ec285f2aa2f8ee6c1224da2e83d2bf9
Instruction ID: 6ac85cccd621e1fe138fbf0d6b83f0c3e6a692b518ced0c5e66d0e6c5fc50f8f
Opcode Fuzzy Hash: 9adf4e6e671955ea75501751516c186b4ec285f2aa2f8ee6c1224da2e83d2bf9
Instruction Fuzzy Hash: A4B002A6610501EF9A41EEACDD44F6632EDE79D2443905460B608D7245D52DAC814B21

Function 04FA0000 Relevance: 1.3, APIs: 1, Instructions: 16sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(FFFFFFFF), ref: 04FA0026

Memory Dump Source

Source File: 00000008.00000002.2516435625.0000000004FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4fa0000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction ID: a66f568b7c2a8952f9408ef335b7a548a38c5285293419062ac4faeb391d7efc
Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction Fuzzy Hash: 6FE09A74D00608EFCB04CF99C44888DBBB5AF48320B20C291E825973A5D730AE419A40

Function 05180000 Relevance: 1.3, APIs: 1, Instructions: 16sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(FFFFFFFF), ref: 05180026

Memory Dump Source

Source File: 00000008.00000002.2516871358.0000000005180000.00000040.00000400.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5180000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction ID: 35a05de8538b7d56dbeb90ad0d2e559c4c6792c0e5f58338626515ced5123585
Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction Fuzzy Hash: DCE00274D04608EFCB14DF99C98889DBBB5AF89320B25C295E865A73A5D730AE419E80

Function 05090000 Relevance: 1.3, APIs: 1, Instructions: 16sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(FFFFFFFF), ref: 05090026

Memory Dump Source

Source File: 00000008.00000002.2516671988.0000000005090000.00000040.00000400.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5090000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction ID: 9560eecf99cf61005495dec4bdbe04de6e45e62394fb05ff2082f5046fe89a4c
Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction Fuzzy Hash: EEE00274D04608EFCB04DF99C98889DBBB5AF89320F25C295E865A73A5D730AE519A80

Function 05360000 Relevance: 1.3, APIs: 1, Instructions: 16sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(FFFFFFFF), ref: 05360026

Memory Dump Source

Source File: 00000008.00000002.2517362956.0000000005360000.00000040.00000400.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5360000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction ID: 79bdf50c7181c17147bbd687f8a5ac6759ab2ffaed197ce0208f14c0cd5b9288
Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction Fuzzy Hash: 1CE09274D04608EFCB04CF99C88888DBBB5AF88320B20C295E825A73A5D730AE419A80

Function 04CC0000 Relevance: 1.3, APIs: 1, Instructions: 16sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(FFFFFFFF), ref: 04CC0026

Memory Dump Source

Source File: 00000008.00000002.2515702600.0000000004CC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4cc0000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction ID: 5e8a04394fc077d180e871e60db5b89fdcc4bbacee028b089a64edb856b8b828
Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction Fuzzy Hash: 7BE00274D04608EFCB04DF99C98889DBBB5AF89320B25C295E865A73A5D730AE419A80

Function 02F30000 Relevance: 1.3, APIs: 1, Instructions: 16sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(FFFFFFFF), ref: 02F30026

Memory Dump Source

Source File: 00000008.00000002.2513692950.0000000002F30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2f30000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction ID: 15d3d3b66fbaa0c9ed2825e626fa4f6c31866dad4dfbb14a7789b51096334045
Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction Fuzzy Hash: CBE00274D04608EFCB04DF99C98889DBBB5AF89320B25C295E965A73A5D730AE41DA80

Function 00520000 Relevance: 1.3, APIs: 1, Instructions: 16sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(FFFFFFFF), ref: 00520026

Memory Dump Source

Source File: 00000008.00000002.2511680052.0000000000520000.00000040.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_520000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction ID: e4c35f613438a4ef54f6400bda3db0e23dd947093058edaf61e17cef691dbfd4
Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction Fuzzy Hash: 16E00274D04608EFCB04DF99C98889DBBB5AF89320B25C295E865A73A5D730AE419A80

Function 04EB0000 Relevance: 1.3, APIs: 1, Instructions: 16sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(FFFFFFFF), ref: 04EB0026

Memory Dump Source

Source File: 00000008.00000002.2516204837.0000000004EB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4eb0000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction ID: cced881d7e076ddb83b870002673f0bf113c93167b8887f10267e9765c957dd3
Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction Fuzzy Hash: 2FE00A74D04608EFCB04DF99C54889EBBB5AF49320B25C295E865973A5D730AE419A80

Function 04900000 Relevance: 1.3, APIs: 1, Instructions: 16sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(FFFFFFFF), ref: 04900026

Memory Dump Source

Source File: 00000008.00000002.2514758610.0000000004900000.00000040.00000400.00020000.00000000.sdmp, Offset: 04900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4900000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction ID: a0ab7fac490aa3feabcaa1bc5a5f67a8644700cec10ace5408e57d954df8f8b5
Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction Fuzzy Hash: 52E00A74D04608EFCB04DF99C54889DBBB5AF49320B25C295E865973A5D730AE41DA40

Function 05270000 Relevance: 1.3, APIs: 1, Instructions: 16sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(FFFFFFFF), ref: 05270026

Memory Dump Source

Source File: 00000008.00000002.2517106391.0000000005270000.00000040.00000400.00020000.00000000.sdmp, Offset: 05270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5270000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction ID: 1ac8f74a4c88990f81a636fc29cd56a7138fa5c4a1ab9619d8ef6ef63a43b383
Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction Fuzzy Hash: 21E00A74D14608EFCB04DF99C54889DBBB5AF49320B25C295E865973A5D7309E419E40

Function 24081309 Relevance: 1.3, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(02BA0000,00000000), ref: 2408131B

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7917dad080a0b46715423fa4768a55d94e6974e3c10b0cb94469a6004671e3a3
Instruction ID: da51f0aab13dbaf5326aad5e1be3e1e7700299cab90a00110bdb8d6499e5f4ed
Opcode Fuzzy Hash: 7917dad080a0b46715423fa4768a55d94e6974e3c10b0cb94469a6004671e3a3
Instruction Fuzzy Hash: C7C04CB3660602DB9F119AE8DCC2E1732DCE7682097245521F518DB111D52ED8D05620

Function 05530000 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2517838333.0000000005530000.00000040.00000400.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5530000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f87fc558e2f538fd351bdfc49e2c6aa18e45c6a6d2c8ec1415aa36aaa266a9
Instruction ID: 18b5e61e04c7bcae5a7a9f8a09946595db22e2a0f492063f86ebefdf2a899b08
Opcode Fuzzy Hash: a8f87fc558e2f538fd351bdfc49e2c6aa18e45c6a6d2c8ec1415aa36aaa266a9
Instruction Fuzzy Hash: 33D01275914208EFDB04CF54D84589EBBF5EB44320F20C165E914973A0E731AE509A44

Non-executed Functions

Function 2408F870 Relevance: 100.5, APIs: 4, Strings: 53, Instructions: 748COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C), ref: 2408F8DA
GetVersionExW.KERNEL32(00000094,0000011C), ref: 2408F8F6
GetSystemInfo.KERNEL32(?,0000011C), ref: 2408F95C

Part of subcall function 24085C78: wvsprintfA.USER32(?,00000000,?), ref: 24085D0E

Strings

Home Basic, xrefs: 2408FB7E
Windows XP Home, xrefs: 2408FF1F
Windows 95 (Release 2), xrefs: 2408F9B0
%s %s Server, xrefs: 24090076, 240900C7, 24090118, 24090169, 240901BA, 2409020B, 2409025C, 240902AD
Windows 98 SE, xrefs: 2408F9EA
Web, xrefs: 24090290
Windows Vista, xrefs: 2408FA77
Windows ME, xrefs: 2408FA2E
Ultimate, xrefs: 2408FB2D
Windows 2000 Server Datacenter, xrefs: 240903D2
%s %s, xrefs: 2408FB4A, 2408FB9B, 2408FBEC, 2408FC3D, 2408FC8E, 2408FCDF, 2408FD30, 2408FD81, 2408FDD2, 2408FE23, 2408FE74, 2408FEC5
A, xrefs: 2408F9DD
Windows XP Professional x64, xrefs: 2408FEFA
Business N, xrefs: 2408FD64
Windows NT %d.%d, xrefs: 2408FF8D
Premium, xrefs: 2408FBCF
Windows XP Professional, xrefs: 2408FF3A
Windows NT 4.0 Server Web Edition, xrefs: 2409046A
Windows NT 4.0 Server, xrefs: 24090479
Windows NT 4.0 Server Enterprise, xrefs: 24090451
Datacenter, xrefs: 240900AA, 2409014C
Windows 2000 Server Enterprise, xrefs: 240903EE
Windows 2003 Server (Release 2), xrefs: 240903A4
Windows 2003 Server Web Edition, xrefs: 24090333
%d.%d, xrefs: 240904EB
Enterprise IA64, xrefs: 2409023F
Windows Home Server, xrefs: 24090375
Windows 2003 Server Datacenter, xrefs: 240902FB
Enterprise N, xrefs: 2408FE06
Unknown Platform ID (%d), xrefs: 240904A1
Ultimate N, xrefs: 2408FE57
Windows 2000 Professional, xrefs: 2408FF4C
Windows 2008, xrefs: 2408FFC7
Windows NT 4.0 Server Datacenter, xrefs: 24090438
Windows 2003 Server Enterprise, xrefs: 24090317
Premium N, xrefs: 2408FDB5
- Service Pack: %s, xrefs: 24090572
Windows 98, xrefs: 2408FA08
Server (unknown edition), xrefs: 240902CD
(unknown edition), xrefs: 2408FEA8
Business, xrefs: 2408FCC2
Starter, xrefs: 2408FD13
Enterprise, xrefs: 2408FC20, 240900FB, 240901EE
Home Basic N, xrefs: 2408FC71
Windows 2000 Server, xrefs: 2409041C
Windows 3.1, xrefs: 2408F97F
%s (Build: %d, xrefs: 24090535
Windows 95, xrefs: 2408F9C2
Unknown, xrefs: 2408F898
Standard, xrefs: 24090059, 2409019D
Windows 2003 Server, xrefs: 24090345, 24090392
Windows 7, xrefs: 2408FA64
Windows 2000 Server Web Edition, xrefs: 2409040A

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Version$InfoSystemwvsprintf
String ID: - Service Pack: %s$ Server (unknown edition)$%d.%d$%s %s$%s %s Server$%s (Build: %d$(unknown edition)$A$Business$Business N$Datacenter$Enterprise$Enterprise IA64$Enterprise N$Home Basic$Home Basic N$Premium$Premium N$Standard$Starter$Ultimate$Ultimate N$Unknown$Unknown Platform ID (%d)$Web$Windows 2000 Professional$Windows 2000 Server$Windows 2000 Server Datacenter$Windows 2000 Server Enterprise$Windows 2000 Server Web Edition$Windows 2003 Server$Windows 2003 Server (Release 2)$Windows 2003 Server Datacenter$Windows 2003 Server Enterprise$Windows 2003 Server Web Edition$Windows 2008$Windows 3.1$Windows 7$Windows 95$Windows 95 (Release 2)$Windows 98$Windows 98 SE$Windows Home Server$Windows ME$Windows NT %d.%d$Windows NT 4.0 Server$Windows NT 4.0 Server Datacenter$Windows NT 4.0 Server Enterprise$Windows NT 4.0 Server Web Edition$Windows Vista$Windows XP Home$Windows XP Professional$Windows XP Professional x64
API String ID: 3060546747-1031444156
Opcode ID: b47cf49586052f419e382a7e20faf0041ddb6a67089d78b9948c1d2e690f7c62
Instruction ID: df17c93474257d39cc1073cc8c5cb0b09a26220fcbfa1e82950797719517ab0e
Opcode Fuzzy Hash: b47cf49586052f419e382a7e20faf0041ddb6a67089d78b9948c1d2e690f7c62
Instruction Fuzzy Hash: AB728B70A04758CFDB60CB68C984BCEB7F4AF89708F0085E9C489A7255D774EAC89F52

Function 24085564 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,240857EB,?,?,2409E487), ref: 24085578
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 24085590
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 240855A2
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 240855B4
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 240855C6
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 240855D8
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 240855EA
GetProcAddress.KERNEL32(00000000,Process32First), ref: 240855FC
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 2408560E
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 24085620
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 24085632
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 24085644
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 24085656
GetProcAddress.KERNEL32(00000000,Module32First), ref: 24085668
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 2408567A
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 2408568C
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 2408569E

Strings

kernel32.dll, xrefs: 24085573
Heap32ListNext, xrefs: 240855AC
Process32FirstW, xrefs: 24085618
Module32FirstW, xrefs: 24085684
Toolhelp32ReadProcessMemory, xrefs: 240855E2
Heap32First, xrefs: 240855BE
Module32Next, xrefs: 24085672
Module32First, xrefs: 24085660
CreateToolhelp32Snapshot, xrefs: 24085588
Process32First, xrefs: 240855F4
Heap32Next, xrefs: 240855D0
Process32Next, xrefs: 24085606
Thread32First, xrefs: 2408563C
Thread32Next, xrefs: 2408564E
Process32NextW, xrefs: 2408562A
Heap32ListFirst, xrefs: 2408559A
Module32NextW, xrefs: 24085696

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: 39860cc1a93a84c3f6937a83a636479a7ba95729ee98c3ea7a590cc9805c7ebe
Instruction ID: d8949b564c2a7657dad94ac6ec906ffb191b4b4a3187742a75d3338ef8206076
Opcode Fuzzy Hash: 39860cc1a93a84c3f6937a83a636479a7ba95729ee98c3ea7a590cc9805c7ebe
Instruction Fuzzy Hash: FF3152B4911A10EFEB009FB5EAD4F2E3AEAFB162057804569F400EF248D63999C49F95

Function 240845F0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 136stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 2408460D
GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 2408461E
lstrcpyn.KERNEL32(?,?,?), ref: 2408464E
lstrcpyn.KERNEL32(?,?,?,kernel32.dll), ref: 240846B2
lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll), ref: 240846E7
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 240846FA
FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 24084707
lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 24084713
lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 24084747
lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 24084753
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 24084775

Strings

kernel32.dll, xrefs: 24084608
GetLongPathNameA, xrefs: 24084618
\, xrefs: 24084725

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: 70d04a5098422a145ddff46c07505126c9f0d4ada9d53650c8f13fa47754cd63
Instruction ID: 4338a2c445a67e30b7a514790af59e863401a6efe9ebbfd8bf509ad5e6decf18
Opcode Fuzzy Hash: 70d04a5098422a145ddff46c07505126c9f0d4ada9d53650c8f13fa47754cd63
Instruction Fuzzy Hash: C6416C72D00259AFEB11CBB8CE84FDEBBECAF55204F0040B5A958E7244E7749E948B54

Function 240C4984 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 213injectionthreadprocessCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 240C4A0D
GetThreadContext.KERNEL32(?,00010002), ref: 240C4A41
ReadProcessMemory.KERNEL32(?,?,?,00000004,?,?,00010002), ref: 240C4A66
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,?,?,00010002), ref: 240C4AB5
WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000004,?,?,?,00000004,?,?), ref: 240C4ADE
WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,?,?,?,00003000,00000004,?), ref: 240C4B27
VirtualProtectEx.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,?), ref: 240C4B4F
WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000004,?), ref: 240C4B72
SetThreadContext.KERNEL32(?,00010002,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000), ref: 240C4B95
TerminateProcess.KERNEL32(?,00000000,240C4BD7), ref: 240C4BBC
ResumeThread.KERNEL32(?,240C4BD7), ref: 240C4BC7

Part of subcall function 240C493C: LoadLibraryA.KERNEL32(ntdll.dll,ZwUnmapViewOfSection,?,00000000,240C4A7E,?,?,?,00000004,?,?,00010002), ref: 240C494C
Part of subcall function 240C493C: GetProcAddress.KERNEL32(00000000,ntdll.dll), ref: 240C4952

Strings

D, xrefs: 240C49D7

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Process$Memory$ThreadWrite$ContextVirtual$AddressAllocCreateLibraryLoadProcProtectReadResumeTerminate
String ID: D
API String ID: 4089571990-2746444292
Opcode ID: 7bd270df3ce09b6d317d1dea3223581e19d0dba858853319a29ceec56bec96ee
Instruction ID: 2e52714fcd95cef4594376e977f5d8d7e86e866cf632b54e2488db645d1595fc
Opcode Fuzzy Hash: 7bd270df3ce09b6d317d1dea3223581e19d0dba858853319a29ceec56bec96ee
Instruction Fuzzy Hash: A181C2B1A00208AFEB51DBE8DD81FEEBBF8FF58304F104465E604E7255D674E9848B64

Function 240A7464 Relevance: 18.1, APIs: 12, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 240A7471
GetDC.USER32(00000000), ref: 240A7479
CreateCompatibleDC.GDI32(00000000), ref: 240A7481
GetClientRect.USER32(00000000,?), ref: 240A7492
GetDeviceCaps.GDI32(00000000,00000008), ref: 240A74B0
GetDeviceCaps.GDI32(00000000,0000000A), ref: 240A74BA
CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 240A74CA
SelectObject.GDI32(00000000,00000000), ref: 240A74D7
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CC0020), ref: 240A74F5
SelectObject.GDI32(00000000,0000000A), ref: 240A7500
DeleteDC.GDI32(00000000), ref: 240A7506
ReleaseDC.USER32(00000000,00000000), ref: 240A750D

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: CapsCompatibleCreateDeviceObjectSelect$BitmapClientDeleteDesktopRectReleaseWindow
String ID:
API String ID: 337914687-0
Opcode ID: f1b76e16a75b4e8c41da1ba234a25fc9606e6697ddba96ae8bac77b0f0e9eb6f
Instruction ID: 82de52993a7b4f1a5b6b84c5932fd767c35311b83bdbd33e7a8ffb36127e6a80
Opcode Fuzzy Hash: f1b76e16a75b4e8c41da1ba234a25fc9606e6697ddba96ae8bac77b0f0e9eb6f
Instruction Fuzzy Hash: 641160712457157FE311ABA88D80F3F7AEDDF96A54F404918F984A7245DB34EC8087B2

Function 240B09E4 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 188fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,240B0C93,?,00000000,240B0D1E), ref: 240B0B62
FindNextFileA.KERNEL32(000000FF,?,00000000,?,00000000,240B0C93,?,00000000,240B0D1E), ref: 240B0C6F
FindClose.KERNEL32(000000FF,240B0C9A,240B0C93,?,00000000,240B0D1E), ref: 240B0C8D

Strings

Desktop, xrefs: 240B0AC0
%DESKTOP%, xrefs: 240B0AAE
%RECENT%, xrefs: 240B0A7A
*.*, xrefs: 240B0B49
%WIN%, xrefs: 240B0A48
%SYS%, xrefs: 240B0A61
Recent, xrefs: 240B0A8C

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: %DESKTOP%$%RECENT%$%SYS%$%WIN%$*.*$Desktop$Recent
API String ID: 3541575487-3092682246
Opcode ID: ec5a4f1bb3086719f1f4a9bc20d7a7ebcda19e8f596e255f5bf9d2ae10768227
Instruction ID: 1cd4b8d1061c332d3ca40c0b0e512078209f0fb5d942fe5388a1b68589ce260f
Opcode Fuzzy Hash: ec5a4f1bb3086719f1f4a9bc20d7a7ebcda19e8f596e255f5bf9d2ae10768227
Instruction Fuzzy Hash: DA814830A0461D9FDB11DB94CE80A9EB3B9FF99308F5084E9D488A7248DB71AFC58F55

Function 240C038C Relevance: 15.3, APIs: 10, Instructions: 323keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000008), ref: 240C03C9
GetKeyState.USER32(00000014), ref: 240C03EC
GetKeyState.USER32(00000010), ref: 240C03F9

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: State$Async
String ID:
API String ID: 993286747-0
Opcode ID: b84a4695beba6443555084af221b8449dda9ac50571e9db9884ce59f4f8eb9e1
Instruction ID: 8d67679355f059371e97a67b7036a14d9e101ddf765597e44d65d15b57859324
Opcode Fuzzy Hash: b84a4695beba6443555084af221b8449dda9ac50571e9db9884ce59f4f8eb9e1
Instruction Fuzzy Hash: CBB12434714245CBE311E768C684BDEB3E3AFA5308F9084A0A5449F369DEB6DDC24F51

Function 240AC424 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?), ref: 240AC441
GetCurrentProcess.KERNEL32(00000020,?,00000000,240AC4E9,?,?), ref: 240AC467
OpenProcessToken.ADVAPI32(00000000,00000020,?,00000000,240AC4E9,?,?), ref: 240AC46D
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 240AC480
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,?,00000000,SeDebugPrivilege,?,00000000,00000020,?,00000000,240AC4E9,?,?), ref: 240AC4AA
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000,?,00000000,SeDebugPrivilege,?,00000000), ref: 240AC4D1
CloseHandle.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000,?,00000000,SeDebugPrivilege,?), ref: 240AC4DA

Strings

SeDebugPrivilege, xrefs: 240AC479

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Token$AdjustPrivilegesProcess$CloseCurrentHandleLookupOpenPrivilegeValueVersion
String ID: SeDebugPrivilege
API String ID: 3222167619-2896544425
Opcode ID: e2c99be8d6ef531b310329a404707eadcf86c4b495a4a577218cf05a241eb51b
Instruction ID: c643fb9694b335e928241480d7b787165963904f8353b599f1a0e75def4a030f
Opcode Fuzzy Hash: e2c99be8d6ef531b310329a404707eadcf86c4b495a4a577218cf05a241eb51b
Instruction Fuzzy Hash: 852172B1A04208BEFB10CBE4DD45FEFBBBCEB05708F1144A5E704E6185E6745A848FA1

Function 24085B30 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(00000094), ref: 24085B4D
GetCurrentProcess.KERNEL32(00000020,?,00000000,24085BF5,?,00000094), ref: 24085B73
OpenProcessToken.ADVAPI32(00000000,00000020,?,00000000,24085BF5,?,00000094), ref: 24085B79
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 24085B8C
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000000,00000020,?,00000000,24085BF5,?,00000094), ref: 24085BB6
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,?,?,00000000,00000001,00000000,00000000,?,00000000,00000020,?,00000000), ref: 24085BDD
CloseHandle.KERNEL32(?,?,00000000,00000001,00000000,00000000,?,?,00000000,00000001,00000000,00000000,?,00000000,00000020,?), ref: 24085BE6

Strings

SeDebugPrivilege, xrefs: 24085B85

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Token$AdjustPrivilegesProcess$CloseCurrentHandleLookupOpenPrivilegeValueVersion
String ID: SeDebugPrivilege
API String ID: 3222167619-2896544425
Opcode ID: e3a341f096ad53d33e2fcd37da28399bbce27359c83d5c7a6c38cf2511b19f25
Instruction ID: 65c708978f2a120bc28892b833299d91b42c295770cb7848f347b1e5bd043064
Opcode Fuzzy Hash: e3a341f096ad53d33e2fcd37da28399bbce27359c83d5c7a6c38cf2511b19f25
Instruction Fuzzy Hash: 14210371A00208BEFB10CBA5DE55FEFBBBCEB15704F5044A5E604E6181EA755A848FA1

Function 240ACBE4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 98serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 240AC424: GetVersionExA.KERNEL32(?), ref: 240AC441
Part of subcall function 240AC424: GetCurrentProcess.KERNEL32(00000020,?,00000000,240AC4E9,?,?), ref: 240AC467
Part of subcall function 240AC424: OpenProcessToken.ADVAPI32(00000000,00000020,?,00000000,240AC4E9,?,?), ref: 240AC46D
Part of subcall function 240AC424: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 240AC480
Part of subcall function 240AC424: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,?,00000000,SeDebugPrivilege,?,00000000,00000020,?,00000000,240AC4E9,?,?), ref: 240AC4AA
Part of subcall function 240AC424: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000,?,00000000,SeDebugPrivilege,?,00000000), ref: 240AC4D1
Part of subcall function 240AC424: CloseHandle.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000,?,00000000,SeDebugPrivilege,?), ref: 240AC4DA

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,240ACD0F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 240ACC29
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,240ACCD4), ref: 240ACC6A

Part of subcall function 24086858: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 2408689E
Part of subcall function 24086858: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,00000000,00000000,240868FD), ref: 240868C6
Part of subcall function 24086858: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,00000000,00000000,240868FD), ref: 240868D5

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 240ACCBF
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 240ACCC5

Strings

System\CurrentControlSet\Services\, xrefs: 240ACC90
Description, xrefs: 240ACCAF

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Close$HandleServiceToken$AdjustCreateOpenPrivilegesProcessValue$CurrentLookupManagerPrivilegeVersion
String ID: Description$System\CurrentControlSet\Services\
API String ID: 3877902884-3489731058
Opcode ID: 9a0b62fd6d984170c5ad2a7505ea9847ebe06638d16effb31841ee3752c8e559
Instruction ID: 4119923525d2f5f7ad66db6561a858890574030ec671d0f966480f87724eb80a
Opcode Fuzzy Hash: 9a0b62fd6d984170c5ad2a7505ea9847ebe06638d16effb31841ee3752c8e559
Instruction Fuzzy Hash: B921E770A04219AFEB01DBE1CD51FAFBBF8EF95744F118035E600A7298DE759981CA64

Function 240AC858 Relevance: 10.6, APIs: 7, Instructions: 89serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,240AC93E), ref: 240AC89D
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,240AC93E), ref: 240AC8CD
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,240AC93E), ref: 240AC8F5
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,240AC93E), ref: 240AC903
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,240AC93E), ref: 240AC90D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,240AC93E), ref: 240AC913
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,240AC93E), ref: 240AC919

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$ControlManagerQueryStartStatus
String ID:
API String ID: 1698138069-0
Opcode ID: 344efda87ddb6d0244a93ceef55f82d995d2f73bd47fe966ab28a5e7173072c9
Instruction ID: 1356bbf25fe69f358075657191841b52d1daf6e5f7ed69793ef279b670921a7e
Opcode Fuzzy Hash: 344efda87ddb6d0244a93ceef55f82d995d2f73bd47fe966ab28a5e7173072c9
Instruction Fuzzy Hash: 7221B571E08228AEEB01DEF48C44FAE77FCEB65614F124435E600E3204DA719A818A65

Function 240AB354 Relevance: 10.6, APIs: 7, Instructions: 70injectionmemorythreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 240AB36C
VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,?,00000000), ref: 240AB396
VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 240AB3A5
GetModuleHandleA.KERNEL32(00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 240AB3B8
WriteProcessMemory.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 240AB3C0
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 240AB3E1
CloseHandle.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 240AB3E7

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Handle$ModuleVirtual$AllocCloseCreateFreeMemoryProcessRemoteThreadWrite
String ID:
API String ID: 2398686212-0
Opcode ID: 320e831d3db3fd37a1909f490eb8679622ef688ad2e82d5ecf3d3b5ad779abdd
Instruction ID: 2a9b0eff2ce8090d2b9901b7a008506786236bc742ca8e3c10c83ab9f57a414f
Opcode Fuzzy Hash: 320e831d3db3fd37a1909f490eb8679622ef688ad2e82d5ecf3d3b5ad779abdd
Instruction Fuzzy Hash: F5111CB16483047FE350DA698D81F2FBBEDDBC4B14F548828B648DB281D670E84487A6

Function 24085FE4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,24086160), ref: 24086067
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,24086160), ref: 24086108
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,24086160), ref: 2408611C
RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,24086160), ref: 2408612A

Strings

*.*, xrefs: 2408604E

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Find$File$CloseDirectoryFirstNextRemove
String ID: *.*
API String ID: 81111410-438819550
Opcode ID: f44dd8451d94908377e351809a3ef052a581cbca13785e8e9f919bf6a5cbe050
Instruction ID: 7698063760a6dbb61d817c2006e18c422c7c8a3581a6066dbc84a2267262fad2
Opcode Fuzzy Hash: f44dd8451d94908377e351809a3ef052a581cbca13785e8e9f919bf6a5cbe050
Instruction Fuzzy Hash: EB416D30A00608ABEB10DBA4CF80ACEB7F5AFD5758F5185B4D404A735AEB31AFC58E51

Function 24085FE2 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,24086160), ref: 24086067
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,24086160), ref: 24086108
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,24086160), ref: 2408611C
RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,24086160), ref: 2408612A

Strings

*.*, xrefs: 2408604E

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Find$File$CloseDirectoryFirstNextRemove
String ID: *.*
API String ID: 81111410-438819550
Opcode ID: 4c030c3950bbef0631a150432673120d0db357fa0d4627a6a695e9e0aaca64d1
Instruction ID: aa455c1306ca748723992af8ee51eb36ed302166786371418a3e339c22e238bb
Opcode Fuzzy Hash: 4c030c3950bbef0631a150432673120d0db357fa0d4627a6a695e9e0aaca64d1
Instruction Fuzzy Hash: FA318130900608ABEB11DBE4CF80A8EB7F4AFD5758F5145B4D404A735AEB31AFC18E51

Function 240ACDE0 Relevance: 7.6, APIs: 5, Instructions: 72clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 240ACE11
GetClipboardData.USER32(0000000F), ref: 240ACE26
DragQueryFile.SHELL32(00000000,000000FF,00000000,00000000), ref: 240ACE38
DragQueryFile.SHELL32(00000000,00000000,00000000,00000105), ref: 240ACE6B
CloseClipboard.USER32 ref: 240ACEB6

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Clipboard$DragFileQuery$CloseDataOpen
String ID:
API String ID: 3062564445-0
Opcode ID: e0dceee8c1bd39cee9fbd9b24a83ff4ae3c0aa2806b27e77456caafc19e911b4
Instruction ID: 21c2928a1178f84fac58b3fe00b8b20abb8fa02fb9d9a49ef5ba362ae7afd610
Opcode Fuzzy Hash: e0dceee8c1bd39cee9fbd9b24a83ff4ae3c0aa2806b27e77456caafc19e911b4
Instruction Fuzzy Hash: CD215C3050862C7FF712DBA8CC50FDF7EB9DB99B44F4200F4E604A2284DAB549C08EA1

Function 240ACFC8 Relevance: 7.6, APIs: 5, Instructions: 54clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 240ACFDC
GlobalAlloc.KERNEL32(00002002,00000000,00000000,240AD092,?,00000000), ref: 240ACFF5
GlobalLock.KERNEL32(?), ref: 240AD00F
SetClipboardData.USER32(00000001,?), ref: 240AD03A
GlobalUnlock.KERNEL32(?), ref: 240AD050

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Global$Clipboard$AllocDataLockOpenUnlock
String ID:
API String ID: 3395808788-0
Opcode ID: 5fc4303aa5ac159be724660b4e9fb940535989ea8bfd5f94d5b2a71d768a9f8b
Instruction ID: e1f670fe9767e1a47b5a6f7d70a9c5607cf248d1db0657ed52db441e337caf38
Opcode Fuzzy Hash: 5fc4303aa5ac159be724660b4e9fb940535989ea8bfd5f94d5b2a71d768a9f8b
Instruction Fuzzy Hash: BE012F70200704BFF7128FB5DE71E2EBBAEDB5AA44BC20860FA00C3A04D9769D50CDA0

Function 240AC950 Relevance: 7.5, APIs: 5, Instructions: 49serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,240AC9CF), ref: 240AC97B
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,240AC9CF), ref: 240AC995
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,240AC9CF), ref: 240AC9A1
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,240AC9CF), ref: 240AC9AE
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,240AC9CF), ref: 240AC9B4

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$DeleteManager
String ID:
API String ID: 204194956-0
Opcode ID: 5d8e3f8f3b4f6b5f4b43c002c1e179242b27bbb121da3e3c960a40674b34612d
Instruction ID: ef67621835be4fc40a79d7c21f5be899f17b56b03fec41528d6c3a1963692e5c
Opcode Fuzzy Hash: 5d8e3f8f3b4f6b5f4b43c002c1e179242b27bbb121da3e3c960a40674b34612d
Instruction Fuzzy Hash: 6101F4716087247AF712DAB5CD55F2F769CDFA5658F030471BB00A6288DEB08E8095A0

Function 240AEAA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69nativeCOMMON

Download Yara Rule

APIs

SetPropA.USER32(?,OBJECT,00000000), ref: 240AEAC8
GetPropA.USER32(?,OBJECT), ref: 240AEAEC
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 240AEB30

Strings

OBJECT, xrefs: 240AEAC2, 240AEAE6

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Prop$NtdllProc_Window
String ID: OBJECT
API String ID: 1456104087-1481993322
Opcode ID: d7f3349067f6d571eb6176f930057e4cef61dd13c4399eb666c69671f3ed84e6
Instruction ID: e9e2e137cbae3e0fa5b2f9c52a66f367a7d282de8256e5234044eff5076e7dac
Opcode Fuzzy Hash: d7f3349067f6d571eb6176f930057e4cef61dd13c4399eb666c69671f3ed84e6
Instruction Fuzzy Hash: 1C213071A11229AFD700CFA8C984DAFBBF9EF49610B504169FD45EB300D770DE448BA1

Function 240C47C8 Relevance: 6.1, APIs: 4, Instructions: 100memoryinjectionCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 240C482D
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00003000,00000040), ref: 240C4840
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,00000000,00000000,00008000,?,?,00003000,00000040), ref: 240C485A
WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,?,?,00003000,00000040), ref: 240C489C

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$FreeMemoryProcessWrite
String ID:
API String ID: 2022580353-0
Opcode ID: 914536b1b8aa764b6814e80e1b55df6753d14af1d98b1894871ba7de307621ad
Instruction ID: 78dafd8a7f2686a249cfde6ffcc8d1192c47f8a2ca109cf1e394441238cac9f3
Opcode Fuzzy Hash: 914536b1b8aa764b6814e80e1b55df6753d14af1d98b1894871ba7de307621ad
Instruction Fuzzy Hash: 3C311971A00245EBEB40CAA9CD81F9EBBF9FB98604F508064EA04E7644D674EA548BA4

Function 24085C1C Relevance: 6.0, APIs: 4, Instructions: 37nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,?,240CB980,?,240C641D,00000000,00000000,Function_000451BC,00000000,00000000,240D37B8,00000000,00000000,Function_00044C04), ref: 24085C29
NtQueryInformationProcess.NTDLL(00000000,00000016,?,00000004,00000000), ref: 24085C40
NtSetInformationProcess.NTDLL(00000000,00000016,?,00000004), ref: 24085C5E
CloseHandle.KERNEL32(00000000,001F0FFF,00000000,00000000,?,240CB980,?,240C641D,00000000,00000000,Function_000451BC,00000000,00000000,240D37B8,00000000,00000000), ref: 24085C6C

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Process$Information$CloseHandleOpenQuery
String ID:
API String ID: 1636144130-0
Opcode ID: 8b0411576a1d48e6dbe04b4ade3104a22fdf87d3cfc7ab914bc7621fac0affc4
Instruction ID: 2878b598d9c0f3458bc33b304419cd33c772740ea96656668a389b7a3b3379aa
Opcode Fuzzy Hash: 8b0411576a1d48e6dbe04b4ade3104a22fdf87d3cfc7ab914bc7621fac0affc4
Instruction Fuzzy Hash: DDF0E5723863143EF3315A544EC2FAF268DDF15BA8F000529F740D60C0C3589EC856E6

Function 240AD390 Relevance: 6.0, APIs: 4, Instructions: 37timefileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 240AD3AB
FindClose.KERNEL32(00000000,00000000,?), ref: 240AD3B6
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 240AD3CF
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 240AD3E0

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: FileTime$Find$CloseDateFirstLocal
String ID:
API String ID: 2659516521-0
Opcode ID: bc18a95d79a38cb25cabca8d8cea9629f06e396e38b576b1112dcdfe7026f1e7
Instruction ID: 2c51c5b57760e82c913d616b771ef1d0a6758554383f9de2a44dcf55d2a79552
Opcode Fuzzy Hash: bc18a95d79a38cb25cabca8d8cea9629f06e396e38b576b1112dcdfe7026f1e7
Instruction Fuzzy Hash: 75F01272D0024C66DB11DBE58D849CFB3FC9F19214F5006A6E619D21D6FB34AB849BA0

Function 240AC9E0 Relevance: 4.6, APIs: 3, Instructions: 134serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,240ACBBC), ref: 240ACA42
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?,00000000,00000000,00000005,00000000,240ACBBC), ref: 240ACA7C
CloseServiceHandle.ADVAPI32(00000000,00000000,0000013F,00000003,?,00004800,?,?,?,00000000,00000000,00000005,00000000,240ACBBC), ref: 240ACB99

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: CloseEnumHandleManagerOpenServiceServicesStatus
String ID:
API String ID: 236840872-0
Opcode ID: f055424034dcd8ad995ca2098d98aa884f3f36329fe5df601860722a51ec36f6
Instruction ID: e1851471c51b200b567766870b23dae0123b000041c704876e487b711211e06b
Opcode Fuzzy Hash: f055424034dcd8ad995ca2098d98aa884f3f36329fe5df601860722a51ec36f6
Instruction Fuzzy Hash: C851B3B09041689BEF11DB94CD40B8EB7F9EF58704F11C8A6A304A6258DEB69FC5CF94

Function 24088DE0 Relevance: 4.6, APIs: 3, Instructions: 89COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(?), ref: 24088E18
GetLocaleInfoA.KERNEL32(00000000,00001001,?,00000040,00000000,24088F57), ref: 24088E7B
GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000040,00000000,00001001,?,00000040,00000000,24088F57), ref: 24088EDE

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: InfoLocale$KeyboardLayoutName
String ID:
API String ID: 3953094008-0
Opcode ID: dcb3d6fc136b17e0cc09dccacee25ae6f563d5167a4ea418523229c5a5065539
Instruction ID: a7de17463bf9b8672700977f6a9692cb43fe1037bea6c5b4cb15ec170310b6aa
Opcode Fuzzy Hash: dcb3d6fc136b17e0cc09dccacee25ae6f563d5167a4ea418523229c5a5065539
Instruction Fuzzy Hash: FB310C30A0021D9FEB24DB61CD90FCDB3BAAF94304F4084E5960CA655AEB75AF898F55

Function 2409E130 Relevance: 4.6, APIs: 3, Instructions: 62networkmemoryCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000002,?), ref: 2409E14F
GetProcessHeap.KERNEL32(00000002,00000002,00000000,2409E1E7,?,00000002,?), ref: 2409E1C1
WSACleanup.WS2_32 ref: 2409E1E1

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: CleanupHeapProcessStartup
String ID:
API String ID: 1581707949-0
Opcode ID: 6417c44ca987680ec8269f9c4a0a73358d61271665c58d01ec468633ca4878b5
Instruction ID: 3efc5ae402745d003a7f647a3cd3a89e21a58c32fa220c626884af5c5b40f184
Opcode Fuzzy Hash: 6417c44ca987680ec8269f9c4a0a73358d61271665c58d01ec468633ca4878b5
Instruction Fuzzy Hash: C7116D70909204BFFB11CF64CE1EF697BE8D785B10F500278B618A95E1E6745AC0EB56

Function 240B092C Relevance: 4.6, APIs: 3, Instructions: 54COMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(00000200,00000000), ref: 240B095E
SetErrorMode.KERNEL32(00000001,00000000,240B09C9,?,?,?,00000000,00000000), ref: 240B0965
GetDriveTypeA.KERNEL32(00000000,240B09E0,?,?,00000001,00000000,240B09C9,?,?,?,00000000,00000000), ref: 240B0981

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Drive$ErrorLogicalModeStringsType
String ID:
API String ID: 2040483995-0
Opcode ID: 21af6301e4383a60b267d77919e6aef4ba687db46a133fa7f8a09336d5cdb994
Instruction ID: 2750ecc62d4e3e62a68a737cda081424d3af883419236b75662827b522e61893
Opcode Fuzzy Hash: 21af6301e4383a60b267d77919e6aef4ba687db46a133fa7f8a09336d5cdb994
Instruction Fuzzy Hash: 94012B307043087FFB1297A0CD91F6E769DEB95704F510475F640A228DDD759EC08E6A

Function 240C0318 Relevance: 4.5, APIs: 3, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,240D32F8,240D3310,00000008,240C1C21,00000010,00000000,240C1D9B,?,?,?,?,00000000,00000000), ref: 240C0326
MapVirtualKeyA.USER32(240D32F8,00000000), ref: 240C034C
ToAscii.USER32(240D32F8,00000000,?,00000000,00000000), ref: 240C0353

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: AsciiKeyboardStateVirtual
String ID:
API String ID: 1835671472-0
Opcode ID: c2fdc19dcd3515717c7fdfbf9e1a8ae958a982b41a0d4f373b62abf17821b794
Instruction ID: 30b8776423390409e60af3780e99756b8cca8bf51f80fc654e201e23549bd15e
Opcode Fuzzy Hash: c2fdc19dcd3515717c7fdfbf9e1a8ae958a982b41a0d4f373b62abf17821b794
Instruction Fuzzy Hash: 09F089A270021077F30016BDCD81F7F548DABD115DF40457AB648C63CAD4A6CDC849E3

Function 240AB308 Relevance: 4.5, APIs: 3, Instructions: 41memoryinjectionCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00003000,00000040), ref: 240AB320
VirtualProtectEx.KERNEL32(00000000,00000000,00000000,00000040,00000040,00000000,00000000,00000000,00003000,00000040), ref: 240AB331
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000040,00000040,00000000,00000000,00000000,00003000,00000040), ref: 240AB33F

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Virtual$AllocMemoryProcessProtectWrite
String ID:
API String ID: 4073123320-0
Opcode ID: 56a4fa6d0645d3133e1c967b66819faa260882d9c1448904df0e9c057e9cc939
Instruction ID: ec3fc5a8395f1374215d0fbbce632eae93c84ba03dde5342e0e435e0f1e76053
Opcode Fuzzy Hash: 56a4fa6d0645d3133e1c967b66819faa260882d9c1448904df0e9c057e9cc939
Instruction Fuzzy Hash: 7CE06D623062543AF321009B1D85FAB6A9CCBC6BAAF10013AFB08A51C0E991AD4541B9

Function 240B4968 Relevance: 3.1, APIs: 2, Instructions: 60keyboardCOMMON

Download Yara Rule

APIs

keybd_event.USER32(00000000,00000001,00000000,00000000), ref: 240B49DD
keybd_event.USER32(00000000,00000001,00000002,00000000), ref: 240B49E9

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: keybd_event
String ID:
API String ID: 2665452162-0
Opcode ID: 9e1432e1e18d23246adf1469c9ffbdc09c085d17ac10e580e743c58d46fc305b
Instruction ID: 0d2d97dafe3bcee5b9ed1b3e0b556e2b890e37e705b73a2f7cc539446712dd4b
Opcode Fuzzy Hash: 9e1432e1e18d23246adf1469c9ffbdc09c085d17ac10e580e743c58d46fc305b
Instruction Fuzzy Hash: ED117730744204ABFB10DBA4CD91B9EB7E9EFA8304F608160A440F7799EAB59F80965D

Function 240C3EC0 Relevance: 3.1, APIs: 2, Instructions: 51memoryinjectionCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,240C3F3E,?,?,?,?,00000000,00000000,00000000), ref: 240C3EFC
WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,240C3F3E), ref: 240C3F1E

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: AllocMemoryProcessVirtualWrite
String ID:
API String ID: 645232735-0
Opcode ID: 9dce58e893b70c0d385be3412142bb6dea6624c4ec192c00eb49b1f259c0ead4
Instruction ID: 670fc7e47a18eb5832661f4ee273d3a68bd1ec9e4419dc5af7cbe6603f157dbd
Opcode Fuzzy Hash: 9dce58e893b70c0d385be3412142bb6dea6624c4ec192c00eb49b1f259c0ead4
Instruction Fuzzy Hash: 9E01F431600248BFFB11CAA1CD51FAFF7ADEBD9B44F6140B1F900E7284DAB5AE418564

Function 240C3F50 Relevance: 3.0, APIs: 2, Instructions: 28memoryinjectionCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,240C3F9D), ref: 240C3F66
WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,?,?,?,240C3F9D), ref: 240C3F72

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: AllocMemoryProcessVirtualWrite
String ID:
API String ID: 645232735-0
Opcode ID: 1b34d99aab3994f6339959341006049085c8a587ea987c4491767cdf6ce40f0b
Instruction ID: 8676e0f0080f1343b268aa5802eae8353383cdc0aa1c01798f287bb214c501db
Opcode Fuzzy Hash: 1b34d99aab3994f6339959341006049085c8a587ea987c4491767cdf6ce40f0b
Instruction Fuzzy Hash: 1FD05EA234621437F234106B6C45FAB1E4DCBC7BF9E110036B708E6281D4925C0041B8

Function 240A34CC Relevance: 1.6, Strings: 1, Instructions: 368COMMON

Download Yara Rule

Strings

@, xrefs: 240A38A7

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: ab98c2aed12ef7e826b10b711029d19c4dedaf7dfd46895b92a267d123399ca2
Instruction ID: 534700772c3e8222777ece1412b50ff606525f1daa3f4d8bec12aeaa028077fa
Opcode Fuzzy Hash: ab98c2aed12ef7e826b10b711029d19c4dedaf7dfd46895b92a267d123399ca2
Instruction Fuzzy Hash: 53F14774E00269CFCB14CFE8C580AEEBBB2FF88314F248169D951AB351D7B59A81CB51

Function 240AB690 Relevance: 1.5, APIs: 1, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 240AB6A5

Part of subcall function 240AB624: 6ED92200.AVICAP32(Video,50000000,00000000,00000000,00000280,000001E0,?,00000001,240B9038,000003E8,000003E8,240BE184,webcamgetbuffer,240BE184,webcam,240BE184), ref: 240AB644
Part of subcall function 240AB624: SendMessageA.USER32(?,0000040B,00000000,00000000), ref: 240AB65D
Part of subcall function 240AB624: UnregisterClassA.USER32(MainForm,?), ref: 240AB674

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: ClassD92200MessageNtdllProc_SendUnregisterWindow
String ID:
API String ID: 2584475382-0
Opcode ID: 74626c36f2ce0fe2ba0b25495e6ac0bbee8d73dfe1dc0e3524e6ddd753c88333
Instruction ID: 62e514c3206881a8b174c8894201bffe12ad9eebb8f85f0b0a6b5d09a11e2709
Opcode Fuzzy Hash: 74626c36f2ce0fe2ba0b25495e6ac0bbee8d73dfe1dc0e3524e6ddd753c88333
Instruction Fuzzy Hash: DAD06272A0016C6B9750DDE9DCC0C9BB3ECEB19164B544511FF14D7201D575DD5087B1

Function 24088F80 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000400,0000005A,00000005,00000005), ref: 24088F9B

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 28c5b5fb3c4d62c0abc58585841f9c2e4756f30ed3372ed4e41b974c69bd6d78
Instruction ID: 5743a79b4e39abd6233bdd8bf1a4a5a9a85ef4933f4049e609da7448167a1b63
Opcode Fuzzy Hash: 28c5b5fb3c4d62c0abc58585841f9c2e4756f30ed3372ed4e41b974c69bd6d78
Instruction Fuzzy Hash: 0AD095133487002BF81081741F8170D53C45790335F500235F704DF2C6DDA5C44D6757

Function 240917EC Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(00000000), ref: 2409180B

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: ef5e2074d3a2af1871b8af6108e12c260b89c9224399b4e881205f4710e18838
Instruction ID: 0018626f68cccbc35ec4a16505f92b095720753c52eebf6585240af9562ebcd1
Opcode Fuzzy Hash: ef5e2074d3a2af1871b8af6108e12c260b89c9224399b4e881205f4710e18838
Instruction Fuzzy Hash: DED05E72304210ABFA00A7789E8089E56CCDFA55A8B000439F084CB209C97A8C8583A5

Function 24081644 Relevance: 1.5, APIs: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 2408164E

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: SystemTime
String ID:
API String ID: 2656138-0
Opcode ID: 564a6395351698595fdb5722eddf0d527c13ade55289ec0eb4d0e07075f9208a
Instruction ID: 24dc1a89084b4a0a210609edafe67ebf93abdf2363aceda81fbdba882826ba09
Opcode Fuzzy Hash: 564a6395351698595fdb5722eddf0d527c13ade55289ec0eb4d0e07075f9208a
Instruction Fuzzy Hash: 1CE08611E0050E86CB04AFA5CD436EDF7BEEFA5500F044172A818EA2D0F631C792C344

Function 2409FD44 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591cb859711fab9ed46bfe1b3f20604925a5fa05e4c43a8bf956a236709ee330
Instruction ID: ffc9a9d20b05c6644f5d4388ad327aac4b89e1e99f7b388e4fb441f4ffedbd89
Opcode Fuzzy Hash: 591cb859711fab9ed46bfe1b3f20604925a5fa05e4c43a8bf956a236709ee330
Instruction Fuzzy Hash: B2521274200214CFDB1ACF68C5C0A577BE2BB49314F1486A9DD468F28BC734E996CFA2

Function 2409F414 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46a25728c0e4dbe5aa0a1433bd48846487817f0c63754d6310f19dcd07371b1
Instruction ID: 699dac9fede36f649ac90fd3507987b5886e716aa5aacc918041474151cfc273
Opcode Fuzzy Hash: a46a25728c0e4dbe5aa0a1433bd48846487817f0c63754d6310f19dcd07371b1
Instruction Fuzzy Hash: 9A61233238DB8103E33D8E7D5CE02B7DAD35FCA21862ED97D94DAC3F52E85AA4565204

Function 240A5C24 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06de988cec878ba0ca36bc87ef1ab69ba565fea0b0e74ecb0b3620ea03bb8e49
Instruction ID: 38ef5d6753b6c2d5a976dfa3aea941ceeb7f0cce08687278d9cb5981a65d473a
Opcode Fuzzy Hash: 06de988cec878ba0ca36bc87ef1ab69ba565fea0b0e74ecb0b3620ea03bb8e49
Instruction Fuzzy Hash: D7817C73D114374BEB628EA88C443A17392AFCC39EF5B46B0EE04BB64AD534BD5186C0

Function 240A5970 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd6e5c21f8e827ed8dbbf5a91f2e70f5af707ada584e64f1391109d8132eb73
Instruction ID: 4e24f6b4f3e1b7025789b109135905238c69c312b8a018972671bd5aa78fc23e
Opcode Fuzzy Hash: fdd6e5c21f8e827ed8dbbf5a91f2e70f5af707ada584e64f1391109d8132eb73
Instruction Fuzzy Hash: 29713773D214779BEB608EA888443617392FF8921CF6B46B0DE05BB647C634BD4296D0

Function 2408544E Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b11512028303bfa0212bcb5a4be5029ed673fec3b531c205c09ceb8686c6913
Instruction ID: 765a02390459b722a7e42cc91e8e35948eb20d4447e2402fcb4df8627caf6720
Opcode Fuzzy Hash: 5b11512028303bfa0212bcb5a4be5029ed673fec3b531c205c09ceb8686c6913
Instruction Fuzzy Hash:

Function 2408528E Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b6c3cfccdfbc13d2c4430a2e4818bbeaec33822d90a4aef412c98eaaa4eb50
Instruction ID: b73129b27390d48c7e33efaa9897afac445b3a33389757b875c844398a45cc5b
Opcode Fuzzy Hash: 65b6c3cfccdfbc13d2c4430a2e4818bbeaec33822d90a4aef412c98eaaa4eb50
Instruction Fuzzy Hash:

Function 240ABD34 Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PSAPI.dll,?,240AC0D5), ref: 240ABD48
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 240ABD64
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 240ABD76
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 240ABD88
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 240ABD9A
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 240ABDAC
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 240ABDBE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 240ABDD0
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 240ABDE2
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 240ABDF4
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet), ref: 240ABE06
GetProcAddress.KERNEL32(00000000,QueryWorkingSet), ref: 240ABE18
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch), ref: 240ABE2A
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA), ref: 240ABE3C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA), ref: 240ABE4E
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA), ref: 240ABE60
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA), ref: 240ABE72
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA), ref: 240ABE84
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA), ref: 240ABE96
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW), ref: 240ABEA8
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW), ref: 240ABEBA

Strings

QueryWorkingSet, xrefs: 240ABE10
GetMappedFileNameW, xrefs: 240ABEA0
GetModuleInformation, xrefs: 240ABDEC
GetDeviceDriverBaseNameA, xrefs: 240ABE46, 240ABE7C
GetModuleBaseNameA, xrefs: 240ABD80, 240ABDA4
GetProcessMemoryInfo, xrefs: 240ABEE8
GetDeviceDriverFileNameW, xrefs: 240ABEC4
EnumProcesses, xrefs: 240ABD5C
EmptyWorkingSet, xrefs: 240ABDFE
GetModuleBaseNameW, xrefs: 240ABDC8
GetModuleFileNameExW, xrefs: 240ABDDA
EnumDeviceDrivers, xrefs: 240ABED6
PSAPI.dll, xrefs: 240ABD43
EnumProcessModules, xrefs: 240ABD6E
InitializeProcessForWsWatch, xrefs: 240ABE22
GetDeviceDriverBaseNameW, xrefs: 240ABEB2
GetMappedFileNameA, xrefs: 240ABE34, 240ABE6A
GetModuleFileNameExA, xrefs: 240ABD92, 240ABDB6
GetDeviceDriverFileNameA, xrefs: 240ABE58, 240ABE8E

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$PSAPI.dll$QueryWorkingSet
API String ID: 2238633743-2267155864
Opcode ID: 679cdb755da540f30d0bf9d195abba68b29756466005435138b47e1bae2e4b6e
Instruction ID: 5f2050a9966ed69662b8963369bb0cb3408b06068752157d5f341148dbf79fc1
Opcode Fuzzy Hash: 679cdb755da540f30d0bf9d195abba68b29756466005435138b47e1bae2e4b6e
Instruction Fuzzy Hash: 31414DB0914A20AFEB00DFF5C9D4F2A3BE9EB162087450569F600EF658D639D9C4AF91

Function 240B4638 Relevance: 54.4, APIs: 25, Strings: 6, Instructions: 181registrysleepCOMMON

Download Yara Rule

APIs

Part of subcall function 24084F18: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 24084F2E

Sleep.KERNEL32(00000064,00000000,240B4885,?,?,00000000,00000000,00000000), ref: 240B4697
CloseHandle.KERNEL32(00000000,00000000,240B4885,?,?,00000000,00000000,00000000), ref: 240B46B2
CloseHandle.KERNEL32(00000000,00000000,00000000,240B4885,?,?,00000000,00000000,00000000), ref: 240B46BF
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,240B4885,?,?,00000000,00000000,00000000), ref: 240B46E1
RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 240B4707
RegDeleteValueA.ADVAPI32(00000000,00000000,80000002,Software\Microsoft\Windows\CurrentVersion\Run,?,00000000,00000080,00000000,00000000,00000000,240B4885,?,?,00000000,00000000,00000000), ref: 240B471C
RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000002,Software\Microsoft\Windows\CurrentVersion\Run,?,00000000,00000080,00000000,00000000,00000000,240B4885,?,?,00000000,00000000), ref: 240B4724
RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 240B473E
RegDeleteValueA.ADVAPI32(00000000,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Run,?,00000000,00000080,00000000,00000000,00000000,240B4885,?,?,00000000,00000000,00000000), ref: 240B4753
RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Run,?,00000000,00000080,00000000,00000000,00000000,240B4885,?,?,00000000,00000000), ref: 240B475B
RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?), ref: 240B4775
RegDeleteValueA.ADVAPI32(00000000,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?,00000000,00000080,00000000,00000000,00000000,240B4885,?,?,00000000,00000000,00000000), ref: 240B478A
RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?,00000000,00000080,00000000,00000000,00000000,240B4885,?,?,00000000,00000000), ref: 240B4792
RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?), ref: 240B47A2
RegDeleteValueA.ADVAPI32(00000000,00000000,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?,00000000,00000000,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?,00000000,00000080,00000000,00000000,00000000), ref: 240B47B7
RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?,00000000,00000000,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?,00000000,00000080,00000000,00000000), ref: 240B47BF
RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,00000000,00000080,00000000,00000000,00000000,240B4885,?,?,00000000,00000000,00000000), ref: 240B47E0
RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 240B47F5
RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000002,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,00000000,00000080,00000000,00000000,00000000,240B4885), ref: 240B47FD
RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,00000000,00000000,00000000,80000002,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,00000000,00000080,00000000), ref: 240B4814
RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 240B4829
RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,00000000,00000000,00000000,80000002,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?), ref: 240B4831
RegOpenKeyExA.ADVAPI32(80000001,Software\,00000000,00020006,?,00000000,00000080,00000000,00000000,00000000,240B4885,?,?,00000000,00000000,00000000), ref: 240B4848
RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 240B485D
RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000001,Software\,00000000,00020006,?,00000000,00000080,00000000,00000000,00000000,240B4885), ref: 240B4865

Strings

Software\Microsoft\Active Setup\Installed Components\, xrefs: 240B47D6, 240B480A
_SAIR, xrefs: 240B465E
exit, xrefs: 240B468B
Software\, xrefs: 240B483E
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 240B46FD, 240B4734
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, xrefs: 240B476B, 240B4798

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Close$DeleteOpen$Value$Handle$AttributesCreateFileMutexSleep
String ID: Software\$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run$Software\Microsoft\Windows\CurrentVersion\Run$_SAIR$exit
API String ID: 2709957979-2341067361
Opcode ID: 51a89a01d2178feaa59726530b3847a02c50a33d72caa2ea782ed869ece21656
Instruction ID: b03a5f83277aec06b835a215a81c1517e203e7727acf484ece3fc80a12f918f2
Opcode Fuzzy Hash: 51a89a01d2178feaa59726530b3847a02c50a33d72caa2ea782ed869ece21656
Instruction Fuzzy Hash: 6C51CE74600254EFE700DFA9DAC4F1A73E9EB6A248F500460B540FB359EA78EDC08F65

Function 24090C08 Relevance: 52.8, APIs: 7, Strings: 23, Instructions: 339filewindowsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 24086C78: FindFirstFileA.KERNEL32(00000000,?,00000000,24086CD5,?,00000000), ref: 24086CAD
Part of subcall function 24086C78: FindClose.KERNEL32(00000000,00000000,?,00000000,24086CD5,?,00000000), ref: 24086CB8

GetTickCount.KERNEL32 ref: 24090F9B
TranslateMessage.USER32(?), ref: 24090FAC
DispatchMessageA.USER32(?), ref: 24090FB8
GetTickCount.KERNEL32 ref: 24090FBD
Sleep.KERNEL32(00000064,00000000,00000000,00000000,2409155C,?,2409155C,", True),?,Set objFile = objFileSystem.CreateTextFile(",00000000,24091156), ref: 24091003
DeleteFileA.KERNEL32(00000000,00000064,00000000,00000000,00000000,2409155C,?,2409155C,", True),?,Set objFile = objFileSystem.CreateTextFile(",00000000,24091156), ref: 24091011
DeleteFileA.KERNEL32(00000000, / ,?,?,?,?,00000000,00000064,00000000,00000000,00000000,2409155C,?,2409155C,", True),?), ref: 24091126

Part of subcall function 240866E4: LoadLibraryA.KERNEL32(shell32.dll,ShellExecuteA,?,?,?,?,2408627C,?,00000000,00000000,00000000,240862A2), ref: 240866FA
Part of subcall function 240866E4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 24086700

Strings

CountFW = 0, xrefs: 24090D27
Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48), xrefs: 24090C9B
For Each objAntiVirus In colAntiVirus, xrefs: 24090DAB
cscript.exe, xrefs: 24090E4C, 24090EBB, 24090EF4, 24090F63
open, xrefs: 24090ED2, 24090F7A
CountAV = 0, xrefs: 24090D3D
Set objFile = objFileSystem.CreateTextFile(", xrefs: 24090CDD
Enter = Chr(13) + Chr(10), xrefs: 24090D11
Set objFileSystem = CreateObject("Scripting.fileSystemObject"), xrefs: 24090CC7
objFile.Close, xrefs: 24090E19
Next, xrefs: 24090D95, 24090DED
Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48), xrefs: 24090CB1
/ , xrefs: 24091097, 240910EC
teste.vbs, xrefs: 24090C47
CountAV = CountAV + 1, xrefs: 24090DC1
Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter, xrefs: 24090DD7
Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter, xrefs: 24090D7F
", True), xrefs: 24090CE5
Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter"), xrefs: 24090C85
CountFW = CountFW + 1, xrefs: 24090D69
objFile.WriteLine(Info), xrefs: 24090E03
For Each objFirewall In colFirewall, xrefs: 24090D53
teste.txt, xrefs: 24090C65

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: File$CountDeleteFindMessageTick$AddressCloseDispatchFirstLibraryLoadProcSleepTranslate
String ID: / $", True)$CountAV = 0$CountAV = CountAV + 1$CountFW = 0$CountFW = CountFW + 1$Enter = Chr(13) + Chr(10)$For Each objAntiVirus In colAntiVirus$For Each objFirewall In colFirewall$Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter$Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter$Next$Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)$Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)$Set objFile = objFileSystem.CreateTextFile("$Set objFileSystem = CreateObject("Scripting.fileSystemObject")$Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")$cscript.exe$objFile.Close$objFile.WriteLine(Info)$open$teste.txt$teste.vbs
API String ID: 153418747-372987553
Opcode ID: 90cd02cbcbc54edf0e66bed4de8f3bf98385ee07c0e2b97398f6447681d3d1b1
Instruction ID: d89d2f1234f9cdf823f0317e7b3373685d5fad909fa360fcebee558a7ad2ff9a
Opcode Fuzzy Hash: 90cd02cbcbc54edf0e66bed4de8f3bf98385ee07c0e2b97398f6447681d3d1b1
Instruction Fuzzy Hash: D3C17230B0011567FB02FBA4DE80A8E72E59FA5A4CF9084A5E005AF74DCE71DFC25B66

Function 240A7E60 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 226filepipethreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_00027D20,00000000,00000000,?), ref: 240A7EC0
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 240A7EF2
CreatePipe.KERNEL32(?,?,0000000C,00000000,?,?,0000000C,00000000), ref: 240A7F08
GetStartupInfoA.KERNEL32(?), ref: 240A7F14
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000105,?,?,0000000C,00000000,?,?,0000000C,00000000), ref: 240A7F58
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000010,00000000,00000000,?,?,COMSPEC,?,00000105,?,?,0000000C), ref: 240A7F80
CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,000000FF,00000010,00000000,00000000,?,?,COMSPEC,?,00000105,?,?), ref: 240A7F89
CloseHandle.KERNEL32(?,?,00000000,?,00000000,00000000,000000FF,00000010,00000000,00000000,?,?,COMSPEC,?,00000105,?), ref: 240A7F92
SetNamedPipeHandleState.KERNEL32(?,00000001,00000000,00000000,?,?,00000000,?,00000000,00000000,000000FF,00000010,00000000,00000000,?,?), ref: 240A7FAA
Sleep.KERNEL32(0000000A,?,00000001,00000000,00000000,?,?,00000000,?,00000000,00000000,000000FF,00000010,00000000,00000000,?), ref: 240A7FB1
GetExitCodeProcess.KERNEL32(?,?), ref: 240A7FC1
ReadFile.KERNEL32(?,?,00001000,?,00000000,0000000A,?,00000001,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 240A7FEA
CreateThread.KERNEL32(00000000,00000000,Function_00027D20,00000000,00000000,?), ref: 240A806B
WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,00001000,?,00000000,0000000A,?,00000001,00000000,00000000,?), ref: 240A80B6
WriteFile.KERNEL32(?,240A81C8,00000002,?,00000000,?,00000000,00000000,?,00000000,?,?,00001000,?,00000000,0000000A), ref: 240A80CC
GetExitCodeProcess.KERNEL32(?,00000103), ref: 240A80E8
TerminateProcess.KERNEL32(?,00000000,?,00000103,0000000A,?,00000001,00000000,00000000,?,?,00000000,?,00000000,00000000,000000FF), ref: 240A80FF
CloseHandle.KERNEL32(?,?,00000103,0000000A,?,00000001,00000000,00000000,?,?,00000000,?,00000000,00000000,000000FF,00000010), ref: 240A8108
CloseHandle.KERNEL32(?,?,?,00000103,0000000A,?,00000001,00000000,00000000,?,?,00000000,?,00000000,00000000,000000FF), ref: 240A8111

Strings

shellresposta|shelldesativar|, xrefs: 240A8119
COMSPEC, xrefs: 240A7F53
shellresposta|shellresposta|, xrefs: 240A8035
shellresposta|shellativar|, xrefs: 240A7EA5

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: CreateHandle$CloseProcess$FilePipe$CodeExitThreadWrite$EnvironmentInfoNamedReadSleepStartupStateTerminateVariable
String ID: COMSPEC$shellresposta|shellativar|$shellresposta|shelldesativar|$shellresposta|shellresposta|
API String ID: 3902820650-3990598949
Opcode ID: f5636b779ee32b613e387e981bca1cd34434a788dafeec7144c3e71260d09282
Instruction ID: 3c4046b3107c15dcc3a2ae1fd5d572607c9ad845ae8817f673ae9eba1b90e903
Opcode Fuzzy Hash: f5636b779ee32b613e387e981bca1cd34434a788dafeec7144c3e71260d09282
Instruction Fuzzy Hash: 42814D71A00218AFEB50CBE4CD94FDEB3FCBB58704F5044A5E244F7285EA74AA858F65

Function 2409B7D0 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 300registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000004,?,?,?,00000000,2409BB82,?,?,00000004,00000000,00000000), ref: 2409B8BD
RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 2409B8D3
RegCloseKey.ADVAPI32(?,?,00000000,?,00000000,00000000,00000000,00000004,?,?,?,00000000,2409BB82,?,?,00000004), ref: 2409B8E1
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000002,?,?,?,00000000,2409BB82,?,?,00000004,00000000,00000000), ref: 2409B905
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000002,?,?,?,00000000,2409BB82), ref: 2409B944
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,?,00000000), ref: 2409BA2C
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000004,?,00000004,00000000,00000000,00000000,00000002,?,?,?,00000000,2409BB82), ref: 2409BA67
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000007,00000000,00000000,00000000,00000000,00000000,00000002,?,?,?,00000000,2409BB82), ref: 2409BB28
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000002,?,?,?,00000000,2409BB82,?,?,00000004,00000000,00000000), ref: 2409BB36

Strings

REG_DWORD, xrefs: 2409BA39
REG_BINARY, xrefs: 2409B951
REG_SZ, xrefs: 2409B915
REG_MULTI_SZ, xrefs: 2409BA74
clave, xrefs: 2409B897

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Value$CloseOpen$Create
String ID: REG_BINARY$REG_DWORD$REG_MULTI_SZ$REG_SZ$clave
API String ID: 2929978649-1504967743
Opcode ID: 2cd09e9f94f797a244f1fe718a4b3c6ac7c9d1cf65a6fd542a4c6694a2b79dc0
Instruction ID: e81f782fc1aaf190416c2c2749039070f2d52063cf36124749886d1abde89794
Opcode Fuzzy Hash: 2cd09e9f94f797a244f1fe718a4b3c6ac7c9d1cf65a6fd542a4c6694a2b79dc0
Instruction Fuzzy Hash: 72B1F071A00109AFEB00DBA8DA80A9EB7F9FFA8618F504065E510F7358DBB5DE819B51

Function 2409AD24 Relevance: 24.8, APIs: 4, Strings: 10, Instructions: 273registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,?,00000000,?,00000000,00000001,?,00000000,2409B104), ref: 2409ADF4
RegEnumValueA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,00000001,?,00000000), ref: 2409AE34
RegEnumValueA.ADVAPI32(?,?,00000000,00003FFF,00000000,?,00000000,00003FFF,?,?,00000000,?,00000000,?,00000000,?), ref: 2409AE72

Strings

REG_BINARY, xrefs: 2409AFEB
REG_LINK, xrefs: 2409B027
REG_SZ, xrefs: 2409B054
(Empty), xrefs: 2409AEEE
REG_MULTI_SZ, xrefs: 2409B036
REG_NONE, xrefs: 2409B045
(Default), xrefs: 2409AF9F
REG_DWORD_BIG_ENDIAN, xrefs: 2409B009
REG_DWORD, xrefs: 2409AFFA
REG_EXPAND_SZ, xrefs: 2409B018

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: EnumValue$Open
String ID: (Default)$(Empty)$REG_BINARY$REG_DWORD$REG_DWORD_BIG_ENDIAN$REG_EXPAND_SZ$REG_LINK$REG_MULTI_SZ$REG_NONE$REG_SZ
API String ID: 1214633557-2843546354
Opcode ID: 38117ee3c546fd35aa86a0039f5dd57d0098a737d1b97e35b4f74f4ae6b0593c
Instruction ID: 5b49ce07d2451049c1d1f8a6c77ab4a6e7d94fce958f35691296b21f112929b2
Opcode Fuzzy Hash: 38117ee3c546fd35aa86a0039f5dd57d0098a737d1b97e35b4f74f4ae6b0593c
Instruction Fuzzy Hash: 3DB13870A0020D9FEB11DB95C980AEEB7F8FF98A14F5040A5E504B7248DB75ABC5AF21

Function 24093DDC Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 183COMMON

Download Yara Rule

Strings

BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 24093E5C
BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 24093EB3
BTMemoryLoadLibary: Can't attach library, xrefs: 24093FCD
BTMemoryLoadLibary: dll dos header is not valid, xrefs: 24093E1F
PE, xrefs: 24093E4B
MZ, xrefs: 24093E12
BTMemoryLoadLibary: BuildImportTable failed, xrefs: 24093F7F
BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 24093FAD

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE
API String ID: 0-3631919656
Opcode ID: 15e5f6abdcdb6756bf99c1043dad4c80285c6775397bf1651ba9658ad5b644de
Instruction ID: 289216240eb34a8f4167da81814e237759fe5a9d1cc9530b671d6969e8fc9e0a
Opcode Fuzzy Hash: 15e5f6abdcdb6756bf99c1043dad4c80285c6775397bf1651ba9658ad5b644de
Instruction Fuzzy Hash: 09519471B04205AFEB14CFA9C890F9EB7F5EF98B08F1080A5E604EB395D6B1D9C19B54

Function 240C5928 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 116fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 240C599E

Strings

RECYCLER\, xrefs: 240C5A6C
[autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\, xrefs: 240C59A3
shellexecute=, xrefs: 240C59C4
label=PENDRIVE, xrefs: 240C59E0
icon=shell32.dll,4, xrefs: 240C59BA
RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\, xrefs: 240C595E, 240C59C9, 240C5A03
shell\Open\command=, xrefs: 240C59FE
autorun.inf, xrefs: 240C5A38, 240C5A54
action=Open folder to view files, xrefs: 240C59EA
shell\Open=Open, xrefs: 240C59F4
shell\Open\Default=1, xrefs: 240C5A1A

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: CopyFile
String ID: RECYCLER\$RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$[autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$action=Open folder to view files$autorun.inf$icon=shell32.dll,4$label=PENDRIVE$shell\Open=Open$shell\Open\Default=1$shell\Open\command=$shellexecute=
API String ID: 1304948518-631342129
Opcode ID: ffa449084caf68fc0575dfe4ecd59cd691962d0d0ecbd5a99ebb72fc6baba587
Instruction ID: 998a5d1935fd87c3c22fcd0d861d9e39cdddbe94cc483abb85af5cecddb23af8
Opcode Fuzzy Hash: ffa449084caf68fc0575dfe4ecd59cd691962d0d0ecbd5a99ebb72fc6baba587
Instruction Fuzzy Hash: 5841FE38A00218EBDB04DB95CAD0E9EB7B5EFA9204F604565F401BB25CDB75AF858F50

Function 240C412C Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 58libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,GetModuleHandleA), ref: 240C4145
GetProcAddress.KERNEL32(00000000,kernel32), ref: 240C414B
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 240C415E
GetProcAddress.KERNEL32(00000000,kernel32), ref: 240C4164
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 240C4177
GetProcAddress.KERNEL32(00000000,kernel32), ref: 240C417D

Part of subcall function 240C3EC0: VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,240C3F3E,?,?,?,?,00000000,00000000,00000000), ref: 240C3EFC
Part of subcall function 240C3EC0: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,240C3F3E), ref: 240C3F1E

Part of subcall function 240C3F80: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 240C3FBE
Part of subcall function 240C3F80: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000,00000000,?), ref: 240C3FCE
Part of subcall function 240C3F80: ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF,?,00000000,00000000,00000000,00000000,00000000,?), ref: 240C3FE1

WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 240C41BD
GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 240C41C4

Strings

ExitThread, xrefs: 240C416D
GetProcAddress, xrefs: 240C4154
kernel32, xrefs: 240C4140, 240C4159, 240C4172
GetModuleHandleA, xrefs: 240C413B

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc$MemoryObjectProcessSingleThreadWait$AllocCodeCreateExitReadRemoteVirtualWrite
String ID: ExitThread$GetModuleHandleA$GetProcAddress$kernel32
API String ID: 3826234517-3123223305
Opcode ID: 065595ddbb8c269451b3a1400048cd839ac7ba014836e2c777c98ec77d79c011
Instruction ID: 50078bb15551c26ecce1bda9e6f7d1bd60cdc05c8707f285a490f662121d9c91
Opcode Fuzzy Hash: 065595ddbb8c269451b3a1400048cd839ac7ba014836e2c777c98ec77d79c011
Instruction Fuzzy Hash: F4019670A04310B7E3005EBA8C90B5F76C9AFE1118F90493DB954A7289E971D9844BD5

Function 24092638 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 121fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,.txt,2.6,Spy-Net ,240927EC,?,00000000,240927C7), ref: 240926C4
CloseHandle.KERNEL32(00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,.txt,2.6,Spy-Net ,240927EC,?,00000000,240927C7), ref: 240926CC
CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000003,00000000,00000000,24092850,24092850,?,2409285C,24092850,?,24092844,?,24092844), ref: 24092768
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000,00000000,24092850,24092850,?,2409285C,24092850), ref: 2409277B
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000,00000000), ref: 24092799
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000), ref: 2409279F

Strings

--- , xrefs: 240926FC
2.6, xrefs: 24092689
Spy-Net , xrefs: 24092684
Desktop, xrefs: 24092672
.txt, xrefs: 2409268E

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandle$PointerWrite
String ID: --- $.txt$2.6$Desktop$Spy-Net
API String ID: 2606874340-3792867649
Opcode ID: 31c68e6bf7aa5223e567f134e594133094464feb89fa7096bc7316d360f983b8
Instruction ID: 7721097ac9171d6dc599bd07c3156d98c0fad7212aa971f3c29bf5518d8a071b
Opcode Fuzzy Hash: 31c68e6bf7aa5223e567f134e594133094464feb89fa7096bc7316d360f983b8
Instruction Fuzzy Hash: 30414630540208BBFB01D7A1DE91FDEB7F8AB5CB04F514864B5007A199DA75ABC5AA14

Function 240C2F20 Relevance: 18.3, APIs: 12, Instructions: 346fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 240C2F9F
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,240C337E,?,00000000,240C33AD,?,?,?,?,00000011,00000000), ref: 240C2FFE
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,240C337E,?,00000000,240C33AD,?,?,?,?,00000011,00000000), ref: 240C30A7
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 240C30F1
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,240C337E,?,00000000,240C33AD,?,?,?,?,00000011,00000000), ref: 240C3150
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 240C319A
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,240C337E,?,00000000,240C33AD,?,?,?,?,00000011,00000000), ref: 240C31F9
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 240C3243
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,240C337E,?,00000000,240C33AD,?,?,?,?,00000011,00000000), ref: 240C32A2
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 240C32F2
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 240C3048

Part of subcall function 24086C78: FindFirstFileA.KERNEL32(00000000,?,00000000,24086CD5,?,00000000), ref: 24086CAD
Part of subcall function 24086C78: FindClose.KERNEL32(00000000,00000000,?,00000000,24086CD5,?,00000000), ref: 24086CB8

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,240C337E,?,00000000,240C33AD,?,?,?,?,00000011,00000000), ref: 240C336F

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: File$AttributesCopy$Find$CloseFirst
String ID:
API String ID: 1833752699-0
Opcode ID: 7853e1424e7102555f1f487ab28658d5f14f5bd5c1638d5a18cb4264824208d9
Instruction ID: 4fa53f28c9fba894b8756612d22aebea1911a7e69699207b06c13699f069f998
Opcode Fuzzy Hash: 7853e1424e7102555f1f487ab28658d5f14f5bd5c1638d5a18cb4264824208d9
Instruction Fuzzy Hash: 9BD1F871D1020CDFEB00EBA4DA80ECDB3B9EF68608F504965E504EB618DF74AEC68B54

Function 240AB9E4 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 168registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,?,00000000,?,00000000,00000008,?,00000000,240ABC14,?,?,?,?,00000000,00000000), ref: 240ABA83
RegEnumKeyExA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,00000008,?,00000000), ref: 240ABBDB
RegCloseKey.ADVAPI32(?,?,00000000,00000000,000000FF,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,00000008,?), ref: 240ABBEC

Strings

YYY, xrefs: 240ABB4E
DisplayName, xrefs: 240ABAC0
##@@, xrefs: 240ABB2D, 240ABB49, 240ABB53, 240ABB76, 240ABB80, 240ABB9F, 240ABBA9
NNN, xrefs: 240ABB7B, 240ABBA4
QuietUninstallString, xrefs: 240ABB14
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 240ABAB0, 240ABADA, 240ABB04
UninstallString, xrefs: 240ABAEA

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: ##@@$DisplayName$NNN$QuietUninstallString$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$UninstallString$YYY
API String ID: 1332880857-2804227269
Opcode ID: 3e6f58b0ccb4ac9992d0f4ed39b15089f4d8de9cb593959f8e19afe106bd4c35
Instruction ID: 06957dce8c2b7e62aa0b57f90f8f96a022d21dc5ceff34241f6d22e6a4540dca
Opcode Fuzzy Hash: 3e6f58b0ccb4ac9992d0f4ed39b15089f4d8de9cb593959f8e19afe106bd4c35
Instruction Fuzzy Hash: 89510D30A10119ABEB00DBE5CE90F9EB7F9AF98208F508065E710B7258DEB59EC5CB51

Function 240A72D8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 240A72F4
GlobalAlloc.KERNEL32(00000000,?), ref: 240A73B2
GlobalLock.KERNEL32(00000000), ref: 240A73C2
GetDC.USER32(00000000), ref: 240A73CD
GetDIBits.GDI32(?,?,00000000,?,?,00000000,00000000), ref: 240A73EF
ReleaseDC.USER32(00000000,?), ref: 240A7432
GlobalUnlock.KERNEL32(00000000), ref: 240A7438
GlobalFree.KERNEL32(00000000), ref: 240A743E
DeleteObject.GDI32(?), ref: 240A7452

Strings

BM, xrefs: 240A73A4

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Global$Object$AllocBitsDeleteFreeLockReleaseUnlock
String ID: BM
API String ID: 668871282-2348483157
Opcode ID: 52f038e44cb06f74d970198296bf04649677888f4fe7566735cdae7b2124c70a
Instruction ID: da886f7faebb16b71943e0313f2f6de8e8d47642fa340c3e8799d7416ecbfaec
Opcode Fuzzy Hash: 52f038e44cb06f74d970198296bf04649677888f4fe7566735cdae7b2124c70a
Instruction Fuzzy Hash: 59413F716087019FE304DF65C980A5FF7EAEFD8704F40C929F9989B264DB70E9458B92

Function 240C35C4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

GetSecurityInfo.ADVAPI32(00000000,00000006,00000004,00000000,00000000,00000000,00000000), ref: 240C35E5
LocalFree.KERNEL32(?,00000000,00000006,00000004,00000000,00000000,00000000,00000000), ref: 240C35FA
LocalFree.KERNEL32(00000000,00000000,00000006,00000004,00000000,00000000,00000000,00000000), ref: 240C360B
SetEntriesInAclA.ADVAPI32(00000001,00000000,00000000,?), ref: 240C3651
LocalFree.KERNEL32(?,00000000,00000006,00000004,00000000,00000000), ref: 240C3666
LocalFree.KERNEL32(00000000,00000000,00000006,00000004,00000000,00000000), ref: 240C3677
SetSecurityInfo.ADVAPI32(00000000,00000006,00000004,00000000,00000000,00000002,00000000,00000000,00000006,00000004,00000000,00000000), ref: 240C368C
LocalFree.KERNEL32(?,00000000,00000006,00000004,00000000,00000000,00000002,00000000,00000000,00000006,00000004,00000000,00000000), ref: 240C36A1
LocalFree.KERNEL32(00000000,00000000,00000006,00000004,00000000,00000000,00000002,00000000,00000000,00000006,00000004,00000000,00000000), ref: 240C36B2

Strings

CURRENT_USER, xrefs: 240C363B

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: FreeLocal$InfoSecurity$Entries
String ID: CURRENT_USER
API String ID: 3140748100-382982459
Opcode ID: e9fa44e2a25c1fc6dfe836d5c7a25ee8ee01b4a8c14e3ced5f094fd89ce84dea
Instruction ID: 3e137d98928a75f09a0eaaa73506ca0d4b6e46ca73d357be3f0c6c1c7d1a3526
Opcode Fuzzy Hash: e9fa44e2a25c1fc6dfe836d5c7a25ee8ee01b4a8c14e3ced5f094fd89ce84dea
Instruction Fuzzy Hash: B5310870218300EBE711EFB8C981B9FB7D8AB54758F008829F684DB295D7B5D884DB67

Function 240814F4 Relevance: 16.6, APIs: 9, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

CharNextA.USER32(00000000,?,00000000,00000000,?,24081626,?,?,?,240921A4,00000000,2409223D), ref: 2408152B
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,24081626,?,?,?,240921A4,00000000,2409223D), ref: 24081535
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,24081626,?,?,?,240921A4,00000000,2409223D), ref: 24081552
CharNextA.USER32(00000000,?,00000000,00000000,?,24081626,?,?,?,240921A4,00000000,2409223D), ref: 2408155C
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,24081626,?,?,?,240921A4,00000000,2409223D), ref: 24081585
CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,24081626,?,?,?,240921A4,00000000,2409223D), ref: 2408158F
CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,24081626,?,?,?,240921A4,00000000,2409223D), ref: 240815B3
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,24081626,?,?,?,240921A4,00000000,2409223D), ref: 240815BD

Strings

", xrefs: 24081515
", xrefs: 24081510

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: CharNext
String ID: "$"
API String ID: 3213498283-3758156766
Opcode ID: 23fd1d24e031142f26a8683bf247f7775e887043fd7ae20f3809c26a31b61328
Instruction ID: 2a7580cf94a3b1f690fcb24a4d766c03aa3b84f082599c359518f7a41c053aa8
Opcode Fuzzy Hash: 23fd1d24e031142f26a8683bf247f7775e887043fd7ae20f3809c26a31b61328
Instruction Fuzzy Hash: 9621D689B483949AEB233AB87FC075AABC94F5B054B5414B5D583CF20BD4708DD6C366

Function 2409E9EC Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 146COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000,00000000,2409EBCE), ref: 2409EA5D

Strings

SetMSNStatus, xrefs: 2409EB27
GetContactList, xrefs: 2409EB17
GetCurrentMSNSettings, xrefs: 2409EB47
EnviarStream, xrefs: 2409EB77
Mozilla3_5Password, xrefs: 2409EB07
GetChromePass, xrefs: 2409EB57
GetMSNStatus, xrefs: 2409EB37
StartHttpProxy, xrefs: 2409EB67

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: EnviarStream$GetChromePass$GetContactList$GetCurrentMSNSettings$GetMSNStatus$Mozilla3_5Password$SetMSNStatus$StartHttpProxy
API String ID: 621844428-2405909186
Opcode ID: a404b835e6daed1c6e54f143fa739e04faee319f0e3fa82022cc2a6e47d66ec9
Instruction ID: 7aeb544832a8aa174b72dac62e0a203f76fad5acb1e482e0d5045d069cf2ae14
Opcode Fuzzy Hash: a404b835e6daed1c6e54f143fa739e04faee319f0e3fa82022cc2a6e47d66ec9
Instruction Fuzzy Hash: F3516F70908109EFE701DF65CD90AAFB7F8EB95604B51803AF414F7258D7749EC29BA1

Function 240AD600 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 132libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 240AD15C: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00000001,?,00000000,240AD228), ref: 240AD194
Part of subcall function 240AD15C: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001,?,00000000,240AD228), ref: 240AD1B8
Part of subcall function 240AD15C: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001), ref: 240AD1E2
Part of subcall function 240AD15C: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 240AD1FC

LoadLibraryA.KERNEL32(00000000,SteamDecryptDataForThisMachine,?,00000000,?,?,00000000,240AD7AC,?,00000000,240AD7D9,?,?,?,?,00000000), ref: 240AD75A
GetProcAddress.KERNEL32(00000000,00000000), ref: 240AD760

Strings

/ClientRegistry.Blob, xrefs: 240AD65D
\ClientRegistry.blob, xrefs: 240AD68B
\steam.dll, xrefs: 240AD741
SteamPath, xrefs: 240AD639
Phrase, xrefs: 240AD6F0
SteamDecryptDataForThisMachine, xrefs: 240AD739
Software\Valve\Steam\, xrefs: 240AD63E

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: QueryValue$AddressCloseLibraryLoadOpenProc
String ID: /ClientRegistry.Blob$Phrase$Software\Valve\Steam\$SteamDecryptDataForThisMachine$SteamPath$\ClientRegistry.blob$\steam.dll
API String ID: 2859330212-1198945235
Opcode ID: 81e3233183920edc7a3fa08531ad4fd81e51fae6b971ade367757e38d173e238
Instruction ID: 7ae38cb45c58996a72390d055a66d63363250b439ad522d939a38e7d5562ce51
Opcode Fuzzy Hash: 81e3233183920edc7a3fa08531ad4fd81e51fae6b971ade367757e38d173e238
Instruction Fuzzy Hash: D8416A7460C204DFE708DFE8D9A095EB7AAEB98608F508035F900E7765DA79EDC18F61

Function 2409158C Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 131libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 240915AB
GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 240915BC
FreeLibrary.KERNEL32(00000000,00000000,GlobalMemoryStatusEx,kernel32.dll), ref: 240915C6

Strings

GlobalMemoryStatusEx, xrefs: 240915B6
, xrefs: 240916BC
kernel32.dll, xrefs: 240915A6
@, xrefs: 240915E7

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: $@$GlobalMemoryStatusEx$kernel32.dll
API String ID: 145871493-802862622
Opcode ID: a0695eb459c535077ae548e9e53af9f4d317f643c4b0f1d39f5e896fad453542
Instruction ID: 0a62dbc71523b7759abc2a43412b096d0ff9b925c49cc149a12007e2341b379f
Opcode Fuzzy Hash: a0695eb459c535077ae548e9e53af9f4d317f643c4b0f1d39f5e896fad453542
Instruction Fuzzy Hash: CE516474A08702AFE341CF29C58090FFBE1AFC86A4F54C92DB4A8DB254E634D8819F53

Function 2408180C Relevance: 15.1, APIs: 10, Instructions: 129fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 24081894
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 240818B8
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 240818D4
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 240818F5
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 2408191E
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 2408192C
GetStdHandle.KERNEL32(000000F5), ref: 24081967
GetFileType.KERNEL32(?,000000F5), ref: 2408197D
CloseHandle.KERNEL32(?,?,000000F5), ref: 24081998
GetLastError.KERNEL32(000000F5), ref: 240819B0

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 2b180cf74916ec880ad05251e60469fa9c92f415ef4b61fec18846a6c2b80774
Instruction ID: af6fbe8e4a86e2c2a61c8292de43e810af8be0a8bc1b7036382199afdcfbc581
Opcode Fuzzy Hash: 2b180cf74916ec880ad05251e60469fa9c92f415ef4b61fec18846a6c2b80774
Instruction Fuzzy Hash: BD41D270604701AAF7238F20CB40B667AE5EF407A4F20CE2DD5EA8E5DCE661DDC48756

Function 240ADC10 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 240ADC3D
GetWindow.USER32(00000000,00000005), ref: 240ADC45
GetClassNameA.USER32(00000000,?,00000080), ref: 240ADC5D
GetWindow.USER32(00000000,00000002), ref: 240ADCAE

Part of subcall function 24085948: CharUpperA.USER32(?,00000000,240859BD), ref: 24085986

ShowWindow.USER32(00000000,00000001,Shell_TrayWnd,00000000,00000000,240ADCDA), ref: 240ADC9C
ShowWindow.USER32(00000000,00000000,Shell_TrayWnd,00000000,00000000,240ADCDA), ref: 240ADCA6

Strings

BUTTON, xrefs: 240ADC88
Shell_TrayWnd, xrefs: 240ADC38

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Window$Show$CharClassFindNameUpper
String ID: BUTTON$Shell_TrayWnd
API String ID: 1958926019-3627955571
Opcode ID: 8b0ff85a86fa1f5089cf1b6e499f70e2fdd4066b1450d826fdc76876509912b6
Instruction ID: d7cdf926e69d2dbe9030aa19f0f129eb183b16f5aca2322b7b90c4dab91f8401
Opcode Fuzzy Hash: 8b0ff85a86fa1f5089cf1b6e499f70e2fdd4066b1450d826fdc76876509912b6
Instruction Fuzzy Hash: 1E11E230910639ABE722D7A1CE51B8DB2ABAF55314FC080B0E604E2255EEB09FC54B94

Function 240C4028 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,240C40C6), ref: 240C4057
GetProcAddress.KERNEL32(00000000,kernel32), ref: 240C405D
GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,kernel32,Sleep,00000000,240C40C6), ref: 240C406F
GetProcAddress.KERNEL32(00000000,kernel32), ref: 240C4075

Part of subcall function 240C3EC0: VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,240C3F3E,?,?,?,?,00000000,00000000,00000000), ref: 240C3EFC
Part of subcall function 240C3EC0: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,240C3F3E), ref: 240C3F1E

Part of subcall function 240C3F80: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 240C3FBE
Part of subcall function 240C3F80: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000,00000000,?), ref: 240C3FCE
Part of subcall function 240C3F80: ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF,?,00000000,00000000,00000000,00000000,00000000,?), ref: 240C3FE1

CloseHandle.KERNEL32(00000000,00000000,kernel32,LoadLibraryA,00000000,kernel32,Sleep,00000000,240C40C6), ref: 240C40A9

Strings

LoadLibraryA, xrefs: 240C4065
kernel32, xrefs: 240C4052, 240C406A
Sleep, xrefs: 240C404D

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Handle$AddressMemoryModuleProcProcess$AllocCloseCreateObjectReadRemoteSingleThreadVirtualWaitWrite
String ID: LoadLibraryA$Sleep$kernel32
API String ID: 3487503967-1813742806
Opcode ID: 2b2d56cc8905c56ad5f05eb0f5735a35acf31859ae1d2c3f230f34e9a9b6d08e
Instruction ID: 480790db100d9a47ac929a82d14dfae91a54a773c6c127c5d8faca56f83f83c7
Opcode Fuzzy Hash: 2b2d56cc8905c56ad5f05eb0f5735a35acf31859ae1d2c3f230f34e9a9b6d08e
Instruction Fuzzy Hash: C0019270A40604FFE710EBB5CD90B5EB6E8FF55244BA04964E400E3289EA719E849F55

Function 2409BDD4 Relevance: 13.6, APIs: 9, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32(?,00000000,00000000,00000200,00000000,?,?,00002000,00000000,2409BF43,?,00000000,2409BF60), ref: 2409BE4E
RegSetValueExA.ADVAPI32(?,00000000,00000000,?,?,00002000,?,00000000,00000000,00000200,00000000,?,?,00002000,00000000,2409BF43), ref: 2409BE74
RegDeleteValueA.ADVAPI32(?,00000000,?,00000000,00000000,?,?,00002000,?,00000000,00000000,00000200,00000000,?,?,00002000), ref: 2409BE85
RegEnumKeyExA.ADVAPI32(?,00000000,00000000,00000200,00000000,?,00002000,00000000,?,00000000,00000000,00000200,00000000,?,?,00002000), ref: 2409BEB9
RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 2409BED5
RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 2409BEEE
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,?,?,00000000,00000000,00000200,00000000,?,00002000,00000000), ref: 2409BF08
RegDeleteKeyA.ADVAPI32(?,00000000), ref: 2409BF17
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,?,?,00000000,00000000,00000200,00000000,?,00002000,00000000), ref: 2409BF20

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Value$CloseCreateDeleteEnum
String ID:
API String ID: 925550085-0
Opcode ID: 27bf8121f020eb7f3411d31f37fca5e7f46c6984a8018d078911722d3df7ee77
Instruction ID: fec3bd4944a794073966a9b23eeca109c5e4c5e3a42d2485c6944a08016f6b7e
Opcode Fuzzy Hash: 27bf8121f020eb7f3411d31f37fca5e7f46c6984a8018d078911722d3df7ee77
Instruction Fuzzy Hash: E1410EB1A00209AFEB01DBE9CD90EAFB7FCEF59614F404064F610E7244EB749A459BA0

Function 24093A08 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 149libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000000,24093BD1), ref: 24093A62
IsBadReadPtr.KERNEL32(?,00000014), ref: 24093BA2

Strings

BuildImportTable: GetProcAddress failed, xrefs: 24093B7D
BuildImportTable: can't load library: , xrefs: 24093A8E
BuildImportTable: ReallocMemory failed, xrefs: 24093AD6

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: LibraryLoadRead
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
API String ID: 1452896035-1384308123
Opcode ID: 4c0af039fd6833e171a22ba7bb159c3707043b82e20b8ec8e456feeba6b00052
Instruction ID: a7b9b770106d648b09891defcc64f26ce9ae94d833b3851930893045ed427989
Opcode Fuzzy Hash: 4c0af039fd6833e171a22ba7bb159c3707043b82e20b8ec8e456feeba6b00052
Instruction Fuzzy Hash: 1E515A70A04219AFDB00CBA8C884B8DB7F4BF49718F4085A5E614EB345D7B5EAC0DF91

Function 2409DD70 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 2409DDB0
inet_addr.WS2_32(00000000), ref: 2409DDCF
WSACleanup.WS2_32 ref: 2409DDDD

Strings

127.0.0.1, xrefs: 2409DD8A
localhost, xrefs: 2409DD98

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: CleanupStartupinet_addr
String ID: 127.0.0.1$localhost
API String ID: 4189620951-2339935011
Opcode ID: dcbd08e5f9fa169b99d992ae179d76779de6fc8bb296d15d46536b693c465828
Instruction ID: 23649bf1d0129fa191e7a1232a44a662d607ade8bdc80fd8e4926d9ad4904f61
Opcode Fuzzy Hash: dcbd08e5f9fa169b99d992ae179d76779de6fc8bb296d15d46536b693c465828
Instruction Fuzzy Hash: 9C112B317492055BF700BAF84E90ADE72DC9FACE18B404575E604D7249E9B1EED076D2

Function 240B2DC8 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 268sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000032,?,00000000,240B31F8,?,?,?,?,00000000,00000000), ref: 240B2E74

Part of subcall function 240B2DC8: GetTickCount.KERNEL32 ref: 240B3070

Strings

*.*, xrefs: 240B30F3
.tmp, xrefs: 240B308A
ALL, xrefs: 240B2E39
p2$, xrefs: 240B304E

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: CountSleepTick
String ID: *.*$.tmp$ALL$p2$
API String ID: 2804873075-3928342550
Opcode ID: e2b43b394ed9f13856fdb9805985c26f1fb496d268bda17db7f60f38497ed00e
Instruction ID: 71a9b137e69164ecfebc57fb0d6f625ded1376fcdd2b78547e12fad4fc6116e1
Opcode Fuzzy Hash: e2b43b394ed9f13856fdb9805985c26f1fb496d268bda17db7f60f38497ed00e
Instruction Fuzzy Hash: 99B17330A002199FEB11DB50DD90AEEB3B9EFD5308F6085B5D844A7358DA72EEC58F54

Function 240AF494 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 240AF51F
SetPropA.USER32(?,OBJECT), ref: 240AF532
SetWindowLongA.USER32(?,000000FC,Function_0002F404), ref: 240AF542
SetPropA.USER32(?,WNDPROC,00000000), ref: 240AF551

Strings

WNDPROC, xrefs: 240AF548
OBJECT, xrefs: 240AF529

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: PropWindow$Long
String ID: OBJECT$WNDPROC
API String ID: 109861939-55689305
Opcode ID: 87777fa06dafe0f9eb6d708f20e214870df498e0a4e69fd58e8294ea721fbee4
Instruction ID: bd83e5fbbebe20af2b15a275a6ea5f7727fe44cc01203833ef98e9790901c855
Opcode Fuzzy Hash: 87777fa06dafe0f9eb6d708f20e214870df498e0a4e69fd58e8294ea721fbee4
Instruction Fuzzy Hash: 36317E72A00254AFDB00DFE9CC84D6EB7F9EB4D2147508164BA19EB348DB74ED858FA0

Function 240B2A48 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindowTextA.USER32(?,00000000,00000000), ref: 240B2A8E
IsWindowVisible.USER32(?), ref: 240B2A9E

Strings

*@*@, xrefs: 240B2AFE
2$, xrefs: 240B2B21
2$, xrefs: 240B2AD1

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Window$TextVisible
String ID: *@*@$2$$2$
API String ID: 1670992164-2096466498
Opcode ID: 51233afb7dfc9e220b8ddc65e4ebc32b0ec84b974e6ca0dd454ebcdb605c0746
Instruction ID: 4cc34d3340b6e8fe0cb622241a57c13b2d48b6fad0fba08ed429ddc4c24fcdc7
Opcode Fuzzy Hash: 51233afb7dfc9e220b8ddc65e4ebc32b0ec84b974e6ca0dd454ebcdb605c0746
Instruction Fuzzy Hash: 5F219271A00204FBFB02DEA0CD94F9EB7ADEB98304F508479B540BA158DE76DF859A19

Function 2408757C Relevance: 10.6, APIs: 7, Instructions: 79filetimeCOMMON

Download Yara Rule

APIs

Part of subcall function 24081644: GetSystemTime.KERNEL32(?), ref: 2408164E

CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,24087659), ref: 240875E3
CloseHandle.KERNEL32(00000000,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,24087659), ref: 240875F0
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000003,00000004,00000000,00000000,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000), ref: 24087605
SetFileTime.KERNEL32(00000000,?,?,?,00000000,40000000,00000003,00000000,00000003,00000004,00000000,00000000,00000000,40000000,00000003,00000000), ref: 2408761E
CloseHandle.KERNEL32(00000000,00000000,40000000,00000003,00000000,00000003,00000004,00000000,00000000,00000000,40000000,00000003,00000000,00000003,00000080,00000000), ref: 24087624
SetFileTime.KERNEL32(00000000,?,?,?,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,24087659), ref: 24087638
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,24087659), ref: 2408763E

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: File$CloseHandleTime$Create$System
String ID:
API String ID: 1407650207-0
Opcode ID: 6e6faca18b4a07bafc50e29083063f6a279406abf546a134a9a2ead300da553b
Instruction ID: defe575dc02cb402623c79baea2cacba7077927c404e5911605ef29713e6f20a
Opcode Fuzzy Hash: 6e6faca18b4a07bafc50e29083063f6a279406abf546a134a9a2ead300da553b
Instruction Fuzzy Hash: A521A2B5900608BAF751E7B4DE91F9E73ECEF58218F504561B220E61C9EB74AB808B64

Function 240C352C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll,240C394B,240CB980,?,240C3A12,240C6642,SQLite3.dll,240C67CC,?,logs.dat,240C67CC,?,00000000,00000000,Function_000451BC,00000000), ref: 240C3531
GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 240C3552
GetProcAddress.KERNEL32(00000000,ZwOpenSection), ref: 240C3567

Strings

ntdll.dll, xrefs: 240C352C
RtlInitUnicodeString, xrefs: 240C3547
ZwOpenSection, xrefs: 240C355C

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: RtlInitUnicodeString$ZwOpenSection$ntdll.dll
API String ID: 2238633743-2527063403
Opcode ID: 37c21e1219cea5c1dbaa46dd41b9c3193d6137d2f67d6b2dc3aa1cb10d12af2f
Instruction ID: c664dd39ab4d4f66c659da503431cdc2f5558c5d7b827dfae8ffc6453f335cc2
Opcode Fuzzy Hash: 37c21e1219cea5c1dbaa46dd41b9c3193d6137d2f67d6b2dc3aa1cb10d12af2f
Instruction Fuzzy Hash: 8FE042B1925600EFE700AFB7EB54B4D77E5FB55609B800479F000A7A48D77D85C4AF64

Function 2409B3CC Relevance: 9.2, APIs: 6, Instructions: 202registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020006,?,?,?,?,00000000,2409B63D,?,?,00000003,00000000,00000000), ref: 2409B4CE
RegDeleteKeyA.ADVAPI32(?,00000000), ref: 2409B4F1
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,00000000,00000002,?,?,?,00000000,2409B63D,?,?,00000003,00000000), ref: 2409B615

Part of subcall function 2409A9BC: RegOpenKeyExA.ADVAPI32(00000000,?,00000000,?,00000000,00000008,?,00000000,2409AB1D), ref: 2409AA71
Part of subcall function 2409A9BC: RegEnumKeyExA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,00000008,?,00000000), ref: 2409AAD4
Part of subcall function 2409A9BC: RegCloseKey.ADVAPI32(?,?,00000001,00000000,000000FF,00000000,00000000,00000000,?,?,00000000,00000000,000000FF,00000000,00000000,00000000), ref: 2409AAE1

RegDeleteKeyA.ADVAPI32(?,00000000), ref: 2409B58E
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000002,?,?,?,00000000,2409B63D,?,?,00000003,00000000,00000000), ref: 2409B5F5
RegDeleteValueA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000002,?,?,?,00000000,2409B63D,?,?,00000003,00000000,00000000), ref: 2409B607

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: DeleteOpen$Close$EnumValue
String ID:
API String ID: 1347035672-0
Opcode ID: 583e60665d961682124b60f4dcfa3dd95171d65c95d0a9a66b583e55ca2c5dcc
Instruction ID: d47bf657650219becaf530ef6559b45d625d41199bb922edc9fb0bc8f69896d5
Opcode Fuzzy Hash: 583e60665d961682124b60f4dcfa3dd95171d65c95d0a9a66b583e55ca2c5dcc
Instruction Fuzzy Hash: 55612271A001099BEB00EBB8DE80AEFB7F9FFA8718F504464E514E7358DA75ED849B50

Function 2409BC2C Relevance: 9.1, APIs: 6, Instructions: 138registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,?,00000000,0002001B,?,?,00000000,2409BD96,?,?,?,?,00000000,00000000), ref: 2409BCEF
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00000000,?,00000000,0002001B,?,?,00000000,2409BD96), ref: 2409BD09
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,00000000,00000000,?,00000000), ref: 2409BD2C
RegSetValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,?,?,00000000,?), ref: 2409BD48
RegDeleteValueA.ADVAPI32(?,?,?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,?), ref: 2409BD56
RegCloseKey.ADVAPI32(?,00000000,00000000,?,00000000,0002001B,?,?,00000000,2409BD96,?,?,?,?,00000000,00000000), ref: 2409BD6E

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Value$Query$CloseDeleteOpen
String ID:
API String ID: 2877093821-0
Opcode ID: 7c1902bea89f0d04c9cd822cb9671a9471aa2f89d831d1575e33e155ad22e0b6
Instruction ID: 15e835bab1706bb426aa7ce59afc375d03995a411dcfd43861ad94f495f3a83a
Opcode Fuzzy Hash: 7c1902bea89f0d04c9cd822cb9671a9471aa2f89d831d1575e33e155ad22e0b6
Instruction Fuzzy Hash: 46410375A00118ABEB01DAE4DE80EEFB7FCFF58654F104566F900E7254EA75DE418B60

Function 24087578 Relevance: 9.1, APIs: 6, Instructions: 73filetimeCOMMON

Download Yara Rule

APIs

Part of subcall function 24081644: GetSystemTime.KERNEL32(?), ref: 2408164E

CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,24087659), ref: 240875E3
CloseHandle.KERNEL32(00000000,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,24087659), ref: 240875F0
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000003,00000004,00000000,00000000,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000), ref: 24087605
SetFileTime.KERNEL32(00000000,?,?,?,00000000,40000000,00000003,00000000,00000003,00000004,00000000,00000000,00000000,40000000,00000003,00000000), ref: 2408761E
CloseHandle.KERNEL32(00000000,00000000,40000000,00000003,00000000,00000003,00000004,00000000,00000000,00000000,40000000,00000003,00000000,00000003,00000080,00000000), ref: 24087624
SetFileTime.KERNEL32(00000000,?,?,?,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,24087659), ref: 24087638
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,24087659), ref: 2408763E

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: File$CloseHandleTime$Create$System
String ID:
API String ID: 1407650207-0
Opcode ID: 63501a43027af43f614ad4127fa1e25b5d42fbf61b6743d9f9c404312c26d417
Instruction ID: 08d2463b1c87647f1ffebddce421f61cd15af52b76f7b731561e6e17aa6ea093
Opcode Fuzzy Hash: 63501a43027af43f614ad4127fa1e25b5d42fbf61b6743d9f9c404312c26d417
Instruction Fuzzy Hash: 9911D3B0A00604BEF752A774DE92F9E77ACDF55218F5002A1F210EA5CAEB746B808B14

Function 240ACEFC Relevance: 9.1, APIs: 6, Instructions: 69clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 240ACF15
GetClipboardData.USER32(00000001), ref: 240ACF32
GlobalSize.KERNEL32(00000000), ref: 240ACF52
GlobalLock.KERNEL32(00000000), ref: 240ACF5C
GlobalUnlock.KERNEL32(00000000), ref: 240ACF7D
CloseClipboard.USER32 ref: 240ACFAD

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$CloseDataLockOpenSizeUnlock
String ID:
API String ID: 1964585863-0
Opcode ID: b7e63763716d6febe711de75023821c7665a7f99896b9c68bc00e12aa85193c6
Instruction ID: 397231d076c0b4d2a41ee97938d5943932be0f794765c80450215bbc37a6cab1
Opcode Fuzzy Hash: b7e63763716d6febe711de75023821c7665a7f99896b9c68bc00e12aa85193c6
Instruction Fuzzy Hash: CD11E930908208BFEB01DBF9CD61B5EB7F9EB59314F9244B1E904D3644DA769E40DB60

Function 240C00AC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 160fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 240C0124
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 240C0162
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,.txt,?,?,00000000,240C02D7,?,?,00000000,00000000), ref: 240C016D

Part of subcall function 24092134: InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 240921C0
Part of subcall function 24092134: InternetConnectA.WININET(00000000,00000000,?,00000000,00000000,00000001,08000000,00000000), ref: 240921F8

Part of subcall function 240923C4: FtpOpenFileA.WININET(?,00000000,40000000,00000002,00000000), ref: 24092431
Part of subcall function 240923C4: InternetWriteFile.WININET(00000000,?,00000001,?), ref: 2409248F
Part of subcall function 240923C4: InternetCloseHandle.WININET(00000000), ref: 240924DE

Strings

.txt, xrefs: 240C0138
___, xrefs: 240C01F4

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: FileInternet$Open$AttributesCloseConnectCopyCountHandleTickWrite
String ID: .txt$___
API String ID: 3003208719-4103982732
Opcode ID: 5dfa8de22cbfc580b6aff7469bfcb0a0c10e777afac64a1dfaf2b84f8725ef9b
Instruction ID: 18eb08169823c221048784f302c0c76dabb365d347abb1c5a3a84471ffebf43d
Opcode Fuzzy Hash: 5dfa8de22cbfc580b6aff7469bfcb0a0c10e777afac64a1dfaf2b84f8725ef9b
Instruction Fuzzy Hash: BC511A30A00209EFEB01DFE4CE90F9D77BAEBA8208F514475E540A7259CA79AEC5DF51

Function 240A82AC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710,?,240A84EC,?,240A84EC,?,00000000,240A84A4,?,?,?,?,00000000,00000000), ref: 240A837F
GetTickCount.KERNEL32 ref: 240A83F3
Sleep.KERNEL32(00002710,00000000,240A847A,?,?,240A84EC,?,240A84EC,?,00002710,?,240A84EC,?,240A84EC,?,00000000), ref: 240A8468

Strings

XXXXXXXXXXXXXXXXXXXX, xrefs: 240A82D6
XxX.xXx, xrefs: 240A8306

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Sleep$CountTick
String ID: XXXXXXXXXXXXXXXXXXXX$XxX.xXx
API String ID: 207069750-1553977181
Opcode ID: 19caaf702ff723324f8177038729b826c716f314a3de33f26a98f832d93d6796
Instruction ID: ae41797b65ab05891077b403d3376d4132e26415975e7d24e5b0ff82c51aff3e
Opcode Fuzzy Hash: 19caaf702ff723324f8177038729b826c716f314a3de33f26a98f832d93d6796
Instruction Fuzzy Hash: D7419832A04118EBEF01DBE4CE90A9EB7B5FF94708F518475E600A7258DB35DEC18B99

Function 240AF404 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,WNDPROC), ref: 240AF41C
CallWindowProcA.USER32(00000000,?,?,?,?), ref: 240AF429
GetPropA.USER32(?,OBJECT), ref: 240AF437

Strings

WNDPROC, xrefs: 240AF416
OBJECT, xrefs: 240AF431

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Prop$CallProcWindow
String ID: OBJECT$WNDPROC
API String ID: 1345539330-55689305
Opcode ID: 76e0079f64b9836f4116b145812a56fe7655249bbcd4e090df4ef25165a8cbe7
Instruction ID: 181a9a1b04bf33b57293f3b8d022d6dff573b0f8b5edb37c73b0a3a030b9709a
Opcode Fuzzy Hash: 76e0079f64b9836f4116b145812a56fe7655249bbcd4e090df4ef25165a8cbe7
Instruction Fuzzy Hash: 5C0156B2A00219BB9B00DFE5CD84D9FBBFDEF85250B108165BA45A7214DB30DE40CBB1

Function 240AB624 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

6ED92200.AVICAP32(Video,50000000,00000000,00000000,00000280,000001E0,?,00000001,240B9038,000003E8,000003E8,240BE184,webcamgetbuffer,240BE184,webcam,240BE184), ref: 240AB644
SendMessageA.USER32(?,0000040B,00000000,00000000), ref: 240AB65D
UnregisterClassA.USER32(MainForm,?), ref: 240AB674

Strings

Video, xrefs: 240AB63F
MainForm, xrefs: 240AB66F

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: ClassD92200MessageSendUnregister
String ID: MainForm$Video
API String ID: 3398403615-2964836702
Opcode ID: 6d4ca4c496f57578f9c51d2b9f4f92d15ef8f214937fa8ae7997e4ab0c787c79
Instruction ID: 31e5bb2443cdf2cfaa2c403d23465310631616878277636aaba1f1292687c6a2
Opcode Fuzzy Hash: 6d4ca4c496f57578f9c51d2b9f4f92d15ef8f214937fa8ae7997e4ab0c787c79
Instruction Fuzzy Hash: 53E002B1A84350BFF650DEA5CD9AF5936A8D718B0CFA44420F704BA5D4D6ACA6C08F18

Function 240C4594 Relevance: 7.7, APIs: 5, Instructions: 177memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 240C45EB
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,00002000,00000001), ref: 240C4611
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,00001000,00000004,?,?,00002000,00000001), ref: 240C463B
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,00000002,?,?,?,00001000,00000004,?,?,00002000,00000001), ref: 240C4693
VirtualProtect.KERNEL32(?,?,00000000,?,00000001), ref: 240C4756

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$Protect
String ID:
API String ID: 655996629-0
Opcode ID: 71fd94f1d6dd89743921dfd707dda38dcf47078e3fa1528d19890e204c93d93b
Instruction ID: 4ea02bdc345c46f888c73298efa50483ad1eab6e96d107ae7dba5571ad76b47c
Opcode Fuzzy Hash: 71fd94f1d6dd89743921dfd707dda38dcf47078e3fa1528d19890e204c93d93b
Instruction Fuzzy Hash: DD71CF75A10208EFDB01CFA8C980EAEB7F9FF88314F158165E904EB255D670EE84CB60

Function 240B1FE4 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 152sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,audio,240B22BC,240B22BC,resposta,|Y|,00000000,240B20D2,?,00000000,240B2222,?,00000000,240B2284), ref: 240B20E1

Strings

resposta, xrefs: 240B2085
audiogetbuffer, xrefs: 240B20A4
audio, xrefs: 240B209A
|Y|, xrefs: 240B2080

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: audio$audiogetbuffer$resposta$|Y|
API String ID: 3472027048-441611841
Opcode ID: 418453175a443c245e9e8c8a1688774a02486f28989f9f0e62759e243acdb2a1
Instruction ID: 72abcc6f8586169c1469c914eb67bc7973a5da05e5c86ab304aaa0139346d91d
Opcode Fuzzy Hash: 418453175a443c245e9e8c8a1688774a02486f28989f9f0e62759e243acdb2a1
Instruction Fuzzy Hash: 9F513738A00205EFD301DF64D994AAAB7F0FB6D704B518979FC44AB314E7B999C8CB48

Function 240AADC0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 139sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,240AB060,?,?,240AB060,240CB98C,240AB060,resposta,|Y|,240CB8DC,00000000,240AB027), ref: 240AAECC

Part of subcall function 24092B24: getpeername.WS2_32(?,?), ref: 24092B3B
Part of subcall function 24092B24: inet_ntoa.WS2_32(?), ref: 24092B44

Part of subcall function 24092B58: getpeername.WS2_32(?,?), ref: 24092B6C
Part of subcall function 24092B58: htons.WS2_32(?), ref: 24092B77

Part of subcall function 24092908: socket.WS2_32(00000002,00000001,00000006), ref: 24092959
Part of subcall function 24092908: htons.WS2_32 ref: 24092968
Part of subcall function 24092908: inet_addr.WS2_32(?), ref: 24092975
Part of subcall function 24092908: gethostbyname.WS2_32(?), ref: 240929A2
Part of subcall function 24092908: connect.WS2_32(00000002,00000002,00000010), ref: 240929CD

Sleep.KERNEL32(0000000A,00000000,240AB027), ref: 240AAE54
Sleep.KERNEL32(00000001,00000000,240AAFAD,?,000003E8,240AB060,?,?,240AB060,240CB98C,240AB060,resposta,|Y|,240CB8DC,00000000,240AB027), ref: 240AAF33

Part of subcall function 24092CEC: send.WSOCK32(?,00000000,00000000,00000000,00000000,00000000,24092D4C,?,00000000,240A8FD9,240A9060,240A9054,?,00000000,240A9016), ref: 24092CF8
Part of subcall function 24092CEC: WSAGetLastError.WS2_32(?,00000000,00000000,00000000,00000000,00000000,24092D4C,?,00000000,240A8FD9,240A9060,240A9054,?,00000000,240A9016), ref: 24092D04

Strings

|Y|, xrefs: 240AAE6F
resposta, xrefs: 240AAE74

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Sleep$getpeernamehtons$ErrorLastconnectgethostbynameinet_addrinet_ntoasendsocket
String ID: resposta$|Y|
API String ID: 3039588340-3743483372
Opcode ID: f6028a0d7f37781e80f3babd1c38907dc2bcc6d34c89045be92934f4f0b51d50
Instruction ID: 4c6f5b1c1e77791307a51af83e962bbd36f9a4bb6d363b6c7c1bc29d0cd63443
Opcode Fuzzy Hash: f6028a0d7f37781e80f3babd1c38907dc2bcc6d34c89045be92934f4f0b51d50
Instruction Fuzzy Hash: B7516C70A00228DFEB11DF95CD90ACEB7F5FF59304F4084A5E644AA294DB709ED19F91

Function 24092908 Relevance: 7.6, APIs: 5, Instructions: 92networkCOMMON

Download Yara Rule

APIs

Part of subcall function 24092A38: shutdown.WS2_32(?,00000002), ref: 24092A83
Part of subcall function 24092A38: closesocket.WS2_32(?), ref: 24092AB1

socket.WS2_32(00000002,00000001,00000006), ref: 24092959
htons.WS2_32 ref: 24092968
inet_addr.WS2_32(?), ref: 24092975
gethostbyname.WS2_32(?), ref: 240929A2
connect.WS2_32(00000002,00000002,00000010), ref: 240929CD

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: closesocketconnectgethostbynamehtonsinet_addrshutdownsocket
String ID:
API String ID: 1626636048-0
Opcode ID: 3642ef4c80f895db98b058736c7e7442fc531f55961e66d2d2d515cd1be5f6cd
Instruction ID: 39a387d5771d69be1492c88a8657ab51f14d6ffdb36a2a1e64fd0745c1cee107
Opcode Fuzzy Hash: 3642ef4c80f895db98b058736c7e7442fc531f55961e66d2d2d515cd1be5f6cd
Instruction Fuzzy Hash: 5631B1315043449FEB11CF64DD60A5BBBE8EB0EB14B524CADE800DF255E774DA90EBA1

Function 240C5DD4 Relevance: 7.6, APIs: 5, Instructions: 66sleepCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,240C5EB7), ref: 240C5E37
GetCurrentProcessId.KERNEL32(001F0FFF,00000000,?,00000000,240C5EB7), ref: 240C5E50
CloseHandle.KERNEL32(00000000,001F0FFF,00000000,?,00000000,240C5EB7), ref: 240C5E78
CloseHandle.KERNEL32(00000000,00000000,001F0FFF,00000000,?,00000000,240C5EB7), ref: 240C5E8B
Sleep.KERNEL32(00000064,00000000,00000000,001F0FFF,00000000,?,00000000,240C5EB7), ref: 240C5E92

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$CurrentOpenSleep
String ID:
API String ID: 4261582699-0
Opcode ID: d99f670b8388d24fca246b3e83c3e05724f737e24291141fd26cbc3ddd875358
Instruction ID: f124adc55113cf289ed9643db4eff7313dfe51f4299e53a7792c1510ca69815f
Opcode Fuzzy Hash: d99f670b8388d24fca246b3e83c3e05724f737e24291141fd26cbc3ddd875358
Instruction Fuzzy Hash: 7511BF30600619EBE700DB6ADD80A4FB7EAAF65608F504570A804E7649EF70BEC18A95

Function 24087666 Relevance: 7.6, APIs: 5, Instructions: 63timefileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,24087719), ref: 240876C7
SetFileTime.KERNEL32(00000000,00000000,?,00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,24087719), ref: 240876DC
SetFileTime.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000), ref: 240876EA
SetFileTime.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,40000000,00000001,00000000), ref: 240876F8
CloseHandle.KERNEL32(00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,24087719), ref: 240876FE

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: File$Time$CloseCreateHandle
String ID:
API String ID: 670991709-0
Opcode ID: a519130655b6d95c4d9f5b3718da5a45d2f68339c62413270bc36a0067575381
Instruction ID: 474f47bc4311fff77f062d58bd1f3355e3bb1e74d83aa06a54d8bd86b87c2b2a
Opcode Fuzzy Hash: a519130655b6d95c4d9f5b3718da5a45d2f68339c62413270bc36a0067575381
Instruction Fuzzy Hash: D811A5B4A50704BFF710D774DE92F9EB3ECEB54708F600461B610EA1C9EB74AA808B24

Function 24087668 Relevance: 7.6, APIs: 5, Instructions: 62timefileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,24087719), ref: 240876C7
SetFileTime.KERNEL32(00000000,00000000,?,00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,24087719), ref: 240876DC
SetFileTime.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000), ref: 240876EA
SetFileTime.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,40000000,00000001,00000000), ref: 240876F8
CloseHandle.KERNEL32(00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,24087719), ref: 240876FE

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: File$Time$CloseCreateHandle
String ID:
API String ID: 670991709-0
Opcode ID: 0ff348dce1ccf7c1ffa9716afc15dd2b907dec58a60113d87beeb340d0fe3ea5
Instruction ID: d07e282468f8e98748de2187c5a6b8ba8ea62d2fdcc3bb5d355a2da604dff4cb
Opcode Fuzzy Hash: 0ff348dce1ccf7c1ffa9716afc15dd2b907dec58a60113d87beeb340d0fe3ea5
Instruction Fuzzy Hash: 9211C8B4A50704BFF710D774DE92F9EB3ECEB54708F600461B610EA1C9EB74AA808B24

Function 240A7D20 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 61sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 24092908: socket.WS2_32(00000002,00000001,00000006), ref: 24092959
Part of subcall function 24092908: htons.WS2_32 ref: 24092968
Part of subcall function 24092908: inet_addr.WS2_32(?), ref: 24092975
Part of subcall function 24092908: gethostbyname.WS2_32(?), ref: 240929A2
Part of subcall function 24092908: connect.WS2_32(00000002,00000002,00000010), ref: 240929CD

Sleep.KERNEL32(0000000A,00000000,240A7E17,?,?,?,?,00000000,00000000), ref: 240A7D73
Sleep.KERNEL32(000003E8,0000000A,00000000,240A7E17,?,?,?,?,00000000,00000000), ref: 240A7DBD
Sleep.KERNEL32(0000EA60,000003E8,0000000A,00000000,240A7E17,?,?,?,?,00000000,00000000), ref: 240A7DF5

Strings

|Y|, xrefs: 240A7D84
resposta, xrefs: 240A7D89

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Sleep$connectgethostbynamehtonsinet_addrsocket
String ID: resposta$|Y|
API String ID: 1101491793-3743483372
Opcode ID: 84a2ab28377dd7ba5dadcb1253d604ab3442f10b5a63d6beda17bacdb9a414a2
Instruction ID: 9fe1a575c0b5e28d2a65f93ce4c223c83440f016920e7837adec15606e348feb
Opcode Fuzzy Hash: 84a2ab28377dd7ba5dadcb1253d604ab3442f10b5a63d6beda17bacdb9a414a2
Instruction Fuzzy Hash: A0116D30304658BBE701DBA5CDB0F1E77AAE79DA0CF108435FA00A7668C979FED09A51

Function 2409BFE4 Relevance: 7.6, APIs: 5, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 2409C022
RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 2409C039
RegCloseKey.ADVAPI32(?,?,00000000,?,00000000,2409C081), ref: 2409C051
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,2409C081), ref: 2409C05A
RegDeleteKeyA.ADVAPI32(?,00000000), ref: 2409C061

Part of subcall function 2409BDD4: RegEnumValueA.ADVAPI32(?,00000000,00000000,00000200,00000000,?,?,00002000,00000000,2409BF43,?,00000000,2409BF60), ref: 2409BE4E
Part of subcall function 2409BDD4: RegSetValueExA.ADVAPI32(?,00000000,00000000,?,?,00002000,?,00000000,00000000,00000200,00000000,?,?,00002000,00000000,2409BF43), ref: 2409BE74
Part of subcall function 2409BDD4: RegDeleteValueA.ADVAPI32(?,00000000,?,00000000,00000000,?,?,00002000,?,00000000,00000000,00000200,00000000,?,?,00002000), ref: 2409BE85
Part of subcall function 2409BDD4: RegEnumKeyExA.ADVAPI32(?,00000000,00000000,00000200,00000000,?,00002000,00000000,?,00000000,00000000,00000200,00000000,?,?,00002000), ref: 2409BEB9
Part of subcall function 2409BDD4: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 2409BED5

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Value$CloseCreateDeleteEnum$Open
String ID:
API String ID: 3917402359-0
Opcode ID: 2cfa936f3781f50e30025cdda06e8d1a38946700d607faacb60b6fef6b958f93
Instruction ID: eaa79a23e3a82807ad1dd3d205b30943200442606dee25d4349295ef8581bbec
Opcode Fuzzy Hash: 2cfa936f3781f50e30025cdda06e8d1a38946700d607faacb60b6fef6b958f93
Instruction Fuzzy Hash: 7C115EB1D04218BFEB10DBA8DE80DAFB7FCEF99214F504564B404E3204F635AE808A20

Function 2409E4F8 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 276COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,2409E8B6,?,?,?,?,00000010,00000000,00000000), ref: 2409E51E

Part of subcall function 2409DD70: WSAStartup.WS2_32(00000101,?), ref: 2409DDB0
Part of subcall function 2409DD70: inet_addr.WS2_32(00000000), ref: 2409DDCF
Part of subcall function 2409DD70: WSACleanup.WS2_32 ref: 2409DDDD

Part of subcall function 2409DD70: gethostbyaddr.WS2_32(000000FF,00000004,00000002), ref: 2409DDF1
Part of subcall function 2409DD70: WSACleanup.WS2_32 ref: 2409DE12

Part of subcall function 24083790: SysFreeString.OLEAUT32(?), ref: 240837A3

Part of subcall function 24083778: SysFreeString.OLEAUT32(?), ref: 24083786

Strings

Unknown, xrefs: 2409E60F, 2409E77E
UDP, xrefs: 2409E707
TCP, xrefs: 2409E56E

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: CleanupFreeString$CurrentProcessStartupgethostbyaddrinet_addr
String ID: TCP$UDP$Unknown
API String ID: 3668935989-2456960297
Opcode ID: 1b8aae6a5c1c1070b787d77d1874a8c8f201b08bc2131d869af6fa3b045fb1fc
Instruction ID: 5640acf666d47eac51ecf7c530204bae02fdedf2b58aff29e1517f979918340d
Opcode Fuzzy Hash: 1b8aae6a5c1c1070b787d77d1874a8c8f201b08bc2131d869af6fa3b045fb1fc
Instruction Fuzzy Hash: DAB1E97090010DEBEB10DB94CA90ADEBBFAFF94704F108565E504B7298DA71AEC5EF91

Function 240B3260 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 240B337A

Strings

t2$, xrefs: 240B335A
.tmp, xrefs: 240B3394
*.*, xrefs: 240B32E9, 240B33FD

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: *.*$.tmp$t2$
API String ID: 536389180-2833573020
Opcode ID: e4c2ce4138a1a12d98507f060a2dc6faa79225f874bcfc3b4c416a6f46cecfed
Instruction ID: 69949716a6f8fb7db98a3761da48dc090e199df8a2075524b4a2d37d34985732
Opcode Fuzzy Hash: e4c2ce4138a1a12d98507f060a2dc6faa79225f874bcfc3b4c416a6f46cecfed
Instruction Fuzzy Hash: 1F5182309082189FEB15DB60DD90BDEBBB5EB94304F5080F5D848A3358DB76AEC5CE54

Function 240B06F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142shareCOMMON

Download Yara Rule

APIs

WNetOpenEnumA.MPR(00000002,00000000,00000000,?,?), ref: 240B074D
WNetEnumResourceA.MPR(?,FFFFFFFF,?,00004020), ref: 240B0890
WNetCloseEnum.MPR(?), ref: 240B08AE

Strings

@, xrefs: 240B076F

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Enum$CloseOpenResource
String ID: @
API String ID: 1269649575-2726393805
Opcode ID: e764723832160ce069e0404891016595f1bd0836363b692b315b21e98dab449b
Instruction ID: 155cd0891e7e81360f12465e4c1e72a344a7bfdb02a6bc5145304076e92ad930
Opcode Fuzzy Hash: e764723832160ce069e0404891016595f1bd0836363b692b315b21e98dab449b
Instruction Fuzzy Hash: 9D419FB1A00219AFEB118F55CD80F4EB7B9FB84344F1044E5EFC8B6248D6759BC08E99

Function 240C36D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(240D3704), ref: 240C36E3

Strings

\Device\PhysicalMemory, xrefs: 240C371B

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Version
String ID: \Device\PhysicalMemory
API String ID: 1889659487-2007344781
Opcode ID: 1ba3d8746b2f18273e836e2a24958028e664d4ba8c7bb483cf3c1c02ac976cb3
Instruction ID: e95d14ec48185fe92c14aa6c0d56f5f20cb4b9c0fe6488dcbbbc2907a46db1fd
Opcode Fuzzy Hash: 1ba3d8746b2f18273e836e2a24958028e664d4ba8c7bb483cf3c1c02ac976cb3
Instruction Fuzzy Hash: 6E213CB1664201EFD360CF76DA84F4E7AE9EB08648F108939F505D6640E7BCD5C48F6A

Function 240AB3FC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60threadCOMMON

Download Yara Rule

APIs

Part of subcall function 240815E0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,240921A4,00000000,2409223D,?,?,?,?,00000000,00000000,00000000), ref: 24081604

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 240AB439
GetWindowThreadProcessId.USER32(00000000,?), ref: 240AB43F
OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,240AB4AE), ref: 240AB44F

Part of subcall function 240AB308: VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00003000,00000040), ref: 240AB320
Part of subcall function 240AB308: VirtualProtectEx.KERNEL32(00000000,00000000,00000000,00000040,00000040,00000000,00000000,00000000,00003000,00000040), ref: 240AB331
Part of subcall function 240AB308: WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000040,00000040,00000000,00000000,00000000,00003000,00000040), ref: 240AB33F

Part of subcall function 240AB354: GetModuleHandleA.KERNEL32(00000000), ref: 240AB36C
Part of subcall function 240AB354: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,?,00000000), ref: 240AB396
Part of subcall function 240AB354: VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 240AB3A5
Part of subcall function 240AB354: GetModuleHandleA.KERNEL32(00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 240AB3B8
Part of subcall function 240AB354: WriteProcessMemory.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 240AB3C0
Part of subcall function 240AB354: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 240AB3E1
Part of subcall function 240AB354: CloseHandle.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 240AB3E7

Strings

Shell_TrayWnd, xrefs: 240AB434

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$HandleModule$AllocMemoryThreadWindowWrite$CloseCreateFileFindFreeNameOpenProtectRemote
String ID: Shell_TrayWnd
API String ID: 1977168033-2988720461
Opcode ID: 06e6e90431da5b76e2caccc9960f85bcd6c8ab87150ba096d59ddf79d1dfb919
Instruction ID: 680496e033d8f1ea4a12137a47a84bcf9d3929d6efd683d5628fc716b9fba340
Opcode Fuzzy Hash: 06e6e90431da5b76e2caccc9960f85bcd6c8ab87150ba096d59ddf79d1dfb919
Instruction Fuzzy Hash: D9119171B00218AFEB01DBF4CC90BAEB7B9EF49204F504535A711E7348EA74DE408B54

Function 24086198 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(urlmon.dll,URLDownloadToFileA,00000000,24086200), ref: 240861CD
GetProcAddress.KERNEL32(00000000,urlmon.dll), ref: 240861D3

Strings

URLDownloadToFileA, xrefs: 240861C3
urlmon.dll, xrefs: 240861C8

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: URLDownloadToFileA$urlmon.dll
API String ID: 2574300362-892269089
Opcode ID: a587342a24a95de404dce28bbafcdb1d47d991acbb5f39d8eefea3e77c969e69
Instruction ID: be0ea41c447e3f95023450b2ff8d5a427c325b79569125c10aaf676f098bff0b
Opcode Fuzzy Hash: a587342a24a95de404dce28bbafcdb1d47d991acbb5f39d8eefea3e77c969e69
Instruction Fuzzy Hash: CAF0C270108A44BFE701CBE6DEA0D5E7BFCEF8E61075288E5F404D3215D5346E409BA4

Function 240861A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(urlmon.dll,URLDownloadToFileA,00000000,24086200), ref: 240861CD
GetProcAddress.KERNEL32(00000000,urlmon.dll), ref: 240861D3

Strings

URLDownloadToFileA, xrefs: 240861C3
urlmon.dll, xrefs: 240861C8

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: URLDownloadToFileA$urlmon.dll
API String ID: 2574300362-892269089
Opcode ID: 1468099460f9f41eec5d9e1df6b829a42ec88bba4c907c73f48b39e71511d7fb
Instruction ID: 9760843419c98393fc84559ff1f348817b4acad2c0b4e93da511fd2dc798235b
Opcode Fuzzy Hash: 1468099460f9f41eec5d9e1df6b829a42ec88bba4c907c73f48b39e71511d7fb
Instruction Fuzzy Hash: 28F0B475604A04BFA700CFE6DE90D5FBBEDEF8D61075288A4F504D3204E634AE409AA4

Function 24090B6C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,GetProductInfo,00000000,24090BD9), ref: 24090B9B
GetProcAddress.KERNEL32(00000000,KERNEL32.DLL), ref: 24090BA1

Part of subcall function 2408F870: GetVersionExW.KERNEL32(0000011C), ref: 2408F8DA
Part of subcall function 2408F870: GetVersionExW.KERNEL32(00000094,0000011C), ref: 2408F8F6
Part of subcall function 2408F870: GetSystemInfo.KERNEL32(?,0000011C), ref: 2408F95C

Strings

GetProductInfo, xrefs: 24090B91
KERNEL32.DLL, xrefs: 24090B96

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Version$AddressHandleInfoModuleProcSystem
String ID: GetProductInfo$KERNEL32.DLL
API String ID: 335284197-4189171773
Opcode ID: 810db657c7b5435063e0327c5a93816742960031242e2b398112720f43246ab8
Instruction ID: 7fa071a805053e33b165ffb8766eadb5eb35d23d774ebef24853473e00c0618b
Opcode Fuzzy Hash: 810db657c7b5435063e0327c5a93816742960031242e2b398112720f43246ab8
Instruction Fuzzy Hash: 84F0B4316146089FD701DFB5CEA0D8E7BE8EB99A287900131E801B3658EB35ADC19EA0

Function 240866E4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(shell32.dll,ShellExecuteA,?,?,?,?,2408627C,?,00000000,00000000,00000000,240862A2), ref: 240866FA
GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 24086700

Strings

ShellExecuteA, xrefs: 240866F0
shell32.dll, xrefs: 240866F5

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: ShellExecuteA$shell32.dll
API String ID: 2574300362-4013357483
Opcode ID: 86b1c3049ff82331729c4c084a0d7945fcd14d461b73ade3fc5268db42cfb27c
Instruction ID: 1a4cba0d432d5d595430020046fc1caba1b64c7831f8f0aca64adff6e6520f34
Opcode Fuzzy Hash: 86b1c3049ff82331729c4c084a0d7945fcd14d461b73ade3fc5268db42cfb27c
Instruction Fuzzy Hash: 12E08C722006183B6310DADBAD80EAFBBADDED9AA0710C52AB608C3208D4309D418AF0

Function 24091904 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(AVICAP32.dll,capGetDriverDescriptionA), ref: 2409191A
GetProcAddress.KERNEL32(00000000,AVICAP32.dll), ref: 24091920

Strings

AVICAP32.dll, xrefs: 24091915
capGetDriverDescriptionA, xrefs: 24091910

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: AVICAP32.dll$capGetDriverDescriptionA
API String ID: 2574300362-2465018903
Opcode ID: cb443fcc5683e95ea429eaceaf3e42d439af1b622e1ab7c7de03c5c39d3e736a
Instruction ID: 3b88c927d9c34af702779e40eb70b21a80e2ef941dced256d61f707e85348a22
Opcode Fuzzy Hash: cb443fcc5683e95ea429eaceaf3e42d439af1b622e1ab7c7de03c5c39d3e736a
Instruction Fuzzy Hash: 3FD0C2722005143B6310A5DBAC80C9BAB9DDFE5970300802AB51897109C4308D4196F0

Function 24086E48 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,GetSystemDirectoryA,?,?,24086F52,00000000,24086F93), ref: 24086E58
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 24086E5E

Strings

GetSystemDirectoryA, xrefs: 24086E4E
kernel32.dll, xrefs: 24086E53

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemDirectoryA$kernel32.dll
API String ID: 2574300362-261809815
Opcode ID: afa03a52fadc62cf126cb9df784c5854a436c2c9c81659f156c431aa878d51b9
Instruction ID: e552cdb3c2cc82cbe47c322d06972bc29e5ab341057be491b9f6930263d7f3fc
Opcode Fuzzy Hash: afa03a52fadc62cf126cb9df784c5854a436c2c9c81659f156c431aa878d51b9
Instruction Fuzzy Hash: DFC09B91641A303B772075F6DED4E9F458DCE754673010861B515E3109D5554D8459F0

Function 24086E90 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,GetWindowsDirectoryA,?,?,24086FDE,00000000,2408701F), ref: 24086EA0
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 24086EA6

Strings

kernel32.dll, xrefs: 24086E9B
GetWindowsDirectoryA, xrefs: 24086E96

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetWindowsDirectoryA$kernel32.dll
API String ID: 2574300362-157430550
Opcode ID: 2576f27f95b7c545232153c667ae4b6229afffc2e3f1e2ab892ea3aabb5f9dd2
Instruction ID: ad165a90d513ec477b49c9aafd696f273aa21fdbe02caf4e2b9115b81c4623b6
Opcode Fuzzy Hash: 2576f27f95b7c545232153c667ae4b6229afffc2e3f1e2ab892ea3aabb5f9dd2
Instruction Fuzzy Hash: 6DC09B91551E303B772076F65ED4E9F458DCE6547B30108517514F210D95554D8419F0

Function 240C493C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll,ZwUnmapViewOfSection,?,00000000,240C4A7E,?,?,?,00000004,?,?,00010002), ref: 240C494C
GetProcAddress.KERNEL32(00000000,ntdll.dll), ref: 240C4952

Strings

ntdll.dll, xrefs: 240C4947
ZwUnmapViewOfSection, xrefs: 240C4942

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: ZwUnmapViewOfSection$ntdll.dll
API String ID: 2574300362-452462277
Opcode ID: 201dc8eb16b1d9c59ecfba3f3a059b84e2c2a9ff51e8dbb261888cb1d0dd0537
Instruction ID: d5100be8c530f997de61b22929038440bffd21d35d21b6d055389dc42ac3bc03
Opcode Fuzzy Hash: 201dc8eb16b1d9c59ecfba3f3a059b84e2c2a9ff51e8dbb261888cb1d0dd0537
Instruction Fuzzy Hash: A9C02BD1241A303B3320E1FA6CC0FDF008CDDE406730100113004F200884000D8019F0

Function 24085E80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 11libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(shell32.dll,SHFileOperationA), ref: 24085E8D
GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 24085E93

Strings

shell32.dll, xrefs: 24085E88
SHFileOperationA, xrefs: 24085E83

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SHFileOperationA$shell32.dll
API String ID: 2574300362-1445012119
Opcode ID: f0ff078fdfa81ad6f6ff64c5cacd1a556ded1528ab5b80b700470dc4f5088d75
Instruction ID: 29513d0ef0f736883b0b00c805380371e577bcf8ff92e333702f646d51ce0821
Opcode Fuzzy Hash: f0ff078fdfa81ad6f6ff64c5cacd1a556ded1528ab5b80b700470dc4f5088d75
Instruction Fuzzy Hash: 0FB012F0141B303F771526F29FD0F1F008F5E7401738004003000F100DC9245AC42C71

Function 240B2750 Relevance: 6.1, APIs: 4, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4,00000000,240B2867,?,?,?,?,00000000,00000000), ref: 240B2777
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013,240B288C,240B288C,240B288C,240B2880,?,000001F4,00000000,240B2867), ref: 240B2814
GetForegroundWindow.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013,240B288C,240B288C,240B288C,240B2880,?,000001F4,00000000,240B2867), ref: 240B2819
SetForegroundWindow.USER32(?), ref: 240B2828

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Window$Foreground$Sleep
String ID:
API String ID: 1564942233-0
Opcode ID: f2f447f7d27fb4a063de258b76bf4d8a7fcf39029a08d1de756ec2811d51672e
Instruction ID: 068297def6d2b3760846d78dcb816023847c8fd71ec8d6c5028b7cb91c444080
Opcode Fuzzy Hash: f2f447f7d27fb4a063de258b76bf4d8a7fcf39029a08d1de756ec2811d51672e
Instruction Fuzzy Hash: 8521FE35601210EFFB01CF95C994F59BBE5EB59304F604274FA80AF298CBB4A9C4CB89

Function 240AD15C Relevance: 6.1, APIs: 4, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00000001,?,00000000,240AD228), ref: 240AD194
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001,?,00000000,240AD228), ref: 240AD1B8
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001), ref: 240AD1E2
RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 240AD1FC

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 5db29a71017a4797132414fba1ffc631d4e064b0cc49f7577cd84863d828ecfc
Instruction ID: f15a97948fa6c889147bec58d2629a165401338040125b47f1601ca2b6eb3449
Opcode Fuzzy Hash: 5db29a71017a4797132414fba1ffc631d4e064b0cc49f7577cd84863d828ecfc
Instruction Fuzzy Hash: 882129B5A00148AFEB00DBE9DE81EEFF7FDEF99644F500465B504E7244EA719E408B61

Function 240B3C7C Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 72COMMON

Download Yara Rule

Strings

2$, xrefs: 240B3D18
2$, xrefs: 240B3C87
t2$, xrefs: 240B3CBF

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: t2$$2$$2$
API String ID: 536389180-1677347215
Opcode ID: ad62d1b2d851e3dd929fdc3c8920d76bf388a7da23e08ca1306fea3edc36f5d0
Instruction ID: 024d26aec119e63264e4d1abb18bf2fdcc44bb21fd6a0d755a9c996f7be0df3a
Opcode Fuzzy Hash: ad62d1b2d851e3dd929fdc3c8920d76bf388a7da23e08ca1306fea3edc36f5d0
Instruction Fuzzy Hash: AB218730B04108EFEB01DB94D991B9EB3E5EBD4708F708275A440A7348CAF1EEC58659

Function 2409435C Relevance: 6.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 240943BC
VirtualFree.KERNEL32(?,00000000,00008000), ref: 240943E5
GetProcessHeap.KERNEL32(00000000,?), ref: 240943EF
HeapFree.KERNEL32(00000000,00000000,?), ref: 240943F5

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Free$Heap$LibraryProcessVirtual
String ID:
API String ID: 548792435-0
Opcode ID: e397ac280746f29899e15f16e5528460aafa8f579bd66a3a500ee80fa3434e0e
Instruction ID: 0d3d2874e07445a8b23b884448ac5a09d48207ac3d6f7ff082850ce5a37500e9
Opcode Fuzzy Hash: e397ac280746f29899e15f16e5528460aafa8f579bd66a3a500ee80fa3434e0e
Instruction Fuzzy Hash: 17118471A042149FEB10CF68C8C0B0ABBE8EF54724F248195ED18EB285D770ED90DBA0

Function 240B1684 Relevance: 6.1, APIs: 4, Instructions: 59registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(24080000,240B15A0,?), ref: 240B16A5
UnregisterClassA.USER32(240B15A0,24080000), ref: 240B16CE
RegisterClassA.USER32(240CAA5C), ref: 240B16D8
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 240B1723

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 6143290883a634a922ed70b13b6e8e050332cf149ce851a3f0c23cc92d443a86
Instruction ID: be163cbbbb7cffabc85509210853656e0eea88640b02ca9806cbfac86abd37a6
Opcode Fuzzy Hash: 6143290883a634a922ed70b13b6e8e050332cf149ce851a3f0c23cc92d443a86
Instruction Fuzzy Hash: 3001A171604204EBDB00DE69DD80F5E33A9E71820CF208230F954FB284DA39DDC08B54

Function 240C3B80 Relevance: 6.1, APIs: 4, Instructions: 59registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(24080000,240C3AB0,?), ref: 240C3BA1
UnregisterClassA.USER32(240C3AB0,24080000), ref: 240C3BCA
RegisterClassA.USER32(240CAAC4), ref: 240C3BD4
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 240C3C1F

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: d77af03b3061eb8ca3272bc9f01eaab0c0105a6aad18e759fccd2fed7d0c25f8
Instruction ID: 62b1ce26e90a5d3815a5fd726919166950108f0270f6cd0e94adc0ddf0f65947
Opcode Fuzzy Hash: d77af03b3061eb8ca3272bc9f01eaab0c0105a6aad18e759fccd2fed7d0c25f8
Instruction Fuzzy Hash: 24014071A14204EBEB40DEA8CD80F9E77A9E71D21DF508221FA14F7284DA7ED8D58B64

Function 24086DA0 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,24086E3A), ref: 24086DE6
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,24086E3A), ref: 24086DFE
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,24086E3A), ref: 24086E14
CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,24086E3A), ref: 24086E1A

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: 2fcf1791df4547d8dda3cf7f4c5e1219e36f7f43c5f21bbb9450f0429401da83
Instruction ID: de56b5ad2ee08ff546e319ee7d768b1a435e0afc0e280d7e4a876c1baca26b98
Opcode Fuzzy Hash: 2fcf1791df4547d8dda3cf7f4c5e1219e36f7f43c5f21bbb9450f0429401da83
Instruction Fuzzy Hash: EF11F9706007047EF710D7B4DE92F9EB6ECDB55B28F610571F510F61C5DAB16E808554

Function 240C219C Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000003,00000000,00000000,00000000,240C2231), ref: 240C21E2
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000,00000000,00000000,240C2231), ref: 240C21F5
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000,00000000), ref: 240C220B
CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000), ref: 240C2211

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: 3333dc8f723303d6199c4a1d78ca5ec83855d69510a2a9050b20ce6c2ae90ee0
Instruction ID: dd8baee9be185fc324ac02581c870e9e4eee3ae01d5990484cf7897c3f1c8590
Opcode Fuzzy Hash: 3333dc8f723303d6199c4a1d78ca5ec83855d69510a2a9050b20ce6c2ae90ee0
Instruction Fuzzy Hash: 220128B0A00304BFF710D774DD92F5EB6ECDB98B18F600570B500F65D5DAB1AE808514

Function 24085DF8 Relevance: 6.0, APIs: 4, Instructions: 39timefileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(?,?), ref: 24085E08
GetLastError.KERNEL32(?,?), ref: 24085E11
FileTimeToLocalFileTime.KERNEL32(?), ref: 24085E25
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 24085E34

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: FileTime$DateErrorFindLastLocalNext
String ID:
API String ID: 2103556486-0
Opcode ID: 35ee4c87c0733f378fda42a6ee83e5f4e77b0bc598ce5457ab0990d3e22c7572
Instruction ID: a8a69a9edf18aa12e55a597b116aea47e37760be6fe743169c72cf6f8c60e256
Opcode Fuzzy Hash: 35ee4c87c0733f378fda42a6ee83e5f4e77b0bc598ce5457ab0990d3e22c7572
Instruction Fuzzy Hash: A1F037B62042009FDB08CFA4CAC1C8B33ECAF5822470489A6AD14CF24FF634E594CBA1

Function 240A8260 Relevance: 6.0, APIs: 4, Instructions: 25windowsleepCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 240A826F
TranslateMessage.USER32 ref: 240A8281
DispatchMessageA.USER32 ref: 240A8287
Sleep.KERNEL32(00000014,?,00000000,00000000,00000000,00000001,?,00000000,240A82A2), ref: 240A828E

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Message$DispatchPeekSleepTranslate
String ID:
API String ID: 3768732053-0
Opcode ID: e0efee013de51039d0e7354980530cf19b861c011bd827873c97cf82d2cc744c
Instruction ID: f37470e6b45f03e9db647a18076d76271d8d7041e2e642230dc4a2d10df04929
Opcode Fuzzy Hash: e0efee013de51039d0e7354980530cf19b861c011bd827873c97cf82d2cc744c
Instruction Fuzzy Hash: 08E01732382B3039FB6166E41E82FEE668A4F62A8EF544135F301AA1C4CA91598043ED

Function 24085AC8 Relevance: 6.0, APIs: 4, Instructions: 25windowsleepCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 24085AD7
TranslateMessage.USER32 ref: 24085AE9
DispatchMessageA.USER32 ref: 24085AEF
Sleep.KERNEL32(00000001,?,00000000,24085B0A), ref: 24085AF6

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Message$DispatchPeekSleepTranslate
String ID:
API String ID: 3768732053-0
Opcode ID: dfb7a78da4aa2ebe70cdd1689e7c55d7b7e07aafa8ff7ae68d9c62b42834ab5f
Instruction ID: 5d5d1bc8b862d8d9543ec7678fb855b39dc6b6a22f48251e14d167e2ba94bc67
Opcode Fuzzy Hash: dfb7a78da4aa2ebe70cdd1689e7c55d7b7e07aafa8ff7ae68d9c62b42834ab5f
Instruction Fuzzy Hash: 7DE0173138372039FB2196A41EC2FDE628A4F22A8EF504135B201BA1C4CAC5598082A9

Function 2408548A Relevance: 6.0, APIs: 4, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 2408548F
GlobalUnlock.KERNEL32(00000000), ref: 24085496
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 2408549B
GlobalLock.KERNEL32(00000000), ref: 240854A1

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Global$AllocHandleLockUnlock
String ID:
API String ID: 2167344118-0
Opcode ID: 505157e451beb4b904f6f62bc6a33cc31f1955a287db27c020f03c767c2bc075
Instruction ID: f3d77df0c2e496a6fcd5ea418385657e489c23666ad14941b0d8c481d81ca8a2
Opcode Fuzzy Hash: 505157e451beb4b904f6f62bc6a33cc31f1955a287db27c020f03c767c2bc075
Instruction Fuzzy Hash: 94B002C49907043DBB142BF44E19D3F009E9FB450979449543400D2008E8699C9868B1

Function 240B3548 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 240B3671

Strings

*.*, xrefs: 240B371C
.tmp, xrefs: 240B368B

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: *.*$.tmp
API String ID: 536389180-2468557045
Opcode ID: de9adf5a8c67aa8b87284ae6492263ecaffd55852226da47c42eb16656d9e841
Instruction ID: e4f2d9a049262886a8ee89fd89852fcc2e5efd0003ad477d028c6d0f29151e28
Opcode Fuzzy Hash: de9adf5a8c67aa8b87284ae6492263ecaffd55852226da47c42eb16656d9e841
Instruction Fuzzy Hash: 15718F30A042189FEB21CF61DD90ADEBBB9EB99304FA080F5D848A2754DB719EC5CE54

Function 240B0224 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108threadCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 240B024A
GetWindowThreadProcessId.USER32(?,FFFFFFFF), ref: 240B0263

Strings

#|#, xrefs: 240B029A, 240B02C9, 240B02F1, 240B0321

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Window$ProcessThread
String ID: #|#
API String ID: 3635926707-3836175907
Opcode ID: 7c2e28b80d42533c65be406909771878f1cf0b2c9102a72ef09598382d0faeed
Instruction ID: 3da95508d8a54926560a791c1728fcf8c4816282569002b0feb2b91beb0a5adf
Opcode Fuzzy Hash: 7c2e28b80d42533c65be406909771878f1cf0b2c9102a72ef09598382d0faeed
Instruction Fuzzy Hash: D9318470600208AFFB05DBA4CA94DAEB3BDEFD8704F508575E80093744EA719E818A64

Function 24093CEC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 24093D26
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 24093D80

Strings

FinalizeSections: VirtualProtect failed, xrefs: 24093D8E

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: Virtual$FreeProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 2581862158-3584865983
Opcode ID: 6d98d515a9b3b5d66b6c25b9fdd88f33975f4f966a11bfc609c54d7f3f669307
Instruction ID: c53bbe0c7f358239feba0cda537ce555d7aa01f8bf0656b723b3048b7c8c9c13
Opcode Fuzzy Hash: 6d98d515a9b3b5d66b6c25b9fdd88f33975f4f966a11bfc609c54d7f3f669307
Instruction Fuzzy Hash: D2213B76702200AFE700CF59E9D4F4A7BE8AF5DA94B094151FE48CB355D2B0ED809B51

Function 240A79F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 240A7A4F
DeleteFileA.KERNEL32(00000000,.bmp,?,?,00000000,240A7AB6), ref: 240A7A7C

Strings

.bmp, xrefs: 240A7A63

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: CountDeleteFileTick
String ID: .bmp
API String ID: 3334397753-2863430793
Opcode ID: 67f4afa7c1725baa1bfbe1eb6f18927d8f99b99a6ff45f6c0c3d1af988224397
Instruction ID: f374b8a90a25705b82f7fc8759f17840ad165932724709fd068315481b825467
Opcode Fuzzy Hash: 67f4afa7c1725baa1bfbe1eb6f18927d8f99b99a6ff45f6c0c3d1af988224397
Instruction Fuzzy Hash: 21119330900118AFEB00DFE4DD90A9EB7B9EFA8304F508479E414A7358DB71AF819E50

Function 24092BF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,4004667F), ref: 24092C0D

Part of subcall function 24092A38: shutdown.WS2_32(?,00000002), ref: 24092A83
Part of subcall function 24092A38: closesocket.WS2_32(?), ref: 24092AB1

WSAGetLastError.WS2_32(?,00000000,?,00000000,?,?,00000000,?,24092CBD,?,?,240A964C,00000000,240AA33B), ref: 24092C52

Strings

3', xrefs: 24092C5A

Memory Dump Source

Source File: 00000008.00000002.2518814760.0000000024080000.00000040.00000400.00020000.00000000.sdmp, Offset: 24080000, based on PE: true

Associated: 00000008.00000002.2518814760.00000000240D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2518814760.00000000240DB000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_24080000_explorer.jbxd

Yara matches

Similarity

API ID: ErrorLastclosesocketioctlsocketshutdown
String ID: 3'
API String ID: 3350378930-280543908
Opcode ID: 05f746042fd6d8ccc1c87317fa8887e6a4e8be7e0c9f5f1f579b0408e8897943
Instruction ID: 0447beb9d20b2e9efb65ad6154d49a664647d369ca6b37fded5f85e8ce1fa81a
Opcode Fuzzy Hash: 05f746042fd6d8ccc1c87317fa8887e6a4e8be7e0c9f5f1f579b0408e8897943
Instruction Fuzzy Hash: 920184F52192009BD3107E399C84A4F66D8AB5DB74F114E3CB1E4DF295D634C8C1A792

Analysis Process: 3ClBcOpPUX.exePID: 7304, Parent PID: 6412COMMON

Execution Graph

Execution Coverage:	7%
Dynamic/Decrypted Code Coverage:	11.2%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	16

Executed Functions

Function 24136188 Relevance: 56.4, APIs: 19, Strings: 13, Instructions: 394
registrysleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,241437BC,2413B980,2413B97C,00000000,24136746,?,?,?,00000000,00000000), ref: 241362AC
RegDeleteKeyA.ADVAPI32(?,00000000), ref: 241362C4
RegCloseKey.ADVAPI32(?,?,00000000,80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,241437BC,2413B980,2413B97C,00000000,24136746,?,?,?,00000000), ref: 241362CF
GetLastError.KERNEL32(00000000,00000000,00000000,2413B980,2413B97C,00000000,24136746,?,?,?,00000000,00000000), ref: 2413630D
CloseHandle.KERNEL32(000003BC,00000000,00000000,00000000,2413B980,2413B97C,00000000,24136746,?,?,?,00000000,00000000), ref: 24136321
DeleteFileA.KERNEL32(00000000,2413B980,2413B97C,00000000,24136746,?,?,?,00000000,00000000), ref: 2413633D

Part of subcall function 240F4F18: CreateMutexA.KERNEL32(?,?,?,?,24118D32,00000000,00000000,00000000,00000000,?,00001388,?,24118DFC,?,24118DFC,?), ref: 240F4F2E

GetLastError.KERNEL32(00000000,00000000,00000000,00000000,2413B980,2413B97C,00000000,24136746,?,?,?,00000000,00000000), ref: 24136360
ExitProcess.KERNEL32(00000000,00000000,00000000,00000000,00000000,2413B980,2413B97C,00000000,24136746,?,?,?,00000000,00000000), ref: 2413636E
CreateThread.KERNEL32(00000000,00000000,Function_00044C04,00000000,00000000,241437B8), ref: 24136385
CreateThread.KERNEL32(00000000,00000000,Function_000451BC,00000000,00000000,241437B8), ref: 2413639C
GetCurrentProcessId.KERNEL32(00000000,00000000,Function_000451BC,00000000,00000000,241437B8,00000000,00000000,Function_00044C04,00000000,00000000,241437B8,00000000,00000000,00000000,00000000), ref: 24136413
SetFileAttributesA.KERNEL32(00000000,00000080,?,logs.dat,241367CC,?,00000000,00000000,Function_000451BC,00000000,00000000,241437B8,00000000,00000000,Function_00044C04,00000000), ref: 24136570

Part of subcall function 240F7668: CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,240F7719), ref: 240F76C7
Part of subcall function 240F7668: SetFileTime.KERNEL32(00000000,00000000,?,00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,240F7719), ref: 240F76DC
Part of subcall function 240F7668: SetFileTime.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000), ref: 240F76EA
Part of subcall function 240F7668: SetFileTime.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,40000000,00000001,00000000), ref: 240F76F8
Part of subcall function 240F7668: CloseHandle.KERNEL32(00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,240F7719), ref: 240F76FE

GetCurrentProcessId.KERNEL32(SQLite3.dll,241367CC,?,logs.dat,241367CC,?,00000000,00000000,Function_000451BC,00000000,00000000,241437B8,00000000,00000000,Function_00044C04,00000000), ref: 24136642
SetFileAttributesA.KERNEL32(00000000,00000002,00000000,00000080,?,logs.dat,241367CC,?,00000000,00000000,Function_000451BC,00000000,00000000,241437B8,00000000,00000000), ref: 24136590

Part of subcall function 240F78C8: CreateThread.KERNEL32(00000000,00000000,24124A34,00000000,00000000), ref: 240F78D6
Part of subcall function 240F78C8: SetThreadPriority.KERNEL32(00000000,00000000,00000000,?,?,24118CF6,24118E4C,24118E40,2413B8DC,0000000A,00000064,?,00001388,?,24118DFC,?), ref: 240F78DF

Sleep.KERNEL32(000003E8,00000001,00000000,00000000,00000000,00000000,_x_X_PASSWORDLIST_X_x_,SQLite3.dll,241367CC,?,logs.dat,241367CC,?,00000000,00000000,Function_000451BC), ref: 241366EB
CloseHandle.KERNEL32(00000000,000003E8,00000001,00000000,00000000,00000000,00000000,_x_X_PASSWORDLIST_X_x_,SQLite3.dll,241367CC,?,logs.dat,241367CC,?,00000000,00000000), ref: 241366F1
CloseHandle.KERNEL32(000003BC,00000000,00000000,_x_X_PASSWORDLIST_X_x_,SQLite3.dll,241367CC,?,logs.dat,241367CC,?,00000000,00000000,Function_000451BC,00000000,00000000,241437B8), ref: 2413670F
CloseHandle.KERNEL32(00000000,000003BC,00000000,00000000,_x_X_PASSWORDLIST_X_x_,SQLite3.dll,241367CC,?,logs.dat,241367CC,?,00000000,00000000,Function_000451BC,00000000,00000000), ref: 2413671C
Sleep.KERNEL32(00002EE0,00000000,000003BC,00000000,00000000,_x_X_PASSWORDLIST_X_x_,SQLite3.dll,241367CC,?,logs.dat,241367CC,?,00000000,00000000,Function_000451BC,00000000), ref: 24136726

Strings

_PERSIST, xrefs: 241362E9
open, xrefs: 241366D5
Software\Microsoft\Active Setup\Installed Components\, xrefs: 241362A2
njkvenknvjebcddlaknvfdvjkfdskv, xrefs: 24136457, 241364FC
[LogFile], xrefs: 2413645C
XX--XX--XX.txt, xrefs: 241361C7
SQLite3.dll, xrefs: 2413661F
logs.dat, xrefs: 24136432
SPY_NET_RATMUTEX, xrefs: 2413666B
_x_X_PASSWORDLIST_X_x_, xrefs: 241366AB
PIDprocess, xrefs: 24136657
SOFTWARE\Microsoft\, xrefs: 2413665C
####, xrefs: 24136478, 241364DD, 24136521

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: File$Close$CreateHandle$Thread$ProcessTime$AttributesCurrentDeleteErrorLastSleep$ExitMutexOpenPriority
String ID: ####$PIDprocess$SOFTWARE\Microsoft\$SPY_NET_RATMUTEX$SQLite3.dll$Software\Microsoft\Active Setup\Installed Components\$XX--XX--XX.txt$[LogFile]$_PERSIST$_x_X_PASSWORDLIST_X_x_$logs.dat$njkvenknvjebcddlaknvfdvjkfdskv$open
API String ID: 2216801884-1096289745
Opcode ID: b9db85d793d2e714cb889c9869c8a7581e65bf8d2b3649365f2cacd3f2a07e8b
Instruction ID: c0784e3e509f459fe518fdfbfe76ac423c1293f81d421c2ecbb3126ac2c74c50
Opcode Fuzzy Hash: b9db85d793d2e714cb889c9869c8a7581e65bf8d2b3649365f2cacd3f2a07e8b
Instruction Fuzzy Hash: F4E16A707042049BE715EBA9CCC0B4D7BE6EBA5A48F524470F544BB398CEB8EE858B51

Function 240F47A8 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 240F47C4
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 240F47E2
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 240F4800
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 240F481E
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,240F48AD,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 240F4867
RegQueryValueExA.ADVAPI32(?,240F4A14,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,240F48AD,?,80000001), ref: 240F4885
RegCloseKey.ADVAPI32(?,240F48B4,00000000,00000000,00000005,00000000,240F48AD,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 240F48A7
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 240F48C4
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 240F48D1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 240F48D7
lstrlen.KERNEL32(00000000), ref: 240F4902
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 240F4949
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 240F4959
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 240F4981
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 240F4991
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 240F49B7
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 240F49C7

Strings

Software\Borland\Locales, xrefs: 240F47D8, 240F47F6
., xrefs: 240F4914
Software\Borland\Delphi\Locales, xrefs: 240F4814

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-3917250287
Opcode ID: f0d95c9899d3809427cc99b5fc07e0407ecbb365a177b5810f1df30185dacb1c
Instruction ID: c67c050267413d564b7aaacf99b1cd5250204466ba31dd0fe85d7c877ffc0f42
Opcode Fuzzy Hash: f0d95c9899d3809427cc99b5fc07e0407ecbb365a177b5810f1df30185dacb1c
Instruction Fuzzy Hash: 0B517275A0425D7AFB12C6E48C85FEF7BECAB14744F4201B1AB04E6185EE749FD48BA0

Function 240F5B30 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00000094), ref: 240F5B4D
GetCurrentProcess.KERNEL32(00000020,?,00000000,240F5BF5,?,00000094), ref: 240F5B73
OpenProcessToken.ADVAPI32(00000000,00000020,?,00000000,240F5BF5,?,00000094), ref: 240F5B79
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 240F5B8C
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000000,00000020,?,00000000,240F5BF5,?,00000094), ref: 240F5BB6
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,?,?,00000000,00000001,00000000,00000000,?,00000000,00000020,?,00000000), ref: 240F5BDD
CloseHandle.KERNEL32(?,?,00000000,00000001,00000000,00000000,?,?,00000000,00000001,00000000,00000000,?,00000000,00000020,?), ref: 240F5BE6

Strings

SeDebugPrivilege, xrefs: 240F5B85

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Token$AdjustPrivilegesProcess$CloseCurrentHandleLookupOpenPrivilegeValueVersion
String ID: SeDebugPrivilege
API String ID: 3222167619-2896544425
Opcode ID: 7b58dac96864cd444394ee72853ab272b974618b9e7a0277b18eff88761772da
Instruction ID: fa8dca543fc19d8f53f656879f894f2bf4d7d6baf8d57cecacd2c66c0fff779f
Opcode Fuzzy Hash: 7b58dac96864cd444394ee72853ab272b974618b9e7a0277b18eff88761772da
Instruction Fuzzy Hash: D22130B1A10208BEFB10CBE5DD45FEFBBFCEB14704F1244B5EA04E6181DA755A848BA1

Function 240F5C1C Relevance: 6.0, APIs: 4, Instructions: 37nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,?,2413B980,?,2413641D,00000000,00000000,Function_000451BC,00000000,00000000,241437B8,00000000,00000000,Function_00044C04), ref: 240F5C29
NtQueryInformationProcess.NTDLL(00000000,00000016,?,00000004,00000000), ref: 240F5C40
NtSetInformationProcess.NTDLL(00000000,00000016,?,00000004), ref: 240F5C5E
CloseHandle.KERNEL32(00000000,001F0FFF,00000000,00000000,?,2413B980,?,2413641D,00000000,00000000,Function_000451BC,00000000,00000000,241437B8,00000000,00000000), ref: 240F5C6C

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Process$Information$CloseHandleOpenQuery
String ID:
API String ID: 1636144130-0
Opcode ID: 8b0411576a1d48e6dbe04b4ade3104a22fdf87d3cfc7ab914bc7621fac0affc4
Instruction ID: 54cbae652a2b4ed1eed699a3ee30181d7857be5232bb49685b40fa20ead66683
Opcode Fuzzy Hash: 8b0411576a1d48e6dbe04b4ade3104a22fdf87d3cfc7ab914bc7621fac0affc4
Instruction Fuzzy Hash: 42F0E5723863143EF33159505C82FAF368CDF55BA8F030539FB40D60C2CA549AD942E6

Function 240F6C78 Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,240F6CD5,?,2413B97C,?,240F6662,00000000,240F66D3,?,?,?,2413B97C), ref: 240F6CAD
FindClose.KERNEL32(00000000,00000000,?,00000000,240F6CD5,?,2413B97C,?,240F6662,00000000,240F66D3,?,?,?,2413B97C), ref: 240F6CB8

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6b138c2800e3a2975a57462c0c379afc8971a2a0e60a38bf8654bc5f6f371c6
Instruction ID: 13b09dbf706280a62356818e597d74e640b31d74985c563a068d0f9b37af591c
Opcode Fuzzy Hash: c6b138c2800e3a2975a57462c0c379afc8971a2a0e60a38bf8654bc5f6f371c6
Instruction Fuzzy Hash: 86F0E270500104AFD700EBF8CD9199EB7ECEB5862479309B1E814D26A4FE34AE449A50

Function 240F6C77 Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,240F6CD5,?,2413B97C,?,240F6662,00000000,240F66D3,?,?,?,2413B97C), ref: 240F6CAD
FindClose.KERNEL32(00000000,00000000,?,00000000,240F6CD5,?,2413B97C,?,240F6662,00000000,240F66D3,?,?,?,2413B97C), ref: 240F6CB8

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: bce4aeb50a31603514ecadccd17d9c04e2b5c8aab1da8a6b2fcba9643d846f84
Instruction ID: 9b7455f6e1b04896c52cf8f2d3c27bc4b615f7f40e6bfc7e0678b2c4c8afb571
Opcode Fuzzy Hash: bce4aeb50a31603514ecadccd17d9c04e2b5c8aab1da8a6b2fcba9643d846f84
Instruction Fuzzy Hash: 6BF02E70504104AFDB01DBF8CD51D9EB7FCEB5562479309B5E814D35A4EF385F459A10

Function 240F8CD0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,240F8D23,00000000,240F8D66,?,?,00000000,00000000), ref: 240F8CE3

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: c0a5c38b77294cd5bc0105dacaac811761fc0667ac39b8f869ab3184c1b78c3f
Instruction ID: e2b2b30b613279014826f58682a81aadf59f618d2cd7d787be6e75cbcf1a3d1c
Opcode Fuzzy Hash: c0a5c38b77294cd5bc0105dacaac811761fc0667ac39b8f869ab3184c1b78c3f
Instruction Fuzzy Hash: 89D05E7731E2903AB210416A2D84DBB4ADCDBCA6B0F11417AFE48C6200E7108C4AA3BA

Function 241184FC Relevance: 46.1, APIs: 13, Strings: 13, Instructions: 591
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 241185D3
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 24118642
Sleep.KERNEL32(00001388,?,24118DFC,?,24118DFC,?,?,24118DFC,?,24118DFC,?,00000000,24118DD5), ref: 24118713

Strings

myshutdown, xrefs: 24118AAD
exit, xrefs: 24118D69
audiostop|, xrefs: 24118CD1
myrestart, xrefs: 24118B79
desligarmonitor, xrefs: 24118BA9
njkvenknvjebcddlaknvfdvjkfdskv, xrefs: 241189F7
poweroff, xrefs: 24118B49
.tmp, xrefs: 241185E7
_SAIR, xrefs: 24118D16
reconnect, xrefs: 24118BF0
hibernar, xrefs: 24118AE1
UuU.uUu, xrefs: 2411852B
logoff, xrefs: 24118B15

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: CopyCountFileSleepTick
String ID: .tmp$UuU.uUu$_SAIR$audiostop|$desligarmonitor$exit$hibernar$logoff$myrestart$myshutdown$njkvenknvjebcddlaknvfdvjkfdskv$poweroff$reconnect
API String ID: 3875903300-1445509685
Opcode ID: adaec0d96607975cb8a2dc77ba91571dc4f16762bf6372ce95fe9903e479254f
Instruction ID: 348bd50761af4b316406bf508f3763b0de59ca608ee2c75115575bc94db54578
Opcode Fuzzy Hash: adaec0d96607975cb8a2dc77ba91571dc4f16762bf6372ce95fe9903e479254f
Instruction Fuzzy Hash: BC321F31B001489FEB01DBA5C8C0A9EBBB5FB65358F518475E808B7398DF78EE858B51

Function 240F757C Relevance: 10.6, APIs: 7, Instructions: 79
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 240F1644: GetSystemTime.KERNEL32(?), ref: 240F164E

CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,240F7659), ref: 240F75E3
CloseHandle.KERNEL32(00000000,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,240F7659), ref: 240F75F0
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000003,00000004,00000000,00000000,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000), ref: 240F7605
SetFileTime.KERNEL32(00000000,?,?,?,00000000,40000000,00000003,00000000,00000003,00000004,00000000,00000000,00000000,40000000,00000003,00000000), ref: 240F761E
CloseHandle.KERNEL32(00000000,00000000,40000000,00000003,00000000,00000003,00000004,00000000,00000000,00000000,40000000,00000003,00000000,00000003,00000080,00000000), ref: 240F7624
SetFileTime.KERNEL32(00000000,?,?,?,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,240F7659), ref: 240F7638
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,240F7659), ref: 240F763E

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: File$CloseHandleTime$Create$System
String ID:
API String ID: 1407650207-0
Opcode ID: aa6035fe38d09aeba5f810ca3b762b34164d23065ef788c33bacf485e5fb884c
Instruction ID: 1874301888d49ff7afa348be4a27249d9896e7b624f90dfd2fd985b58baae0e4
Opcode Fuzzy Hash: aa6035fe38d09aeba5f810ca3b762b34164d23065ef788c33bacf485e5fb884c
Instruction Fuzzy Hash: B821C3B1900208BAF751E7B4DC81F9E73ACEB28618F520171B610E61C5DF74AF848654

Function 240F66E4 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(shell32.dll,ShellExecuteA,?,?,?,?,2412546A,00000000,00000000,2412E32C,2412E184,?,2412E184,?,?,2412E2A0), ref: 240F66FA
GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 240F6700
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,?,?,00000000,shell32.dll,ShellExecuteA,?,?,?,?,2412546A,00000000,00000000), ref: 240F6714

Strings

ShellExecuteA, xrefs: 240F66F0
open, xrefs: 240F6712
shell32.dll, xrefs: 240F66F5

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: AddressExecuteLibraryLoadProcShell
String ID: ShellExecuteA$open$shell32.dll
API String ID: 3429701994-209507969
Opcode ID: b9d4beea239d046d32b607512332954fa7bbddc8199f017517b3c8233110c62a
Instruction ID: 5dfc984d683ee46d6d2672d683d1384c3b2bf4ee05fec3974b37980483ccf861
Opcode Fuzzy Hash: b9d4beea239d046d32b607512332954fa7bbddc8199f017517b3c8233110c62a
Instruction Fuzzy Hash: 87E086722006043B5310D9DBDC80D9FBB6CDED9A60312C539B908C3205D830AD4146F0

Function 240F7578 Relevance: 9.1, APIs: 6, Instructions: 73
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 240F1644: GetSystemTime.KERNEL32(?), ref: 240F164E

CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,240F7659), ref: 240F75E3
CloseHandle.KERNEL32(00000000,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,240F7659), ref: 240F75F0
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000003,00000004,00000000,00000000,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000), ref: 240F7605
SetFileTime.KERNEL32(00000000,?,?,?,00000000,40000000,00000003,00000000,00000003,00000004,00000000,00000000,00000000,40000000,00000003,00000000), ref: 240F761E
CloseHandle.KERNEL32(00000000,00000000,40000000,00000003,00000000,00000003,00000004,00000000,00000000,00000000,40000000,00000003,00000000,00000003,00000080,00000000), ref: 240F7624
SetFileTime.KERNEL32(00000000,?,?,?,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,240F7659), ref: 240F7638
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,240F7659), ref: 240F763E

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: File$CloseHandleTime$Create$System
String ID:
API String ID: 1407650207-0
Opcode ID: b7971229e404f2dc03aece7db86cc0f9db0addba67c1a86e91455a6819bc35e0
Instruction ID: 44c08107a515ddd9fb9db7d911a5224c118d2f6c9194351fadf7de669eb2556b
Opcode Fuzzy Hash: b7971229e404f2dc03aece7db86cc0f9db0addba67c1a86e91455a6819bc35e0
Instruction Fuzzy Hash: 7E1103B0A002047EF752A778DC92F8E77ACEB24228F520271F610FA1C5DE746F808A15

Function 241182AC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00002710,?,241184EC,?,241184EC,?,00000000,241184A4,?,?,?,?,00000000,00000000), ref: 2411837F
GetTickCount.KERNEL32 ref: 241183F3
Sleep.KERNEL32(00002710,00000000,2411847A,?,?,241184EC,?,241184EC,?,00002710,?,241184EC,?,241184EC,?,00000000), ref: 24118468

Strings

XXXXXXXXXXXXXXXXXXXX, xrefs: 241182D6
XxX.xXx, xrefs: 24118306

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Sleep$CountTick
String ID: XXXXXXXXXXXXXXXXXXXX$XxX.xXx
API String ID: 207069750-1553977181
Opcode ID: caaa3513e1bca4ec8783d69248d0b399acdefd07900474e52629cb1f7e4c8fe0
Instruction ID: 5e9b0d1f9f23b50a050b80c9e838f676e919f00088429927cb7979cb4c64dd73
Opcode Fuzzy Hash: caaa3513e1bca4ec8783d69248d0b399acdefd07900474e52629cb1f7e4c8fe0
Instruction Fuzzy Hash: A2417F31A04108ABEB01DBA4CCD0A9DBBB9FF54708F52C475E404B7658DE38EB928B15

Function 240F70B8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,240F7197,?,?,Desktop), ref: 240F710D
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,24102AE0,80000001,00000000,00000000,00000001,?,00000000,240F7197,?,?,Desktop), ref: 240F7131
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,24102AE0,?,00000000,00000000,?,00000000,24102AE0,80000001,00000000,00000000,00000001), ref: 240F715B
RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,24102AE0,80000001,00000000,00000000,00000001,?,00000000,240F7197,?,?), ref: 240F716F

Strings

Desktop, xrefs: 240F70BE

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID: Desktop
API String ID: 1586453840-3336322104
Opcode ID: f14a8c14b77014f4164b02b088e9921b8f9c7882159e3c644ecdd7c10231eb2e
Instruction ID: c6ceb8018b088cd9f979f16cde6e6bbd7f36acc7b0b10ec4655c6f2fc48c2156
Opcode Fuzzy Hash: f14a8c14b77014f4164b02b088e9921b8f9c7882159e3c644ecdd7c10231eb2e
Instruction Fuzzy Hash: 63211B71A00608BBEB00EBA8DD90EAEB3FCEF58614F524075B904E7244DB74EE458B61

Function 240F7666 Relevance: 7.6, APIs: 5, Instructions: 63
timefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,240F7719), ref: 240F76C7
SetFileTime.KERNEL32(00000000,00000000,?,00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,240F7719), ref: 240F76DC
SetFileTime.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000), ref: 240F76EA
SetFileTime.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,40000000,00000001,00000000), ref: 240F76F8
CloseHandle.KERNEL32(00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,240F7719), ref: 240F76FE

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: File$Time$CloseCreateHandle
String ID:
API String ID: 670991709-0
Opcode ID: 6c4a5ec5f6482b3f1940648d70aa9e4521ca5ac3240df8c6f995e202b42cf2bd
Instruction ID: 9f80f808b78f213e306d3cc1cf7fd2ffad025741ff5692b9a1646074ec7998f8
Opcode Fuzzy Hash: 6c4a5ec5f6482b3f1940648d70aa9e4521ca5ac3240df8c6f995e202b42cf2bd
Instruction Fuzzy Hash: F81182B4A50304BEF720D774DC92F9E73ACEB54718F620471B610EA1C5EEB4BE808A64

Function 240F7668 Relevance: 7.6, APIs: 5, Instructions: 62
timefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,240F7719), ref: 240F76C7
SetFileTime.KERNEL32(00000000,00000000,?,00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,240F7719), ref: 240F76DC
SetFileTime.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000), ref: 240F76EA
SetFileTime.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,40000000,00000001,00000000), ref: 240F76F8
CloseHandle.KERNEL32(00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,240F7719), ref: 240F76FE

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: File$Time$CloseCreateHandle
String ID:
API String ID: 670991709-0
Opcode ID: ee83c2f54622b7d1f15c9046fa1deeab20c7da7d1850151ee3acc5687d271019
Instruction ID: 9300f45f5411deccfdf1ffcf0570bf8eafe27e6de770cc7733545faef7750b33
Opcode Fuzzy Hash: ee83c2f54622b7d1f15c9046fa1deeab20c7da7d1850151ee3acc5687d271019
Instruction Fuzzy Hash: 921182B4A50304BAF720D774DC92F9E73ACEB54718F620471B610EA1C5DEB4BA808A64

Function 240F6CE4 Relevance: 6.1, APIs: 4, Instructions: 66
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 240F6C78: FindFirstFileA.KERNEL32(00000000,?,00000000,240F6CD5,?,2413B97C,?,240F6662,00000000,240F66D3,?,?,?,2413B97C), ref: 240F6CAD
Part of subcall function 240F6C78: FindClose.KERNEL32(00000000,00000000,?,00000000,240F6CD5,?,2413B97C,?,240F6662,00000000,240F66D3,?,?,?,2413B97C), ref: 240F6CB8

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,240F6D92,?,?,?,00000000), ref: 240F6D37
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,240F6D92,?,?,?,00000000), ref: 240F6D41
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,240F6D92), ref: 240F6D5C
CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 240F6D77

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: File$CloseFind$CreateFirstHandleReadSize
String ID:
API String ID: 2300874643-0
Opcode ID: 55ee7388bad3973bde94372826e6ea89319b9c878f74cedd7d334d79db04e7c7
Instruction ID: de282aae041860f821ff11b103cc517022a76a9d13abb6453595114f1e63f5a7
Opcode Fuzzy Hash: 55ee7388bad3973bde94372826e6ea89319b9c878f74cedd7d334d79db04e7c7
Instruction Fuzzy Hash: A3116030A00604BFEB11DB68CC91F6E7BB8EF56B14F5200B4F504EB298DE746E458655

Function 240F6DA0 Relevance: 6.1, APIs: 4, Instructions: 58
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,240F6E3A,?,2414330C,00000000), ref: 240F6DE6
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,240F6E3A,?,2414330C,00000000), ref: 240F6DFE
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,240F6E3A,?,2414330C), ref: 240F6E14
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,240F6E3A), ref: 240F6E1A

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: 73ea0aae0c622ed69b726239551f68aa26d2ee7f49ff4929bd3f3bf3353b775b
Instruction ID: 480bee3d62098c8f471b4f537b5ccb85317a0863c151b6b55957732fb15fec10
Opcode Fuzzy Hash: 73ea0aae0c622ed69b726239551f68aa26d2ee7f49ff4929bd3f3bf3353b775b
Instruction Fuzzy Hash: F211D6706003047AF720D7B4DC92F9EB6ECEB55B28F620571B510F61C5DEB4BE808554

Function 2413219C Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000003,00000000,00000000,00000000,24132231,?,2414330C,00000000), ref: 241321E2
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000,00000000,00000000,24132231,?,2414330C,00000000), ref: 241321F5
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000,00000000), ref: 2413220B
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000), ref: 24132211

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: fb19bb9b0fe1167166fc9ea4cd781049096fd4f262828be9e48563ecbb9e8258
Instruction ID: ad34e37d84c911e064ee1c28eb1b3cb3310ebf6a6a4c0bf3250136945f9e36cd
Opcode Fuzzy Hash: fb19bb9b0fe1167166fc9ea4cd781049096fd4f262828be9e48563ecbb9e8258
Instruction Fuzzy Hash: 070175706403447AF720E764DC92F5EBBACEB55B28F620571B600FA1D5DEB4BE408514

Function 24118260 Relevance: 6.0, APIs: 4, Instructions: 25windowsleepCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 2411826F
TranslateMessage.USER32 ref: 24118281
DispatchMessageA.USER32 ref: 24118287
Sleep.KERNEL32(00000014,?,?,241182A2), ref: 2411828E

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Message$DispatchPeekSleepTranslate
String ID:
API String ID: 3768732053-0
Opcode ID: 5b8e39013756ac92f66ab1ed471163146afefbc0c30940ddccd909afdcd235f4
Instruction ID: a25d7d1ae0bd2e51fffffb5fe576af83a39ac0c3953cf02f3c64ba65c34a8ba4
Opcode Fuzzy Hash: 5b8e39013756ac92f66ab1ed471163146afefbc0c30940ddccd909afdcd235f4
Instruction Fuzzy Hash: 22E0123139272039FB7117A40C81FDE66884F2364EF564175F3056B0C5CA95694091A9

Function 240F6634 Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

Part of subcall function 240F6C78: FindFirstFileA.KERNEL32(00000000,?,00000000,240F6CD5,?,2413B97C,?,240F6662,00000000,240F66D3,?,?,?,2413B97C), ref: 240F6CAD
Part of subcall function 240F6C78: FindClose.KERNEL32(00000000,00000000,?,00000000,240F6CD5,?,2413B97C,?,240F6662,00000000,240F66D3,?,?,?,2413B97C), ref: 240F6CB8

GetFileAttributesA.KERNEL32(00000000,00000000,240F66B3,?,00000000,240F66D3,?,?,?,2413B97C), ref: 240F667F
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,240F66B3,?,00000000,240F66D3,?,?,?,2413B97C), ref: 240F6695
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000000,240F66B3,?,00000000,240F66D3,?,?,?,2413B97C), ref: 240F669B

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: File$AttributesFind$CloseDeleteFirst
String ID:
API String ID: 996707796-0
Opcode ID: c11861369b5d293e1fbf2e1e522722b30a87822455dce32a3541be7a806ada39
Instruction ID: 287b2e9b035285bf43915597bd26be61f064b78333dd32d0229ba19c29e5d515
Opcode Fuzzy Hash: c11861369b5d293e1fbf2e1e522722b30a87822455dce32a3541be7a806ada39
Instruction Fuzzy Hash: 42116631614244AFE712CBB4DC21E9FB7ECEB6AA18F5308B0E800D2640DE795E51D961

Function 240F6858 Relevance: 4.6, APIs: 3, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 240F689E
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,00000000,00000000,240F68FD,?,?,?), ref: 240F68C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,00000000,00000000,240F68FD,?,?,?), ref: 240F68D5

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 1b51a9af7da0486295bbc7fc232a820a4a0898d31d92eabd0dc41375bd6c1c7b
Instruction ID: 5739dfc59308aad53b8e4292b232af5991cfa5c9b0869b9b03dbf9e5631f5ead
Opcode Fuzzy Hash: 1b51a9af7da0486295bbc7fc232a820a4a0898d31d92eabd0dc41375bd6c1c7b
Instruction Fuzzy Hash: EE11EC71900108BFEB00EBA8DD91E9EB7ECEF68658F424475B804E7254DE78EE818B50

Function 24132464 Relevance: 4.6, APIs: 3, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001,00000000,2413250D,?,?,?,?,00000000), ref: 24132486

Part of subcall function 240F794C: GetForegroundWindow.USER32(00000000,240F79B9,?,24143304,2414330C,?,00000000,?,24132493,00000001,00000000,2413250D), ref: 240F796B
Part of subcall function 240F794C: GetWindowTextLengthA.USER32(00000000), ref: 240F7977
Part of subcall function 240F794C: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 240F7994

Part of subcall function 2413038C: GetAsyncKeyState.USER32(00000008), ref: 241303C9
Part of subcall function 2413038C: GetKeyState.USER32(00000014), ref: 241303EC
Part of subcall function 2413038C: GetKeyState.USER32(00000010), ref: 241303F9

GetTickCount.KERNEL32 ref: 241324A2
GetTickCount.KERNEL32 ref: 241324EE

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: StateWindow$CountTextTick$AsyncForegroundLengthSleep
String ID:
API String ID: 3649555911-0
Opcode ID: f62fa9df4ffc2662f08773a5bd375efc1fd5080953ca387a00a0808b364622a9
Instruction ID: e4e5c685a112245be635afc6e50107a82d07dd4161719a3b48bbeb1bac68e4bb
Opcode Fuzzy Hash: f62fa9df4ffc2662f08773a5bd375efc1fd5080953ca387a00a0808b364622a9
Instruction Fuzzy Hash: AB01F530304184BFF315EB51DDD0E8EBFA8DB95768F2244B1E4009B10ECEB2AF8186A1

Function 240F794C Relevance: 4.5, APIs: 3, Instructions: 43COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,240F79B9,?,24143304,2414330C,?,00000000,?,24132493,00000001,00000000,2413250D), ref: 240F796B
GetWindowTextLengthA.USER32(00000000), ref: 240F7977
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 240F7994

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Window$Text$ForegroundLength
String ID:
API String ID: 1471897267-0
Opcode ID: 24b25d6de3033be04fe15964b52cc2500b306bdca8db84370e252a94abd1d19a
Instruction ID: cab68aa7ebc9ff31ed94fcdabbe1c3c73011f722bf2625fa8dd155bd8c79280b
Opcode Fuzzy Hash: 24b25d6de3033be04fe15964b52cc2500b306bdca8db84370e252a94abd1d19a
Instruction Fuzzy Hash: 2BF0F6712046047BF311A6B9CC91D5EB7DDCF96514B930075A800D3608DEB8AF408561

Function 240F7728 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,240F777F), ref: 240F7752
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,240F777F), ref: 240F7764

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c4021b276290dbbd67368b48fc35696a60ea4524dae9e0b3c98c2aa1dfd1306d
Instruction ID: 0a76d734737e342f6ac59f66b7b83150ed9cd9506897caedbb88902d1c329143
Opcode Fuzzy Hash: c4021b276290dbbd67368b48fc35696a60ea4524dae9e0b3c98c2aa1dfd1306d
Instruction Fuzzy Hash: 06F0A070510A48BFB711EBA4CC91CAFB7ECEB596983930071F800D3504DEB47E409961

Function 240F78C4 Relevance: 3.0, APIs: 2, Instructions: 21threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,24124A34,00000000,00000000), ref: 240F78D6
SetThreadPriority.KERNEL32(00000000,00000000,00000000,?,?,24118CF6,24118E4C,24118E40,2413B8DC,0000000A,00000064,?,00001388,?,24118DFC,?), ref: 240F78DF

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Thread$CreatePriority
String ID:
API String ID: 2610526550-0
Opcode ID: 61bb2c7c535dddc69725e08d5f89bd8f97d57c9ece6b52f4b021e6be42d572b0
Instruction ID: ee457a59380481d4eaa8330773a84125dd0db4a2dcd0845deb4195d5e9c078b2
Opcode Fuzzy Hash: 61bb2c7c535dddc69725e08d5f89bd8f97d57c9ece6b52f4b021e6be42d572b0
Instruction Fuzzy Hash: 67D0C9A138E3903FF72552A52C82FBB1E0CDB92769F1502B6BA189A1C6C4846C0852B5

Function 240F78C8 Relevance: 3.0, APIs: 2, Instructions: 20threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,24124A34,00000000,00000000), ref: 240F78D6
SetThreadPriority.KERNEL32(00000000,00000000,00000000,?,?,24118CF6,24118E4C,24118E40,2413B8DC,0000000A,00000064,?,00001388,?,24118DFC,?), ref: 240F78DF

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Thread$CreatePriority
String ID:
API String ID: 2610526550-0
Opcode ID: b90d59c1ece38c85e66cc4d89c17127a835bff16823114e983e9d7694cf179ae
Instruction ID: 49f73861ca3d2c499fb8e9905947dfd86a8e70b7976fdfe00167d53865ba16ff
Opcode Fuzzy Hash: b90d59c1ece38c85e66cc4d89c17127a835bff16823114e983e9d7694cf179ae
Instruction Fuzzy Hash: 28D08CF234A2203EF23412A63C86FBB0D0CDBD17BDF210235BA1C9A1C5C8802C0401F4

Function 240F78EC Relevance: 3.0, APIs: 2, Instructions: 15threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(00000000,00000001,?,2413B9C4,24118452,00000000,2411847A,?,?,241184EC,?,241184EC,?,00002710,?,241184EC), ref: 240F78F3
CloseHandle.KERNEL32(00000000,00000000,00000001,?,2413B9C4,24118452,00000000,2411847A,?,?,241184EC,?,241184EC,?,00002710,?), ref: 240F78FF

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: CloseHandleTerminateThread
String ID:
API String ID: 2476175854-0
Opcode ID: 5893ba647653e121ef019f223bc399437da0a54cee20f113e6114f75509b07f9
Instruction ID: 4f6ec0a11a7f15314a6e78e0e8be704f1c1393a18fd2723f2129fe93f043bb89
Opcode Fuzzy Hash: 5893ba647653e121ef019f223bc399437da0a54cee20f113e6114f75509b07f9
Instruction Fuzzy Hash: 20C04C6225366429B62129681CD0DEE414DEB525AEF120676F940D5145C9864D8901E5

Function 240F6910 Relevance: 1.6, APIs: 1, Instructions: 53timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00000000,240F699E,?,00000000), ref: 240F6933

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 7350b4a9c6820360dd30810cb89ae5069ccbf8b9594c40b0414f4f6db9c65760
Instruction ID: c2bf0c514a4c099d295d3de418d9f90259ce2913d3aff019377138f131494422
Opcode Fuzzy Hash: 7350b4a9c6820360dd30810cb89ae5069ccbf8b9594c40b0414f4f6db9c65760
Instruction Fuzzy Hash: BC0144B1A042096BBB05DBA5CC519BFB6FDEFC9714B828439A404E2654ED349E818661

Function 240F69B8 Relevance: 1.6, APIs: 1, Instructions: 53timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00000000,240F6A46,?,00000000), ref: 240F69DB

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: a8f0912915f021d7454707f035700b6569a93340550fb12dbb5dd0483ee45bf1
Instruction ID: e13dc0c66355cff34ecccb7f5c24ccd63cea5e1e1c178fc70e494fb7ea36adf7
Opcode Fuzzy Hash: a8f0912915f021d7454707f035700b6569a93340550fb12dbb5dd0483ee45bf1
Instruction Fuzzy Hash: 6F018471A001096FB700DBA5CC518BFB6FEEBC8704B42C436A401E6255ED389D818961

Function 240F6A60 Relevance: 1.6, APIs: 1, Instructions: 53timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00000000,240F6AEE), ref: 240F6A83

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: b88d4b4d9917857a8a4f0baa790616a87a5da9f63a61f4c0df14a6eeb56480c1
Instruction ID: f66452d7d0d94bfdda57eb3f78a95e83e257f25b9eb5ef09018d3278e5a998dc
Opcode Fuzzy Hash: b88d4b4d9917857a8a4f0baa790616a87a5da9f63a61f4c0df14a6eeb56480c1
Instruction Fuzzy Hash: 17018470A04109ABF700DBA5CC519BFB6FDEBD8704B538435A400E2244ED389E818661

Function 240F69B7 Relevance: 1.5, APIs: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00000000,240F6A46,?,00000000), ref: 240F69DB

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 1b96d224f17209b4cd6f5ba3788dc72a559d29b6a203a3338a0f859868f96cb9
Instruction ID: adf85b9e96e0cf9f01df45a285c0d4b618369115874d8578113c3fbbdee3d317
Opcode Fuzzy Hash: 1b96d224f17209b4cd6f5ba3788dc72a559d29b6a203a3338a0f859868f96cb9
Instruction Fuzzy Hash: 26017171A04109AFEB01DBA5CC518BFBBB9EBC8714B52C53AA401E2654DD389A928961

Function 240F6A5F Relevance: 1.5, APIs: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00000000,240F6AEE), ref: 240F6A83

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 1b1495920e1e69c72181523e2035efdf93cbdb3a7f0cea80c10f8088d31fc326
Instruction ID: 058e9bd192f1db0425cee6a8d01071132b642983ffd4e609d67d7197c73e5c22
Opcode Fuzzy Hash: 1b1495920e1e69c72181523e2035efdf93cbdb3a7f0cea80c10f8088d31fc326
Instruction Fuzzy Hash: 0601D470904109AFEB00CBA1CC518BFF7FDEBD8714B53843AA400E2694DD388E82CA61

Function 24120DB8 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00000400), ref: 24120E03

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: FileInfo
String ID:
API String ID: 4041567068-0
Opcode ID: e1c84737f4da22ff05407a57cf157ca5e7cc64f5f8c22bae5e2f563d64426716
Instruction ID: 8ffcbc6a3047568523fc5794e30d738cf8f0c10aee27efebb55166cd4cbb5258
Opcode Fuzzy Hash: e1c84737f4da22ff05407a57cf157ca5e7cc64f5f8c22bae5e2f563d64426716
Instruction Fuzzy Hash: 1CF0C8316046186FE751DB65CCD1EDB7F7DEB89750F8204B5E604E7148EA72AE808E60

Function 240F456C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(240F0000,?,00000105), ref: 240F458A

Part of subcall function 240F47A8: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 240F47C4
Part of subcall function 240F47A8: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 240F47E2
Part of subcall function 240F47A8: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 240F4800
Part of subcall function 240F47A8: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 240F481E
Part of subcall function 240F47A8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,240F48AD,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 240F4867
Part of subcall function 240F47A8: RegQueryValueExA.ADVAPI32(?,240F4A14,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,240F48AD,?,80000001), ref: 240F4885
Part of subcall function 240F47A8: RegCloseKey.ADVAPI32(?,240F48B4,00000000,00000000,00000005,00000000,240F48AD,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 240F48A7

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 1507f16d1c8060c37e29c217a3c29be13e96fd5195aa6ed9a79a539f112e1d2e
Instruction ID: 4be9edb664acf6251dd80e58098c5433b163c0e2f7fb417f7384a8a877ad2ee3
Opcode Fuzzy Hash: 1507f16d1c8060c37e29c217a3c29be13e96fd5195aa6ed9a79a539f112e1d2e
Instruction Fuzzy Hash: 58E03971A002108FDB00DE5888C0A4A33D8BB58654F020661AC54CF24BD774DA908790

Function 005B0000 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 005B0023

Memory Dump Source

Source File: 0000000A.00000002.2512112996.00000000005B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5b0000_3ClBcOpPUX.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Function 240F4F18 Relevance: 1.5, APIs: 1, Instructions: 14synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(?,?,?,?,24118D32,00000000,00000000,00000000,00000000,?,00001388,?,24118DFC,?,24118DFC,?), ref: 240F4F2E

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
Instruction ID: 823c1d0e01e50064b800e4428e3b95a243eb6a8903d88d4f2bdf10659dca6de7
Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
Instruction Fuzzy Hash: 5AC01273160248AF8B00EEA8DC05D9B33DCAB28609B008824B928CB104C539E5A49B60

Function 240F12F2 Relevance: 1.5, APIs: 1, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00910000,00000000), ref: 240F1301

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: db486fc141d3cf3eeb78556c17dd34dc273fda7b345a4b96d1047699cca5b23c
Instruction ID: a53d50c721c396865b7d7c55680f7e59519ec1ada49774b322e25b7f76428027
Opcode Fuzzy Hash: db486fc141d3cf3eeb78556c17dd34dc273fda7b345a4b96d1047699cca5b23c
Instruction Fuzzy Hash: 27B002B6710500AF9641EBAD8C44E2636DDE79E2443859450B518E7246D63D9C404B21

Function 240F132D Relevance: 1.5, APIs: 1, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00910000,00000000), ref: 240F133D

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: caa7f148bb4efedb58e2c40c176e3d8e526e4d5cb18d2785b2178a1695496079
Instruction ID: ddf5df0d8f213de95b346c22d7e3c0384b9ca9579892887194a9e531566620a4
Opcode Fuzzy Hash: caa7f148bb4efedb58e2c40c176e3d8e526e4d5cb18d2785b2178a1695496079
Instruction Fuzzy Hash: 2FB092B22106009AD641D799CC41F0336DCE75A304F8080107018E7102C53DA8104B28

Function 240F12F4 Relevance: 1.5, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00910000,00000000), ref: 240F1301

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2fcb5acfe162e096614889ebecab8206673770e6616922c5236b776d6b1478b1
Instruction ID: 3b47db099ff7fca2c8e59ea9f4f841e02944556415ae8c62579ca1fe9770bf44
Opcode Fuzzy Hash: 2fcb5acfe162e096614889ebecab8206673770e6616922c5236b776d6b1478b1
Instruction Fuzzy Hash: 0BB002B66105009A9541EB998C44E1636DDA79E2443859450B118E7246D63D98404B21

Function 001E0000 Relevance: 1.3, APIs: 1, Instructions: 16sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(FFFFFFFF), ref: 001E0026

Memory Dump Source

Source File: 0000000A.00000002.2511631398.00000000001E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e0000_3ClBcOpPUX.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction ID: e2f073345a7329657dc691c931dfc1a5492980e565283ffa8103e39a6f4478e4
Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
Instruction Fuzzy Hash: 05E00274D04648EFCB04DF99C98889DBBB5AF89320B25C295E865A73A5D730AE419A80

Function 240F1308 Relevance: 1.3, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00910000,00000000), ref: 240F131B

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 59a15fdbb3f15c5d6bc8345cfd75db5c4fd5f4616dbb4cb98fc44142d21b0fec
Instruction ID: 0bb76c5f3ea61e296de792922a5d35944b46e5cc7d5c9e5d99a0432ea5d548a3
Opcode Fuzzy Hash: 59a15fdbb3f15c5d6bc8345cfd75db5c4fd5f4616dbb4cb98fc44142d21b0fec
Instruction Fuzzy Hash: AAC04CB33606015B9B1197EECCC2E1776DCF75E2097549511F518EB112D53EDC905A20

Function 2413251C Relevance: 1.3, APIs: 1, Instructions: 12sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 240F78C8: CreateThread.KERNEL32(00000000,00000000,24124A34,00000000,00000000), ref: 240F78D6
Part of subcall function 240F78C8: SetThreadPriority.KERNEL32(00000000,00000000,00000000,?,?,24118CF6,24118E4C,24118E40,2413B8DC,0000000A,00000064,?,00001388,?,24118DFC,?), ref: 240F78DF

Sleep.KERNEL32(2413B930), ref: 24132540

Part of subcall function 241300AC: GetTickCount.KERNEL32 ref: 24130124
Part of subcall function 241300AC: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 24130162
Part of subcall function 241300AC: SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,.txt,?,00000000,00000000,?,00000000,241302D7,?,?,00000000,00000000), ref: 2413016D

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: FileThread$AttributesCopyCountCreatePrioritySleepTick
String ID:
API String ID: 696888678-0
Opcode ID: 9b8ae2338a7cda8eedfc3f50b5589dd26a6ba8dd79c3d06478909124bb376d6f
Instruction ID: 8b51a56ded81ec4ed46485657a654098df351e75d5105952bc48e823f70f54b4
Opcode Fuzzy Hash: 9b8ae2338a7cda8eedfc3f50b5589dd26a6ba8dd79c3d06478909124bb376d6f
Instruction Fuzzy Hash: 46D01231B0424097B61CE778DCD080D3E85BFA614C74788696401BF09CCD78FB814726

Function 03CC0000 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2516265880.0000000003CC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 03CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3cc0000_3ClBcOpPUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f87fc558e2f538fd351bdfc49e2c6aa18e45c6a6d2c8ec1415aa36aaa266a9
Instruction ID: 18b5e61e04c7bcae5a7a9f8a09946595db22e2a0f492063f86ebefdf2a899b08
Opcode Fuzzy Hash: a8f87fc558e2f538fd351bdfc49e2c6aa18e45c6a6d2c8ec1415aa36aaa266a9
Instruction Fuzzy Hash: 33D01275914208EFDB04CF54D84589EBBF5EB44320F20C165E914973A0E731AE509A44

Non-executed Functions

Function 240F45F0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 136stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 240F460D
GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 240F461E
lstrcpyn.KERNEL32(?,?,?), ref: 240F464E
lstrcpyn.KERNEL32(?,?,?,kernel32.dll), ref: 240F46B2
lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll), ref: 240F46E7
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 240F46FA
FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 240F4707
lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 240F4713
lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 240F4747
lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 240F4753
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 240F4775

Strings

GetLongPathNameA, xrefs: 240F4618
kernel32.dll, xrefs: 240F4608
\, xrefs: 240F4725

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: 2691ca1e4040681da7de2d89c7b7b236e77c8747fd0c532d466ef22df42ae37d
Instruction ID: 5d46ac8944c3ce74a7da0b2e6eec258ee11acae5ecbcb827f627c7d83878ea90
Opcode Fuzzy Hash: 2691ca1e4040681da7de2d89c7b7b236e77c8747fd0c532d466ef22df42ae37d
Instruction Fuzzy Hash: 61419C72900658AFEB51DAF8CC84FDEB7ECAF25214F0600B2A948E7104DF309ED48B50

Function 24134984 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 213injectionthreadprocessCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 24134A0D
GetThreadContext.KERNEL32(?,00010002), ref: 24134A41
ReadProcessMemory.KERNEL32(?,?,?,00000004,?,?,00010002), ref: 24134A66
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,?,?,00010002), ref: 24134AB5
WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000004,?,?,?,00000004,?,?), ref: 24134ADE
WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,?,?,?,00003000,00000004,?), ref: 24134B27
VirtualProtectEx.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,?), ref: 24134B4F
WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000004,?), ref: 24134B72
SetThreadContext.KERNEL32(?,00010002,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000), ref: 24134B95
TerminateProcess.KERNEL32(?,00000000,24134BD7), ref: 24134BBC
ResumeThread.KERNEL32(?,24134BD7), ref: 24134BC7

Part of subcall function 2413493C: LoadLibraryA.KERNEL32(ntdll.dll,ZwUnmapViewOfSection,?,00000000,24134A7E,?,?,?,00000004,?,?,00010002), ref: 2413494C
Part of subcall function 2413493C: GetProcAddress.KERNEL32(00000000,ntdll.dll), ref: 24134952

Strings

D, xrefs: 241349D7

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Process$Memory$ThreadWrite$ContextVirtual$AddressAllocCreateLibraryLoadProcProtectReadResumeTerminate
String ID: D
API String ID: 4089571990-2746444292
Opcode ID: 338db447ca8bd9bce197389899b484d4e9ec1f8a2a8513815abdf10abf862362
Instruction ID: 8b64923ba1a19e7ffb7e1291c2de0c7915bc87762f8be36215f7dae0e3a628c9
Opcode Fuzzy Hash: 338db447ca8bd9bce197389899b484d4e9ec1f8a2a8513815abdf10abf862362
Instruction Fuzzy Hash: 2781C7B1A00209AFEB51DBE8DC81FEEBBF8AF58304F1144A5F604E7255D774EA448B64

Function 241209E4 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 188fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,24120C93,?,00000000,24120D1E), ref: 24120B62
FindNextFileA.KERNEL32(000000FF,?,00000000,?,00000000,24120C93,?,00000000,24120D1E), ref: 24120C6F
FindClose.KERNEL32(000000FF,24120C9A,24120C93,?,00000000,24120D1E), ref: 24120C8D

Strings

%RECENT%, xrefs: 24120A7A
%SYS%, xrefs: 24120A61
%WIN%, xrefs: 24120A48
Recent, xrefs: 24120A8C
%DESKTOP%, xrefs: 24120AAE
Desktop, xrefs: 24120AC0
*.*, xrefs: 24120B49

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: %DESKTOP%$%RECENT%$%SYS%$%WIN%$*.*$Desktop$Recent
API String ID: 3541575487-3092682246
Opcode ID: 3b874ca6de88f01ef1f90662cee5c028f6597501964798851508670073e482bc
Instruction ID: b13421e1c651a729f42dbbdc2982019bd47d8475f6f59c7c937d489feb9dd2bd
Opcode Fuzzy Hash: 3b874ca6de88f01ef1f90662cee5c028f6597501964798851508670073e482bc
Instruction Fuzzy Hash: D9815930A00A2D9FDB11DB94CC80ADEBBB9AF45318F5141E9D508E7248DB74AF858F51

Function 2413038C Relevance: 15.3, APIs: 10, Instructions: 323keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000008), ref: 241303C9
GetKeyState.USER32(00000014), ref: 241303EC
GetKeyState.USER32(00000010), ref: 241303F9

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: State$Async
String ID:
API String ID: 993286747-0
Opcode ID: 56ea7edbb8224b653674744ad167b2c83213fffa18f639db4eec15ba92e3ec76
Instruction ID: cf2234c9268d6d80ab92be89397bde116319e340a141ce3f0bde973acd4df602
Opcode Fuzzy Hash: 56ea7edbb8224b653674744ad167b2c83213fffa18f639db4eec15ba92e3ec76
Instruction Fuzzy Hash: DBB160347042458BF312E768CCC4BD9BBE2AF99718F9248B0D4449B25DDEB9EF824B51

Function 2411C424 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?), ref: 2411C441
GetCurrentProcess.KERNEL32(00000020,?,00000000,2411C4E9,?,?), ref: 2411C467
OpenProcessToken.ADVAPI32(00000000,00000020,?,00000000,2411C4E9,?,?), ref: 2411C46D
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 2411C480
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,?,00000000,SeDebugPrivilege,?,00000000,00000020,?,00000000,2411C4E9,?,?), ref: 2411C4AA
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000,?,00000000,SeDebugPrivilege,?,00000000), ref: 2411C4D1
CloseHandle.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000,?,00000000,SeDebugPrivilege,?), ref: 2411C4DA

Strings

SeDebugPrivilege, xrefs: 2411C479

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Token$AdjustPrivilegesProcess$CloseCurrentHandleLookupOpenPrivilegeValueVersion
String ID: SeDebugPrivilege
API String ID: 3222167619-2896544425
Opcode ID: 8168c5cd38bdd27c8b41c3622df13c108970857d4e50d44ec0955794d47e86a0
Instruction ID: 9533e18d868dbf79bd32bfd0715859a2918ae8bf3baa04f07b212115b239771b
Opcode Fuzzy Hash: 8168c5cd38bdd27c8b41c3622df13c108970857d4e50d44ec0955794d47e86a0
Instruction Fuzzy Hash: 75216371A04208BEFB10CBA4DC85FEFBBBCEB15704F1144B1EA04E6184DA745A448FA1

Function 2411CBE4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 98serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 2411C424: GetVersionExA.KERNEL32(?), ref: 2411C441
Part of subcall function 2411C424: GetCurrentProcess.KERNEL32(00000020,?,00000000,2411C4E9,?,?), ref: 2411C467
Part of subcall function 2411C424: OpenProcessToken.ADVAPI32(00000000,00000020,?,00000000,2411C4E9,?,?), ref: 2411C46D
Part of subcall function 2411C424: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 2411C480
Part of subcall function 2411C424: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,?,00000000,SeDebugPrivilege,?,00000000,00000020,?,00000000,2411C4E9,?,?), ref: 2411C4AA
Part of subcall function 2411C424: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000,?,00000000,SeDebugPrivilege,?,00000000), ref: 2411C4D1
Part of subcall function 2411C424: CloseHandle.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000,?,00000000,SeDebugPrivilege,?), ref: 2411C4DA

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,2411CD0F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 2411CC29
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,2411CCD4), ref: 2411CC6A

Part of subcall function 240F6858: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 240F689E
Part of subcall function 240F6858: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,00000000,00000000,240F68FD,?,?,?), ref: 240F68C6
Part of subcall function 240F6858: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,00000000,00000000,240F68FD,?,?,?), ref: 240F68D5

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 2411CCBF
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 2411CCC5

Strings

Description, xrefs: 2411CCAF
System\CurrentControlSet\Services\, xrefs: 2411CC90

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Close$HandleServiceToken$AdjustCreateOpenPrivilegesProcessValue$CurrentLookupManagerPrivilegeVersion
String ID: Description$System\CurrentControlSet\Services\
API String ID: 3877902884-3489731058
Opcode ID: 0a0086b2cc73cb1cd3f0421674a51aeb8c74618905e159e61875df5eeb3b82f3
Instruction ID: a7c1b46f10006cfee209675508d272d8400bc418021740816a4e6dce43b89a67
Opcode Fuzzy Hash: 0a0086b2cc73cb1cd3f0421674a51aeb8c74618905e159e61875df5eeb3b82f3
Instruction Fuzzy Hash: 95210A70A00209BFEB01DBA0CC91FAFBBB9EF55754F114075E504E7298EE789E01DA50

Function 2411B354 Relevance: 10.6, APIs: 7, Instructions: 70injectionmemorythreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 2411B36C
VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,?,00000000), ref: 2411B396
VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 2411B3A5
GetModuleHandleA.KERNEL32(00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 2411B3B8
WriteProcessMemory.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 2411B3C0
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 2411B3E1
CloseHandle.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 2411B3E7

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Handle$ModuleVirtual$AllocCloseCreateFreeMemoryProcessRemoteThreadWrite
String ID:
API String ID: 2398686212-0
Opcode ID: 320e831d3db3fd37a1909f490eb8679622ef688ad2e82d5ecf3d3b5ad779abdd
Instruction ID: ea8ee0bd8c37a9db8a6099aa5e98b1dadd33f9f7e843c4e86b46a19b0b7c2c76
Opcode Fuzzy Hash: 320e831d3db3fd37a1909f490eb8679622ef688ad2e82d5ecf3d3b5ad779abdd
Instruction Fuzzy Hash: 921112B12443047FE360DB698C81F6FBBDCEBD4714F558868BA48D7285DA70E8448766

Function 240F5FE4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,240F6160), ref: 240F6067
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,240F6160), ref: 240F6108
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,240F6160), ref: 240F611C
RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,240F6160), ref: 240F612A

Strings

*.*, xrefs: 240F604E

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Find$File$CloseDirectoryFirstNextRemove
String ID: *.*
API String ID: 81111410-438819550
Opcode ID: 589ab8de6870cd8ce73f45b36839711648b9d3e0dbcc0180ef914455842102b8
Instruction ID: 54e17d97572217b81e1c3760895fb50f13166b14fd8d7cba5bdaec577459786d
Opcode Fuzzy Hash: 589ab8de6870cd8ce73f45b36839711648b9d3e0dbcc0180ef914455842102b8
Instruction Fuzzy Hash: 6B416E30900608ABEB10DBA4CD90ACEB7F5BF95768F5245B5D804E7359DF34AFC68A50

Function 240F5FE2 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,240F6160), ref: 240F6067
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,240F6160), ref: 240F6108
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,240F6160), ref: 240F611C
RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,240F6160), ref: 240F612A

Strings

*.*, xrefs: 240F604E

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Find$File$CloseDirectoryFirstNextRemove
String ID: *.*
API String ID: 81111410-438819550
Opcode ID: b1ff480b62c8d31f6b0df2978234ab5aa24c22028277c72224dd8734c8d120b8
Instruction ID: 1531d70b103d94e1d74d5b461f95de84e7dd2692d677940b60937174c7d0f57c
Opcode Fuzzy Hash: b1ff480b62c8d31f6b0df2978234ab5aa24c22028277c72224dd8734c8d120b8
Instruction Fuzzy Hash: 42318130900508ABEB10DBE4CD4098EB7F5BF95768F5245B4D804E7259DF34AFC68A51

Function 2411CFC8 Relevance: 7.6, APIs: 5, Instructions: 54clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 2411CFDC
GlobalAlloc.KERNEL32(00002002,00000000,00000000,2411D092,?,00000000), ref: 2411CFF5
GlobalLock.KERNEL32(?), ref: 2411D00F
SetClipboardData.USER32(00000001,?), ref: 2411D03A
GlobalUnlock.KERNEL32(?), ref: 2411D050

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Global$Clipboard$AllocDataLockOpenUnlock
String ID:
API String ID: 3395808788-0
Opcode ID: 097404531e8a21b7fb8a929bbf961608d185668a119ebf2e76a9b4bf5ff4b2bb
Instruction ID: fd46ad72e37dec1d67e9fe064c312b21b398e8edf579ddaf2c89ed0e66bbf126
Opcode Fuzzy Hash: 097404531e8a21b7fb8a929bbf961608d185668a119ebf2e76a9b4bf5ff4b2bb
Instruction Fuzzy Hash: 2901D471200644BFF7229F759CB1D2EBBACDB59A44BC30870F904C3605DD79AD11C960

Function 2411EAA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69nativeCOMMON

Download Yara Rule

APIs

SetPropA.USER32(?,OBJECT,00000000), ref: 2411EAC8
GetPropA.USER32(?,OBJECT), ref: 2411EAEC
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 2411EB30

Strings

OBJECT, xrefs: 2411EAC2, 2411EAE6

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Prop$NtdllProc_Window
String ID: OBJECT
API String ID: 1456104087-1481993322
Opcode ID: b356f9bce23f5cf68c2e5e5fde2a52d80af506bf77b50ff53fe2f27ecd1d5e73
Instruction ID: 4044a0093e227a8d98c57d23e32e097e32b58f469c3fc11ba8a19cf1e1f5231a
Opcode Fuzzy Hash: b356f9bce23f5cf68c2e5e5fde2a52d80af506bf77b50ff53fe2f27ecd1d5e73
Instruction Fuzzy Hash: CF21FE71A01219AFD710DFA8C9C4DAEBBF8EF49614B5145A9EC09E7301D7709F408BA5

Function 241347C8 Relevance: 6.1, APIs: 4, Instructions: 100memoryinjectionCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 2413482D
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00003000,00000040), ref: 24134840
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,00000000,00000000,00008000,?,?,00003000,00000040), ref: 2413485A
WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,?,?,00003000,00000040), ref: 2413489C

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$FreeMemoryProcessWrite
String ID:
API String ID: 2022580353-0
Opcode ID: eb6d76005167538706816c2aaeecc160133f7c664a34aac661579d818c8fe209
Instruction ID: cca4e630ba75db2e7ae9e8cfbbf5fd8fcc332d84e042ac81104804fb7239a068
Opcode Fuzzy Hash: eb6d76005167538706816c2aaeecc160133f7c664a34aac661579d818c8fe209
Instruction Fuzzy Hash: 1A312F71A00245BFE750CBA9CC81F9EBBF9FB98614F5580A4E604F7644DB74EE108BA4

Function 2411D390 Relevance: 6.0, APIs: 4, Instructions: 37timefileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 2411D3AB
FindClose.KERNEL32(00000000,00000000,?), ref: 2411D3B6
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 2411D3CF
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 2411D3E0

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: FileTime$Find$CloseDateFirstLocal
String ID:
API String ID: 2659516521-0
Opcode ID: 9143006eb41c45353f1fb9a1df9d4207309235395cb7662632e7840d83c7f675
Instruction ID: 1ede241b11f29c94655825e4dbe32ee3d1ce9a00880b1bfc5a47e687e3075fcb
Opcode Fuzzy Hash: 9143006eb41c45353f1fb9a1df9d4207309235395cb7662632e7840d83c7f675
Instruction Fuzzy Hash: 44F012B2D1020C66DB11DBE58DC49CFB3AC6F14224F5106F6E91DD21D5EB38AB485BA1

Function 2411BD34 Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PSAPI.dll,?,2411C0D5), ref: 2411BD48
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 2411BD64
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 2411BD76
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 2411BD88
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 2411BD9A
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 2411BDAC
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 2411BDBE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 2411BDD0
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 2411BDE2
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 2411BDF4
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet), ref: 2411BE06
GetProcAddress.KERNEL32(00000000,QueryWorkingSet), ref: 2411BE18
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch), ref: 2411BE2A
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA), ref: 2411BE3C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA), ref: 2411BE4E
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA), ref: 2411BE60
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA), ref: 2411BE72
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA), ref: 2411BE84
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA), ref: 2411BE96
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW), ref: 2411BEA8
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW), ref: 2411BEBA

Strings

EmptyWorkingSet, xrefs: 2411BDFE
GetDeviceDriverFileNameW, xrefs: 2411BEC4
GetModuleBaseNameW, xrefs: 2411BDC8
QueryWorkingSet, xrefs: 2411BE10
EnumProcessModules, xrefs: 2411BD6E
GetMappedFileNameA, xrefs: 2411BE34, 2411BE6A
GetModuleBaseNameA, xrefs: 2411BD80, 2411BDA4
InitializeProcessForWsWatch, xrefs: 2411BE22
GetDeviceDriverFileNameA, xrefs: 2411BE58, 2411BE8E
GetProcessMemoryInfo, xrefs: 2411BEE8
PSAPI.dll, xrefs: 2411BD43
EnumProcesses, xrefs: 2411BD5C
GetModuleFileNameExW, xrefs: 2411BDDA
GetMappedFileNameW, xrefs: 2411BEA0
GetDeviceDriverBaseNameA, xrefs: 2411BE46, 2411BE7C
GetDeviceDriverBaseNameW, xrefs: 2411BEB2
GetModuleFileNameExA, xrefs: 2411BD92, 2411BDB6
GetModuleInformation, xrefs: 2411BDEC
EnumDeviceDrivers, xrefs: 2411BED6

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$PSAPI.dll$QueryWorkingSet
API String ID: 2238633743-2267155864
Opcode ID: 2d4db1a84fcddde94c6b998c3309facc3dd338e632ce89cce69372d15775f384
Instruction ID: 552ebbbbfee55f3bc4b85f8b417fa3213a071b5fa031229a6715fa04f70b3c61
Opcode Fuzzy Hash: 2d4db1a84fcddde94c6b998c3309facc3dd338e632ce89cce69372d15775f384
Instruction Fuzzy Hash: 97411BB1A106119FEB10DFBA88D4E1D3BA8FB162443430579F808EF64DEB39D9849F95

Function 240F5564 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,240F57EB,?,?,2410E487), ref: 240F5578
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 240F5590
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 240F55A2
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 240F55B4
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 240F55C6
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 240F55D8
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 240F55EA
GetProcAddress.KERNEL32(00000000,Process32First), ref: 240F55FC
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 240F560E
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 240F5620
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 240F5632
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 240F5644
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 240F5656
GetProcAddress.KERNEL32(00000000,Module32First), ref: 240F5668
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 240F567A
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 240F568C
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 240F569E

Strings

Module32Next, xrefs: 240F5672
Process32Next, xrefs: 240F5606
kernel32.dll, xrefs: 240F5573
Toolhelp32ReadProcessMemory, xrefs: 240F55E2
Heap32ListNext, xrefs: 240F55AC
Heap32Next, xrefs: 240F55D0
Process32FirstW, xrefs: 240F5618
Module32First, xrefs: 240F5660
Heap32ListFirst, xrefs: 240F559A
Thread32First, xrefs: 240F563C
Module32FirstW, xrefs: 240F5684
Thread32Next, xrefs: 240F564E
Process32First, xrefs: 240F55F4
CreateToolhelp32Snapshot, xrefs: 240F5588
Heap32First, xrefs: 240F55BE
Process32NextW, xrefs: 240F562A
Module32NextW, xrefs: 240F5696

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: 8444a12f7f70b02fec8e8d73ec587f597cc3db0bb04e09df8ee4fe448a6397f1
Instruction ID: 41f1342bb5b153fc71fb9d9f245127f62e60109077f34ec66c9041621370de1d
Opcode Fuzzy Hash: 8444a12f7f70b02fec8e8d73ec587f597cc3db0bb04e09df8ee4fe448a6397f1
Instruction Fuzzy Hash: 623136F4A11A10AFEB20AFB69CD4F1D3FA8FB162447420579F400EF24BEA3995848F55

Function 24124638 Relevance: 54.4, APIs: 25, Strings: 6, Instructions: 181registrysleepCOMMON

Download Yara Rule

APIs

Part of subcall function 240F4F18: CreateMutexA.KERNEL32(?,?,?,?,24118D32,00000000,00000000,00000000,00000000,?,00001388,?,24118DFC,?,24118DFC,?), ref: 240F4F2E

Sleep.KERNEL32(00000064,00000000,00000000,00000000,00000000,24124885,?,?,00000000,00000000,00000000), ref: 24124697
CloseHandle.KERNEL32(000003F4,00000000,00000000,00000000,00000000,24124885,?,?,00000000,00000000,00000000), ref: 241246B2
CloseHandle.KERNEL32(000003BC,000003F4,00000000,00000000,00000000,00000000,24124885,?,?,00000000,00000000,00000000), ref: 241246BF
SetFileAttributesA.KERNEL32(00000000,00000080,000003BC,000003F4,00000000,00000000,00000000,00000000,24124885,?,?,00000000,00000000,00000000), ref: 241246E1
RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 24124707
RegDeleteValueA.ADVAPI32(00000000,00000000,80000002,Software\Microsoft\Windows\CurrentVersion\Run,?,00000000,00000080,000003BC,000003F4,00000000,00000000,00000000,00000000,24124885), ref: 2412471C
RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000002,Software\Microsoft\Windows\CurrentVersion\Run,?,00000000,00000080,000003BC,000003F4,00000000,00000000,00000000,00000000,24124885), ref: 24124724
RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 2412473E
RegDeleteValueA.ADVAPI32(00000000,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Run,?,00000000,00000080,000003BC,000003F4,00000000,00000000,00000000,00000000,24124885), ref: 24124753
RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Run,?,00000000,00000080,000003BC,000003F4,00000000,00000000,00000000,00000000,24124885), ref: 2412475B
RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?), ref: 24124775
RegDeleteValueA.ADVAPI32(00000000,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?,00000000,00000080,000003BC,000003F4,00000000,00000000,00000000,00000000,24124885), ref: 2412478A
RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?,00000000,00000080,000003BC,000003F4,00000000,00000000,00000000,00000000,24124885), ref: 24124792
RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?), ref: 241247A2
RegDeleteValueA.ADVAPI32(00000000,00000000,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?,00000000,00000000,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?,00000000,00000080,000003BC,000003F4,00000000), ref: 241247B7
RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?,00000000,00000000,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?,00000000,00000080,000003BC,000003F4), ref: 241247BF
RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,00000000,00000080,000003BC,000003F4,00000000,00000000,00000000,00000000,24124885), ref: 241247E0
RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 241247F5
RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000002,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,00000000,00000080,000003BC,000003F4,00000000,00000000,00000000,00000000), ref: 241247FD
RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,00000000,00000000,00000000,80000002,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,00000000,00000080,000003BC), ref: 24124814
RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 24124829
RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,00000000,00000000,00000000,80000002,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?), ref: 24124831
RegOpenKeyExA.ADVAPI32(80000001,Software\,00000000,00020006,?,00000000,00000080,000003BC,000003F4,00000000,00000000,00000000,00000000,24124885), ref: 24124848
RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 2412485D
RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000001,Software\,00000000,00020006,?,00000000,00000080,000003BC,000003F4,00000000,00000000,00000000,00000000), ref: 24124865

Strings

exit, xrefs: 2412468B
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, xrefs: 2412476B, 24124798
Software\Microsoft\Active Setup\Installed Components\, xrefs: 241247D6, 2412480A
Software\, xrefs: 2412483E
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 241246FD, 24124734
_SAIR, xrefs: 2412465E

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Close$DeleteOpen$Value$Handle$AttributesCreateFileMutexSleep
String ID: Software\$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run$Software\Microsoft\Windows\CurrentVersion\Run$_SAIR$exit
API String ID: 2709957979-2341067361
Opcode ID: 7f2011058b3a84b6ff136e8c5cd535a8d88ed1dae21dcd4f91f570005b288c22
Instruction ID: 6ece36f28214a684b15d2eebf358169563991e7ed99b4d9b07868b547a4216b3
Opcode Fuzzy Hash: 7f2011058b3a84b6ff136e8c5cd535a8d88ed1dae21dcd4f91f570005b288c22
Instruction Fuzzy Hash: DB51F170700654AFE700DBA9DDC5F5A77EAFB69748F5204B0B900EB298CE78ED808B55

Function 24100C08 Relevance: 52.8, APIs: 7, Strings: 23, Instructions: 339filewindowsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 240F6C78: FindFirstFileA.KERNEL32(00000000,?,00000000,240F6CD5,?,2413B97C,?,240F6662,00000000,240F66D3,?,?,?,2413B97C), ref: 240F6CAD
Part of subcall function 240F6C78: FindClose.KERNEL32(00000000,00000000,?,00000000,240F6CD5,?,2413B97C,?,240F6662,00000000,240F66D3,?,?,?,2413B97C), ref: 240F6CB8

GetTickCount.KERNEL32 ref: 24100F9B
TranslateMessage.USER32(?), ref: 24100FAC
DispatchMessageA.USER32(?), ref: 24100FB8
GetTickCount.KERNEL32 ref: 24100FBD
Sleep.KERNEL32(00000064,00000000,00000000,00000000,2410155C,?,2410155C,", True),?,Set objFile = objFileSystem.CreateTextFile(",00000000,24101156), ref: 24101003
DeleteFileA.KERNEL32(00000000,00000064,00000000,00000000,00000000,2410155C,?,2410155C,", True),?,Set objFile = objFileSystem.CreateTextFile(",00000000,24101156), ref: 24101011
DeleteFileA.KERNEL32(00000000, / ,?,?,?,?,00000000,00000064,00000000,00000000,00000000,2410155C,?,2410155C,", True),?), ref: 24101126

Part of subcall function 240F66E4: LoadLibraryA.KERNEL32(shell32.dll,ShellExecuteA,?,?,?,?,2412546A,00000000,00000000,2412E32C,2412E184,?,2412E184,?,?,2412E2A0), ref: 240F66FA
Part of subcall function 240F66E4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 240F6700
Part of subcall function 240F66E4: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,?,?,00000000,shell32.dll,ShellExecuteA,?,?,?,?,2412546A,00000000,00000000), ref: 240F6714

Strings

Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter, xrefs: 24100D7F
cscript.exe, xrefs: 24100E4C, 24100EBB, 24100EF4, 24100F63
CountAV = 0, xrefs: 24100D3D
CountAV = CountAV + 1, xrefs: 24100DC1
Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48), xrefs: 24100C9B
CountFW = CountFW + 1, xrefs: 24100D69
For Each objFirewall In colFirewall, xrefs: 24100D53
teste.txt, xrefs: 24100C65
CountFW = 0, xrefs: 24100D27
/ , xrefs: 24101097, 241010EC
For Each objAntiVirus In colAntiVirus, xrefs: 24100DAB
open, xrefs: 24100ED2, 24100F7A
Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48), xrefs: 24100CB1
Next, xrefs: 24100D95, 24100DED
teste.vbs, xrefs: 24100C47
Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter, xrefs: 24100DD7
Enter = Chr(13) + Chr(10), xrefs: 24100D11
Set objFile = objFileSystem.CreateTextFile(", xrefs: 24100CDD
objFile.Close, xrefs: 24100E19
", True), xrefs: 24100CE5
Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter"), xrefs: 24100C85
objFile.WriteLine(Info), xrefs: 24100E03
Set objFileSystem = CreateObject("Scripting.fileSystemObject"), xrefs: 24100CC7

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: File$CountDeleteFindMessageTick$AddressCloseDispatchExecuteFirstLibraryLoadProcShellSleepTranslate
String ID: / $", True)$CountAV = 0$CountAV = CountAV + 1$CountFW = 0$CountFW = CountFW + 1$Enter = Chr(13) + Chr(10)$For Each objAntiVirus In colAntiVirus$For Each objFirewall In colFirewall$Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter$Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter$Next$Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)$Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)$Set objFile = objFileSystem.CreateTextFile("$Set objFileSystem = CreateObject("Scripting.fileSystemObject")$Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")$cscript.exe$objFile.Close$objFile.WriteLine(Info)$open$teste.txt$teste.vbs
API String ID: 1377169233-372987553
Opcode ID: 7a3c73f3fb9775ef94d5530d303705ab4120cdaa3f8c4ecbb0b75225cb7587af
Instruction ID: 3a785a1d8f21faca4d9431be13d338bf17114b2b9585133f4b235daf804e6b8e
Opcode Fuzzy Hash: 7a3c73f3fb9775ef94d5530d303705ab4120cdaa3f8c4ecbb0b75225cb7587af
Instruction Fuzzy Hash: 7CC16070A0011557EB12E7A49CC0B8D76A59FA571CF9294B5E804BB20CCE7DEFC24FA6

Function 24117E60 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 226filepipethreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_00027D20,00000000,00000000,?), ref: 24117EC0
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 24117EF2
CreatePipe.KERNEL32(?,?,0000000C,00000000,?,?,0000000C,00000000), ref: 24117F08
GetStartupInfoA.KERNEL32(?), ref: 24117F14
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000105,?,?,0000000C,00000000,?,?,0000000C,00000000), ref: 24117F58
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000010,00000000,00000000,?,?,COMSPEC,?,00000105,?,?,0000000C), ref: 24117F80
CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,000000FF,00000010,00000000,00000000,?,?,COMSPEC,?,00000105,?,?), ref: 24117F89
CloseHandle.KERNEL32(?,?,00000000,?,00000000,00000000,000000FF,00000010,00000000,00000000,?,?,COMSPEC,?,00000105,?), ref: 24117F92
SetNamedPipeHandleState.KERNEL32(?,00000001,00000000,00000000,?,?,00000000,?,00000000,00000000,000000FF,00000010,00000000,00000000,?,?), ref: 24117FAA
Sleep.KERNEL32(0000000A,?,00000001,00000000,00000000,?,?,00000000,?,00000000,00000000,000000FF,00000010,00000000,00000000,?), ref: 24117FB1
GetExitCodeProcess.KERNEL32(?,?), ref: 24117FC1
ReadFile.KERNEL32(?,?,00001000,?,00000000,0000000A,?,00000001,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 24117FEA
CreateThread.KERNEL32(00000000,00000000,Function_00027D20,00000000,00000000,?), ref: 2411806B
WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,00001000,?,00000000,0000000A,?,00000001,00000000,00000000,?), ref: 241180B6
WriteFile.KERNEL32(?,241181C8,00000002,?,00000000,?,00000000,00000000,?,00000000,?,?,00001000,?,00000000,0000000A), ref: 241180CC
GetExitCodeProcess.KERNEL32(?,00000103), ref: 241180E8
TerminateProcess.KERNEL32(?,00000000,?,00000103,0000000A,?,00000001,00000000,00000000,?,?,00000000,?,00000000,00000000,000000FF), ref: 241180FF
CloseHandle.KERNEL32(?,?,00000103,0000000A,?,00000001,00000000,00000000,?,?,00000000,?,00000000,00000000,000000FF,00000010), ref: 24118108
CloseHandle.KERNEL32(?,?,?,00000103,0000000A,?,00000001,00000000,00000000,?,?,00000000,?,00000000,00000000,000000FF), ref: 24118111

Strings

shellresposta|shellativar|, xrefs: 24117EA5
shellresposta|shelldesativar|, xrefs: 24118119
COMSPEC, xrefs: 24117F53
shellresposta|shellresposta|, xrefs: 24118035

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: CreateHandle$CloseProcess$FilePipe$CodeExitThreadWrite$EnvironmentInfoNamedReadSleepStartupStateTerminateVariable
String ID: COMSPEC$shellresposta|shellativar|$shellresposta|shelldesativar|$shellresposta|shellresposta|
API String ID: 3902820650-3990598949
Opcode ID: 587a1e72be56dc420f5a34bff8531f0caa7e82aedb30fa3364d9fd4cfa11a8fd
Instruction ID: decd18bbfb940dcff5daa9fa6213fc729e0ef01f4d309f5884a41f6e17ae560f
Opcode Fuzzy Hash: 587a1e72be56dc420f5a34bff8531f0caa7e82aedb30fa3364d9fd4cfa11a8fd
Instruction Fuzzy Hash: E7810171900608AFEB50DBA4CC91FDEB7BCBB18714F5144B1E648F6284DF74AB858B61

Function 24135240 Relevance: 31.9, APIs: 11, Strings: 7, Instructions: 403registrysleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388,00000000,241357B3,?,?,?,?,00000000,00000000), ref: 2413527E

Part of subcall function 240F6858: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 240F689E
Part of subcall function 240F6858: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,00000000,00000000,240F68FD,?,?,?), ref: 240F68C6
Part of subcall function 240F6858: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,00000000,00000000,240F68FD,?,?,?), ref: 240F68D5

RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,?,00000000,00001388,00000000,241357B3,?,?,?,?,00000000,00000000), ref: 241355C0
RegDeleteKeyA.ADVAPI32(?,00000000), ref: 241355D6
RegCloseKey.ADVAPI32(?,?,00000000,80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,?,00000000,00001388,00000000,241357B3), ref: 241355DF
GetLastError.KERNEL32(00000000,00000000,00000000,00001388,00000000,241357B3,?,?,?,?,00000000,00000000), ref: 24135613
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00001388,00000000,241357B3,?,?,?,?,00000000,00000000), ref: 24135620
CloseHandle.KERNEL32(000003BC,00000000,00000000,00000000,00000000,00001388,00000000,241357B3,?,?,?,?,00000000,00000000), ref: 2413562D

Part of subcall function 240F70B8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,240F7197,?,?,Desktop), ref: 240F710D
Part of subcall function 240F70B8: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,24102AE0,80000001,00000000,00000000,00000001,?,00000000,240F7197,?,?,Desktop), ref: 240F7131
Part of subcall function 240F70B8: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,24102AE0,?,00000000,00000000,?,00000000,24102AE0,80000001,00000000,00000000,00000001), ref: 240F715B
Part of subcall function 240F70B8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,24102AE0,80000001,00000000,00000000,00000001,?,00000000,240F7197,?,?), ref: 240F716F

CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00001388,00000000,241357B3,?,?,?,?,00000000,00000000), ref: 24135638
GetLastError.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001388,00000000,241357B3,?,?,?,?,00000000,00000000), ref: 2413574D
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001388,00000000,241357B3,?,?,?,?,00000000), ref: 2413575A
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001388,00000000,241357B3,?,?,?,?,00000000), ref: 24135765

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, xrefs: 241353E8, 24135439, 2413546F, 241354C0
Software\Microsoft\Active Setup\Installed Components\, xrefs: 241355B6
_SAIR, xrefs: 241355F2
StubPath, xrefs: 241354EF, 24135559
open, xrefs: 2413577C
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 241352B4, 2413530A, 24135353, 241353A9
Software\Microsoft\Active Setup\Installed Components\, xrefs: 24135508, 2413556A

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Close$Handle$Value$ErrorLastOpenQuery$CreateDeleteSleep
String ID: Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run$Software\Microsoft\Windows\CurrentVersion\Run$StubPath$_SAIR$open
API String ID: 3574299486-1043091203
Opcode ID: 19e503f8060c018566cda9548b12043d2f8011c51ee8e0770e0b7d12e668a7e8
Instruction ID: 8fba1103338802b7b71cce35b2f317a0f3f1042f7038b56d353022a6a19a7f9f
Opcode Fuzzy Hash: 19e503f8060c018566cda9548b12043d2f8011c51ee8e0770e0b7d12e668a7e8
Instruction Fuzzy Hash: 33F10B71A00158DBEB00EBA8CCC0E8EB7F6BF55658F5141B5E404EB268DE78EE85CB51

Function 2410B7D0 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 300registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000004,?,?,?,00000000,2410BB82,?,?,00000004,00000000,00000000), ref: 2410B8BD
RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 2410B8D3
RegCloseKey.ADVAPI32(?,?,00000000,?,00000000,00000000,00000000,00000004,?,?,?,00000000,2410BB82,?,?,00000004), ref: 2410B8E1
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000002,?,?,?,00000000,2410BB82,?,?,00000004,00000000,00000000), ref: 2410B905
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000002,?,?,?,00000000,2410BB82), ref: 2410B944
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,?,00000000), ref: 2410BA2C
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000004,?,00000004,00000000,00000000,00000000,00000002,?,?,?,00000000,2410BB82), ref: 2410BA67
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000007,00000000,00000000,00000000,00000000,00000000,00000002,?,?,?,00000000,2410BB82), ref: 2410BB28
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000002,?,?,?,00000000,2410BB82,?,?,00000004,00000000,00000000), ref: 2410BB36

Strings

clave, xrefs: 2410B897
REG_MULTI_SZ, xrefs: 2410BA74
REG_BINARY, xrefs: 2410B951
REG_DWORD, xrefs: 2410BA39
REG_SZ, xrefs: 2410B915

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Value$CloseOpen$Create
String ID: REG_BINARY$REG_DWORD$REG_MULTI_SZ$REG_SZ$clave
API String ID: 2929978649-1504967743
Opcode ID: 54d7ddee6303811a1146c2e0067109d0ae0c1b507f6afbcccafabace9bbdb27a
Instruction ID: 8314db524c380c1ebd86cc399062801e7f743f6e0099773f647f46c7368235be
Opcode Fuzzy Hash: 54d7ddee6303811a1146c2e0067109d0ae0c1b507f6afbcccafabace9bbdb27a
Instruction Fuzzy Hash: 51B1F471A00109AFEB00DBE4CD80ADEB7B9BF64618F519075E914F7258EE78EF858750

Function 2410AD24 Relevance: 24.8, APIs: 4, Strings: 10, Instructions: 273registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,?,00000000,?,00000000,00000001,?,00000000,2410B104), ref: 2410ADF4
RegEnumValueA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,00000001,?,00000000), ref: 2410AE34
RegEnumValueA.ADVAPI32(?,?,00000000,00003FFF,00000000,?,00000000,00003FFF,?,?,00000000,?,00000000,?,00000000,?), ref: 2410AE72

Strings

(Empty), xrefs: 2410AEEE
REG_SZ, xrefs: 2410B054
(Default), xrefs: 2410AF9F
REG_EXPAND_SZ, xrefs: 2410B018
REG_DWORD, xrefs: 2410AFFA
REG_BINARY, xrefs: 2410AFEB
REG_LINK, xrefs: 2410B027
REG_DWORD_BIG_ENDIAN, xrefs: 2410B009
REG_MULTI_SZ, xrefs: 2410B036
REG_NONE, xrefs: 2410B045

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: EnumValue$Open
String ID: (Default)$(Empty)$REG_BINARY$REG_DWORD$REG_DWORD_BIG_ENDIAN$REG_EXPAND_SZ$REG_LINK$REG_MULTI_SZ$REG_NONE$REG_SZ
API String ID: 1214633557-2843546354
Opcode ID: 3ef722f1b83aeb0dcaf2e9d6cf05dd44c4d3ada440fc931d25a67431c5163a7b
Instruction ID: 8ce92a4293ee61af877fb662a9439840848c280d1ea63579cf8f36cd0f3c58fe
Opcode Fuzzy Hash: 3ef722f1b83aeb0dcaf2e9d6cf05dd44c4d3ada440fc931d25a67431c5163a7b
Instruction Fuzzy Hash: CAB1F970A002199BEB11DB94D8C0AEEB7F9FF68314F5190B5E904B7248DB74AB858F61

Function 24103DDC Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 183COMMON

Download Yara Rule

Strings

BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 24103EB3
BTMemoryLoadLibary: dll dos header is not valid, xrefs: 24103E1F
BTMemoryLoadLibary: Can't attach library, xrefs: 24103FCD
MZ, xrefs: 24103E12
BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 24103E5C
BTMemoryLoadLibary: BuildImportTable failed, xrefs: 24103F7F
PE, xrefs: 24103E4B
BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 24103FAD

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID:
String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE
API String ID: 0-3631919656
Opcode ID: d05bbb86e32e34a24f152bd59349a6f18370b506eaf92b5aaa4ed9055e37f9fa
Instruction ID: d7a9d60fd9e2c3149896545fedaadedc5e74e86f341c7345cee66e105eb3df73
Opcode Fuzzy Hash: d05bbb86e32e34a24f152bd59349a6f18370b506eaf92b5aaa4ed9055e37f9fa
Instruction Fuzzy Hash: 17518371B04208AFE710DBA9CCD0F9DBBF4AF59714F1180A5E904FB359DA70EA418B54

Function 24135928 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 116fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 2413599E

Strings

shell\Open\Default=1, xrefs: 24135A1A
shellexecute=, xrefs: 241359C4
RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\, xrefs: 2413595E, 241359C9, 24135A03
shell\Open\command=, xrefs: 241359FE
RECYCLER\, xrefs: 24135A6C
autorun.inf, xrefs: 24135A38, 24135A54
icon=shell32.dll,4, xrefs: 241359BA
action=Open folder to view files, xrefs: 241359EA
[autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\, xrefs: 241359A3
label=PENDRIVE, xrefs: 241359E0
shell\Open=Open, xrefs: 241359F4

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: CopyFile
String ID: RECYCLER\$RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$[autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$action=Open folder to view files$autorun.inf$icon=shell32.dll,4$label=PENDRIVE$shell\Open=Open$shell\Open\Default=1$shell\Open\command=$shellexecute=
API String ID: 1304948518-631342129
Opcode ID: 8727e34b2fce1204b6779d98cc7fdbb148fd5f9c0f4fbb796866d13350d56420
Instruction ID: 27f4fa99a2c5ebd9d348a2b35c616ea1257348719b550c87453774ac7d82e0a8
Opcode Fuzzy Hash: 8727e34b2fce1204b6779d98cc7fdbb148fd5f9c0f4fbb796866d13350d56420
Instruction Fuzzy Hash: 8741C930A00109ABDB00EBA5DCD0D9DBBB6EF59A18FA245A4E401BB25DCF74AF458F54

Function 2413412C Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 58libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,GetModuleHandleA), ref: 24134145
GetProcAddress.KERNEL32(00000000,kernel32), ref: 2413414B
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 2413415E
GetProcAddress.KERNEL32(00000000,kernel32), ref: 24134164
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 24134177
GetProcAddress.KERNEL32(00000000,kernel32), ref: 2413417D

Part of subcall function 24133EC0: VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,24133F3E,?,?,?,?,00000000,00000000,00000000), ref: 24133EFC
Part of subcall function 24133EC0: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,24133F3E), ref: 24133F1E

Part of subcall function 24133F80: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 24133FBE
Part of subcall function 24133F80: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000,00000000,?), ref: 24133FCE
Part of subcall function 24133F80: ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF,?,00000000,00000000,00000000,00000000,00000000,?), ref: 24133FE1

WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 241341BD
GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 241341C4

Strings

GetProcAddress, xrefs: 24134154
kernel32, xrefs: 24134140, 24134159, 24134172
GetModuleHandleA, xrefs: 2413413B
ExitThread, xrefs: 2413416D

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc$MemoryObjectProcessSingleThreadWait$AllocCodeCreateExitReadRemoteVirtualWrite
String ID: ExitThread$GetModuleHandleA$GetProcAddress$kernel32
API String ID: 3826234517-3123223305
Opcode ID: 3d107cd32fcdff0593348af6593c25d1f67eef5fa3bd4022c16f38065528386a
Instruction ID: 21620f528f8cdbf54650fbbeee3739b764d18337792c9afa592608aa5c3ea906
Opcode Fuzzy Hash: 3d107cd32fcdff0593348af6593c25d1f67eef5fa3bd4022c16f38065528386a
Instruction Fuzzy Hash: A201C46070431427E320AEBA4CD1E1F7E889FB1114F824938F954A728ADE74EE444795

Function 24102638 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 121fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,.txt,2.6,Spy-Net ,241027EC,?,00000000,241027C7,?,?), ref: 241026C4
CloseHandle.KERNEL32(00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,.txt,2.6,Spy-Net ,241027EC,?,00000000,241027C7), ref: 241026CC
CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000003,00000000,00000000,24102850,24102850,?,2410285C,24102850,00000000,24102844,00000000,24102844), ref: 24102768
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000,00000000,24102850,24102850,?,2410285C,24102850), ref: 2410277B
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000,00000000), ref: 24102799
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000), ref: 2410279F

Strings

Spy-Net , xrefs: 24102684
2.6, xrefs: 24102689
--- , xrefs: 241026FC
Desktop, xrefs: 24102672
.txt, xrefs: 2410268E

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandle$PointerWrite
String ID: --- $.txt$2.6$Desktop$Spy-Net
API String ID: 2606874340-3792867649
Opcode ID: 78822adaa20c4a73af220ef3d7a9e6702b4d79599abc689e2c1cab7ecb13354f
Instruction ID: 09e3e387e1077ba1c077768e28705996eb932e64f2996161dc583e4c488c3a60
Opcode Fuzzy Hash: 78822adaa20c4a73af220ef3d7a9e6702b4d79599abc689e2c1cab7ecb13354f
Instruction Fuzzy Hash: 6E419530940208BBFB15D7A0CCD1FEE77B8EB68714F529471FA00BA099DE74AF858A14

Function 24132F20 Relevance: 18.3, APIs: 12, Instructions: 346fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 24132F9F
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,2413337E,?,00000000,241333AD,?,?,?,?,00000011,00000000), ref: 24132FFE
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,2413337E,?,00000000,241333AD,?,?,?,?,00000011,00000000), ref: 241330A7
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 241330F1
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,2413337E,?,00000000,241333AD,?,?,?,?,00000011,00000000), ref: 24133150
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 2413319A
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,2413337E,?,00000000,241333AD,?,?,?,?,00000011,00000000), ref: 241331F9
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 24133243
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,2413337E,?,00000000,241333AD,?,?,?,?,00000011,00000000), ref: 241332A2
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 241332F2
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 24133048

Part of subcall function 240F6C78: FindFirstFileA.KERNEL32(00000000,?,00000000,240F6CD5,?,2413B97C,?,240F6662,00000000,240F66D3,?,?,?,2413B97C), ref: 240F6CAD
Part of subcall function 240F6C78: FindClose.KERNEL32(00000000,00000000,?,00000000,240F6CD5,?,2413B97C,?,240F6662,00000000,240F66D3,?,?,?,2413B97C), ref: 240F6CB8

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,2413337E,?,00000000,241333AD,?,?,?,?,00000011,00000000), ref: 2413336F

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: File$AttributesCopy$Find$CloseFirst
String ID:
API String ID: 1833752699-0
Opcode ID: 3a92fd7bcce21e5fcb3224dedd65d1fb5dcd1ab4c70876be3e45c859901b5ca8
Instruction ID: b03e173020bb745d83b5d990b79a6150cc7f8403096e7295f095b9fd6bbc984f
Opcode Fuzzy Hash: 3a92fd7bcce21e5fcb3224dedd65d1fb5dcd1ab4c70876be3e45c859901b5ca8
Instruction Fuzzy Hash: 87D10731A0029C9FEB50EBA4DD81ECDBBB9BF64614F124971E404EB118DF74AF868B54

Function 24117464 Relevance: 18.1, APIs: 12, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 24117471
GetDC.USER32(00000000), ref: 24117479
CreateCompatibleDC.GDI32(00000000), ref: 24117481
GetClientRect.USER32(00000000,?), ref: 24117492
GetDeviceCaps.GDI32(00000000,00000008), ref: 241174B0
GetDeviceCaps.GDI32(00000000,0000000A), ref: 241174BA
CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 241174CA
SelectObject.GDI32(00000000,00000000), ref: 241174D7
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CC0020), ref: 241174F5
SelectObject.GDI32(00000000,0000000A), ref: 24117500
DeleteDC.GDI32(00000000), ref: 24117506
ReleaseDC.USER32(00000000,00000000), ref: 2411750D

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: CapsCompatibleCreateDeviceObjectSelect$BitmapClientDeleteDesktopRectReleaseWindow
String ID:
API String ID: 337914687-0
Opcode ID: f1b76e16a75b4e8c41da1ba234a25fc9606e6697ddba96ae8bac77b0f0e9eb6f
Instruction ID: 93c17b19677ea8884ed82218fd984536cc18c4bd36585ffa8a6101b09aacf749
Opcode Fuzzy Hash: f1b76e16a75b4e8c41da1ba234a25fc9606e6697ddba96ae8bac77b0f0e9eb6f
Instruction Fuzzy Hash: 641181711447057FE320ABA8CC80F7F7AECEF92654F424A38F984A7246DE30A9404772

Function 2411B9E4 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 168registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,?,00000000,?,00000000,00000008,?,00000000,2411BC14,?,?,?,?,00000000,00000000), ref: 2411BA83
RegEnumKeyExA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,00000008,?,00000000), ref: 2411BBDB
RegCloseKey.ADVAPI32(?,?,00000000,00000000,000000FF,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,00000008,?), ref: 2411BBEC

Strings

QuietUninstallString, xrefs: 2411BB14
DisplayName, xrefs: 2411BAC0
YYY, xrefs: 2411BB4E
##@@, xrefs: 2411BB2D, 2411BB49, 2411BB53, 2411BB76, 2411BB80, 2411BB9F, 2411BBA9
NNN, xrefs: 2411BB7B, 2411BBA4
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 2411BAB0, 2411BADA, 2411BB04
UninstallString, xrefs: 2411BAEA

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: ##@@$DisplayName$NNN$QuietUninstallString$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$UninstallString$YYY
API String ID: 1332880857-2804227269
Opcode ID: f0246bff8d63bab93cccc5eabc9a50c7b1d3701b96bfc158b6b290078a9b72ef
Instruction ID: 3514ccc0901e60d866f1b2ab1b1eaaa39501a319980d2a51355e8db5703e9987
Opcode Fuzzy Hash: f0246bff8d63bab93cccc5eabc9a50c7b1d3701b96bfc158b6b290078a9b72ef
Instruction Fuzzy Hash: 23512E30A00149ABEB00DBA9CDD0FDEB7B9BF68218F524075E518B7298DE789F45CB51

Function 241172D8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 241172F4
GlobalAlloc.KERNEL32(00000000,?), ref: 241173B2
GlobalLock.KERNEL32(00000000), ref: 241173C2
GetDC.USER32(00000000), ref: 241173CD
GetDIBits.GDI32(?,?,00000000,?,?,00000000,00000000), ref: 241173EF
ReleaseDC.USER32(00000000,?), ref: 24117432
GlobalUnlock.KERNEL32(00000000), ref: 24117438
GlobalFree.KERNEL32(00000000), ref: 2411743E
DeleteObject.GDI32(?), ref: 24117452

Strings

BM, xrefs: 241173A4

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Global$Object$AllocBitsDeleteFreeLockReleaseUnlock
String ID: BM
API String ID: 668871282-2348483157
Opcode ID: 7239cca198844cb54eff92d7bf05901ef6670e854347018845be8973e6573da8
Instruction ID: b1af74f2699bd09656ccb1cf9345d97af69707c0a5b62beef28a91a5f5d417c3
Opcode Fuzzy Hash: 7239cca198844cb54eff92d7bf05901ef6670e854347018845be8973e6573da8
Instruction Fuzzy Hash: 48415A716087019FE344DF69C880A5FBBE9EF98304F058939F9988B365EB70D9458B92

Function 241335C4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

GetSecurityInfo.ADVAPI32(00000000,00000006,00000004,00000000,00000000,00000000,00000000), ref: 241335E5
LocalFree.KERNEL32(?,00000000,00000006,00000004,00000000,00000000,00000000,00000000), ref: 241335FA
LocalFree.KERNEL32(00000000,00000000,00000006,00000004,00000000,00000000,00000000,00000000), ref: 2413360B
SetEntriesInAclA.ADVAPI32(00000001,00000000,00000000,?), ref: 24133651
LocalFree.KERNEL32(?,00000000,00000006,00000004,00000000,00000000), ref: 24133666
LocalFree.KERNEL32(00000000,00000000,00000006,00000004,00000000,00000000), ref: 24133677
SetSecurityInfo.ADVAPI32(00000000,00000006,00000004,00000000,00000000,00000002,00000000,00000000,00000006,00000004,00000000,00000000), ref: 2413368C
LocalFree.KERNEL32(?,00000000,00000006,00000004,00000000,00000000,00000002,00000000,00000000,00000006,00000004,00000000,00000000), ref: 241336A1
LocalFree.KERNEL32(00000000,00000000,00000006,00000004,00000000,00000000,00000002,00000000,00000000,00000006,00000004,00000000,00000000), ref: 241336B2

Strings

CURRENT_USER, xrefs: 2413363B

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: FreeLocal$InfoSecurity$Entries
String ID: CURRENT_USER
API String ID: 3140748100-382982459
Opcode ID: 78b3ad13c6273b4630525833365623b4a906c0bcfa728375a3912d8b01a19b38
Instruction ID: 44dfcf215874cccc62ef7c0ed617e7507759b9aca8ed44f262b1fe7120887a0a
Opcode Fuzzy Hash: 78b3ad13c6273b4630525833365623b4a906c0bcfa728375a3912d8b01a19b38
Instruction Fuzzy Hash: A23101B0608304AFE711DF64CC85B9B7BD8AB94744F008869F684C7295D7B5DA84CB67

Function 2410E9EC Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 146COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000,00000000,2410EBCE), ref: 2410EA5D

Strings

GetMSNStatus, xrefs: 2410EB37
SetMSNStatus, xrefs: 2410EB27
Mozilla3_5Password, xrefs: 2410EB07
EnviarStream, xrefs: 2410EB77
GetContactList, xrefs: 2410EB17
GetCurrentMSNSettings, xrefs: 2410EB47
StartHttpProxy, xrefs: 2410EB67
GetChromePass, xrefs: 2410EB57

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: EnviarStream$GetChromePass$GetContactList$GetCurrentMSNSettings$GetMSNStatus$Mozilla3_5Password$SetMSNStatus$StartHttpProxy
API String ID: 621844428-2405909186
Opcode ID: 4d99dc32f47aa2bb2f12483a4655e7d38ec9fb567f68e734061c0df9688d2d2c
Instruction ID: ea66e061aba04361e68079239fbd75fdba2c9d01ddbdd9cd3932bdd17acd7de6
Opcode Fuzzy Hash: 4d99dc32f47aa2bb2f12483a4655e7d38ec9fb567f68e734061c0df9688d2d2c
Instruction Fuzzy Hash: 1551A471A04209EFE701DF66CCD1AAEBBF8FB55214B43D075E814F6204EB789B418B95

Function 2411D600 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 132libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 2411D15C: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00000001,?,00000000,2411D228), ref: 2411D194
Part of subcall function 2411D15C: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001,?,00000000,2411D228), ref: 2411D1B8
Part of subcall function 2411D15C: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001), ref: 2411D1E2
Part of subcall function 2411D15C: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 2411D1FC

LoadLibraryA.KERNEL32(00000000,SteamDecryptDataForThisMachine,?,00000000,?,?,00000000,2411D7AC,?,00000000,2411D7D9,?,?,?,?,00000000), ref: 2411D75A
GetProcAddress.KERNEL32(00000000,00000000), ref: 2411D760

Strings

/ClientRegistry.Blob, xrefs: 2411D65D
Phrase, xrefs: 2411D6F0
SteamPath, xrefs: 2411D639
SteamDecryptDataForThisMachine, xrefs: 2411D739
\steam.dll, xrefs: 2411D741
\ClientRegistry.blob, xrefs: 2411D68B
Software\Valve\Steam\, xrefs: 2411D63E

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: QueryValue$AddressCloseLibraryLoadOpenProc
String ID: /ClientRegistry.Blob$Phrase$Software\Valve\Steam\$SteamDecryptDataForThisMachine$SteamPath$\ClientRegistry.blob$\steam.dll
API String ID: 2859330212-1198945235
Opcode ID: d3d585771ce96164ff2e908c7199eb263af1078e405f13ca4a554f2da80f4e53
Instruction ID: dc5459f8b1ed535dbcc9966f4b4522088c56f732161ecb14c6e5ef4585279a8c
Opcode Fuzzy Hash: d3d585771ce96164ff2e908c7199eb263af1078e405f13ca4a554f2da80f4e53
Instruction Fuzzy Hash: 264183727082049FE704DF69D8D095EFBA9EB58354B5240B5F804F7348EA78EE81CB58

Function 2410158C Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 131libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 241015AB
GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 241015BC
FreeLibrary.KERNEL32(00000000,00000000,GlobalMemoryStatusEx,kernel32.dll), ref: 241015C6

Strings

kernel32.dll, xrefs: 241015A6
GlobalMemoryStatusEx, xrefs: 241015B6
@, xrefs: 241015E7
, xrefs: 241016BC

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: $@$GlobalMemoryStatusEx$kernel32.dll
API String ID: 145871493-802862622
Opcode ID: 7ec2693c1a71313d8b8fa56188ef193370d9429ec34e7c254d64a69b2304aa94
Instruction ID: 527c266e3d8a25cc564cebfdacd23d9a1300b764176a60f4c7634abd75d7d131
Opcode Fuzzy Hash: 7ec2693c1a71313d8b8fa56188ef193370d9429ec34e7c254d64a69b2304aa94
Instruction Fuzzy Hash: E5519774A08301AF9341CF2AC880A0BBBE1AFC8764F55D96DF8A8C7354E739D9418F52

Function 240F180C Relevance: 15.1, APIs: 10, Instructions: 129fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 240F1894
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 240F18B8
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 240F18D4
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 240F18F5
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 240F191E
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 240F192C
GetStdHandle.KERNEL32(000000F5), ref: 240F1967
GetFileType.KERNEL32(?,000000F5), ref: 240F197D
CloseHandle.KERNEL32(?,?,000000F5), ref: 240F1998
GetLastError.KERNEL32(000000F5), ref: 240F19B0

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 9c8645bdce33a65cdf9198f78138e9363998eaec938cc069b47d231b9e783e1e
Instruction ID: 4f651fe4297a0d055572b2e1de19f1e7b8df9f01040d10097d8ea164f88810d7
Opcode Fuzzy Hash: 9c8645bdce33a65cdf9198f78138e9363998eaec938cc069b47d231b9e783e1e
Instruction Fuzzy Hash: 9641D4305087019AF7238F20CD00B667AE5EF40754F228E3DD5DA8E9DCEE659DC18792

Function 2411DC10 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 2411DC3D
GetWindow.USER32(00000000,00000005), ref: 2411DC45
GetClassNameA.USER32(00000000,?,00000080), ref: 2411DC5D
GetWindow.USER32(00000000,00000002), ref: 2411DCAE

Part of subcall function 240F5948: CharUpperA.USER32(?,00000000,240F59BD,?,241432F8,24143310,00000008,?,?,24131C03,00000010,00000000,24131D9B,?,24143304,2414330C), ref: 240F5986

ShowWindow.USER32(00000000,00000001,Shell_TrayWnd,00000000,00000000,2411DCDA), ref: 2411DC9C
ShowWindow.USER32(00000000,00000000,Shell_TrayWnd,00000000,00000000,2411DCDA), ref: 2411DCA6

Strings

BUTTON, xrefs: 2411DC88
Shell_TrayWnd, xrefs: 2411DC38

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Window$Show$CharClassFindNameUpper
String ID: BUTTON$Shell_TrayWnd
API String ID: 1958926019-3627955571
Opcode ID: 81960d50aa4d618749c8099aa868a476b77773b21e2b3cc9a366c27739985873
Instruction ID: 48a599d920d892ac2a4cec61c662c0eb93d3b53c08006d49b5d69082e1204558
Opcode Fuzzy Hash: 81960d50aa4d618749c8099aa868a476b77773b21e2b3cc9a366c27739985873
Instruction Fuzzy Hash: 3011E6309006286BE732D761CD91FCD7668AF55314F8388F4E908F2185EEB4BF854B95

Function 24134028 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,241340C6), ref: 24134057
GetProcAddress.KERNEL32(00000000,kernel32), ref: 2413405D
GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,kernel32,Sleep,00000000,241340C6), ref: 2413406F
GetProcAddress.KERNEL32(00000000,kernel32), ref: 24134075

Part of subcall function 24133EC0: VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,24133F3E,?,?,?,?,00000000,00000000,00000000), ref: 24133EFC
Part of subcall function 24133EC0: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,24133F3E), ref: 24133F1E

Part of subcall function 24133F80: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 24133FBE
Part of subcall function 24133F80: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000,00000000,?), ref: 24133FCE
Part of subcall function 24133F80: ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF,?,00000000,00000000,00000000,00000000,00000000,?), ref: 24133FE1

CloseHandle.KERNEL32(00000000,00000000,kernel32,LoadLibraryA,00000000,kernel32,Sleep,00000000,241340C6), ref: 241340A9

Strings

Sleep, xrefs: 2413404D
LoadLibraryA, xrefs: 24134065
kernel32, xrefs: 24134052, 2413406A

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Handle$AddressMemoryModuleProcProcess$AllocCloseCreateObjectReadRemoteSingleThreadVirtualWaitWrite
String ID: LoadLibraryA$Sleep$kernel32
API String ID: 3487503967-1813742806
Opcode ID: 8abe58aae467ca840bafb4dd5acd9d7b4aa57ddce9e3b311ea94dfb92e41ab68
Instruction ID: 2345b90ac93eaa336d49e0c5f1db0c0a9f2632d41a7074ea9a8f570604afd6dd
Opcode Fuzzy Hash: 8abe58aae467ca840bafb4dd5acd9d7b4aa57ddce9e3b311ea94dfb92e41ab68
Instruction Fuzzy Hash: B6019670B04604BFEB20EFB58CD1F9E7EA8AF54254B924475E800E7249DE749F448A59

Function 2410BDD4 Relevance: 13.6, APIs: 9, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32(?,00000000,00000000,00000200,00000000,?,?,00002000,00000000,2410BF43,?,00000000,2410BF60), ref: 2410BE4E
RegSetValueExA.ADVAPI32(?,00000000,00000000,?,?,00002000,?,00000000,00000000,00000200,00000000,?,?,00002000,00000000,2410BF43), ref: 2410BE74
RegDeleteValueA.ADVAPI32(?,00000000,?,00000000,00000000,?,?,00002000,?,00000000,00000000,00000200,00000000,?,?,00002000), ref: 2410BE85
RegEnumKeyExA.ADVAPI32(?,00000000,00000000,00000200,00000000,?,00002000,00000000,?,00000000,00000000,00000200,00000000,?,?,00002000), ref: 2410BEB9
RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 2410BED5
RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 2410BEEE
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,?,?,00000000,00000000,00000200,00000000,?,00002000,00000000), ref: 2410BF08
RegDeleteKeyA.ADVAPI32(?,00000000), ref: 2410BF17
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,?,?,00000000,00000000,00000200,00000000,?,00002000,00000000), ref: 2410BF20

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Value$CloseCreateDeleteEnum
String ID:
API String ID: 925550085-0
Opcode ID: e82c8c10248cd29e259fc3c1cd749b3032d90ff585ed922bf698f8883ca543c7
Instruction ID: 0e4177308dd4ee5a179a1e11a9db0e6db4c0679373d0d1351749842ee1eb94ea
Opcode Fuzzy Hash: e82c8c10248cd29e259fc3c1cd749b3032d90ff585ed922bf698f8883ca543c7
Instruction Fuzzy Hash: 8341E0B1A002096FEB01DBD5CD81EEFB7FDEB69604F414074EA10E7244DB78AA458B60

Function 24103A08 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 149libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,?,00000001,00000000,24103BD1,?,00000000,?,00000000,?,24103F76,?,00004550,00004550,?,00000000), ref: 24103A62
IsBadReadPtr.KERNEL32(?,00000014), ref: 24103BA2

Strings

BuildImportTable: can't load library: , xrefs: 24103A8E
BuildImportTable: ReallocMemory failed, xrefs: 24103AD6
BuildImportTable: GetProcAddress failed, xrefs: 24103B7D

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: LibraryLoadRead
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
API String ID: 1452896035-1384308123
Opcode ID: 416a70612c42c73dbe90b79ee500e265aab13493176230192c7359575393da95
Instruction ID: fbc7f864d8c61e367f3dd7af349c9300ab23ee8f1ba1daa8c2a763e98070ee7a
Opcode Fuzzy Hash: 416a70612c42c73dbe90b79ee500e265aab13493176230192c7359575393da95
Instruction Fuzzy Hash: 82514C70A0821DAFDB10CFA8C8C0B9DB7B4BF09318F41D5A6D814E7345DBB4EA858B94

Function 2410DD70 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 2410DDB0
inet_addr.WS2_32(00000000), ref: 2410DDCF
WSACleanup.WS2_32 ref: 2410DDDD

Strings

localhost, xrefs: 2410DD98
127.0.0.1, xrefs: 2410DD8A

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: CleanupStartupinet_addr
String ID: 127.0.0.1$localhost
API String ID: 4189620951-2339935011
Opcode ID: c9451c2bed2c3ec085d2ea5efc2c3726fdafa79b62e3b9d1f5235f642661c02d
Instruction ID: 28441754119c733f03daa2935cfc0bdad21d7f101c02a91a8fbb5fd91619011f
Opcode Fuzzy Hash: c9451c2bed2c3ec085d2ea5efc2c3726fdafa79b62e3b9d1f5235f642661c02d
Instruction Fuzzy Hash: 1F1149317142046BF740ABFC4CE09EA72DC9F68624B42E5B6EE04D7289EEB6CF514691

Function 240F14F4 Relevance: 11.4, APIs: 9, Instructions: 109COMMON

Download Yara Rule

APIs

CharNextA.USER32(00000000,?,00000000,00000000,?,240F1626,?,?,2413B97C,24134C34,00000000,24134C9D,?,?,00000000,00000000), ref: 240F152B
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,240F1626,?,?,2413B97C,24134C34,00000000,24134C9D,?,?,00000000), ref: 240F1535
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,240F1626,?,?,2413B97C,24134C34,00000000,24134C9D,?,?,00000000), ref: 240F1552
CharNextA.USER32(00000000,?,00000000,00000000,?,240F1626,?,?,2413B97C,24134C34,00000000,24134C9D,?,?,00000000,00000000), ref: 240F155C
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,240F1626,?,?,2413B97C,24134C34,00000000,24134C9D,?,?,00000000), ref: 240F1585
CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,240F1626,?,?,2413B97C,24134C34,00000000,24134C9D), ref: 240F158F
CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,240F1626,?,?,2413B97C,24134C34,00000000,24134C9D), ref: 240F15B3
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,240F1626,?,?,2413B97C,24134C34,00000000,24134C9D,?,?,00000000), ref: 240F15BD

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 53bc9808c7aaaf10bef2a0b4c7be660ee445fb4df034681d114db59d401db64d
Instruction ID: 5cb70370d5e4b9d116f1b296ec62d6b95c73f6925901a5bc65ab3e8d59a03610
Opcode Fuzzy Hash: 53bc9808c7aaaf10bef2a0b4c7be660ee445fb4df034681d114db59d401db64d
Instruction Fuzzy Hash: DE212288B483C19AEB2339F86CC07497BCA4B5A848B5714B4C583CF20BDC64ACC68366

Function 2411C858 Relevance: 10.6, APIs: 7, Instructions: 89serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,2411C93E), ref: 2411C89D
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,2411C93E), ref: 2411C8CD
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,2411C93E), ref: 2411C8F5
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,2411C93E), ref: 2411C903
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,2411C93E), ref: 2411C90D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,2411C93E), ref: 2411C913
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,2411C93E), ref: 2411C919

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$ControlManagerQueryStartStatus
String ID:
API String ID: 1698138069-0
Opcode ID: dcc2cef72e683e7149f28ba273d574b800220e370ec5634c56bab518f9faca29
Instruction ID: 4bf5768489b506f3682925d22a21971a3e0dfb2f84982b8c2831e091a5a0863e
Opcode Fuzzy Hash: dcc2cef72e683e7149f28ba273d574b800220e370ec5634c56bab518f9faca29
Instruction Fuzzy Hash: F6219271E00218AEEB41DB788CC4FEEB7BDDB69A24F114475E408E3244FA759B41EA64

Function 2411F494 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 2411F51F
SetPropA.USER32(?,OBJECT), ref: 2411F532
SetWindowLongA.USER32(?,000000FC,Function_0002F404), ref: 2411F542
SetPropA.USER32(?,WNDPROC,00000000), ref: 2411F551

Strings

OBJECT, xrefs: 2411F529
WNDPROC, xrefs: 2411F548

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: PropWindow$Long
String ID: OBJECT$WNDPROC
API String ID: 109861939-55689305
Opcode ID: 9b6a92978ac5ae73473477540457b56ac656adbc0e64dbe62c3a0735dc9899b8
Instruction ID: 7d9222bed19195124dc730dd926e4e11155ce6ec0332fb68523414b758274531
Opcode Fuzzy Hash: 9b6a92978ac5ae73473477540457b56ac656adbc0e64dbe62c3a0735dc9899b8
Instruction Fuzzy Hash: C7317176A002489FD740CFA9CCC0D5EB7F9EB4D214B518174B909EB349DB74ED458B60

Function 2413352C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll,2413394B,2413B980,?,24133A12,24136642,SQLite3.dll,241367CC,?,logs.dat,241367CC,?,00000000,00000000,Function_000451BC,00000000), ref: 24133531
GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 24133552
GetProcAddress.KERNEL32(00000000,ZwOpenSection), ref: 24133567

Strings

RtlInitUnicodeString, xrefs: 24133547
ntdll.dll, xrefs: 2413352C
ZwOpenSection, xrefs: 2413355C

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: RtlInitUnicodeString$ZwOpenSection$ntdll.dll
API String ID: 2238633743-2527063403
Opcode ID: f70b4c1b073bdf257a111a211318434b1739d3cde2ee8bfd775852c55b188102
Instruction ID: 217ba0910ee173a84509e587d988d3df6e1e274803861fae233155b02225e8f6
Opcode Fuzzy Hash: f70b4c1b073bdf257a111a211318434b1739d3cde2ee8bfd775852c55b188102
Instruction Fuzzy Hash: C0E0ECB2B152049FE7009F76CA94A0D3F94F7A5249B820868F408B7989DB7D81449F54

Function 2410B3CC Relevance: 9.2, APIs: 6, Instructions: 202registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020006,?,?,?,?,00000000,2410B63D,?,?,00000003,00000000,00000000), ref: 2410B4CE
RegDeleteKeyA.ADVAPI32(?,00000000), ref: 2410B4F1
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,00000000,00000002,?,?,?,00000000,2410B63D,?,?,00000003,00000000), ref: 2410B615

Part of subcall function 2410A9BC: RegOpenKeyExA.ADVAPI32(00000000,?,00000000,?,00000000,00000008,?,00000000,2410AB1D), ref: 2410AA71
Part of subcall function 2410A9BC: RegEnumKeyExA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,00000008,?,00000000), ref: 2410AAD4
Part of subcall function 2410A9BC: RegCloseKey.ADVAPI32(?,?,00000001,00000000,000000FF,00000000,00000000,00000000,?,?,00000000,00000000,000000FF,00000000,00000000,00000000), ref: 2410AAE1

RegDeleteKeyA.ADVAPI32(?,00000000), ref: 2410B58E
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000002,?,?,?,00000000,2410B63D,?,?,00000003,00000000,00000000), ref: 2410B5F5
RegDeleteValueA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000002,?,?,?,00000000,2410B63D,?,?,00000003,00000000,00000000), ref: 2410B607

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: DeleteOpen$Close$EnumValue
String ID:
API String ID: 1347035672-0
Opcode ID: 6297b7789687b60b8f720b9dd849c9c29bc87fd75186d03c50acbdd97e83bcec
Instruction ID: 18a441e748e7aeb3e352abff50e53ff99ece9dc7fc8c3e200c6e49715cd773c5
Opcode Fuzzy Hash: 6297b7789687b60b8f720b9dd849c9c29bc87fd75186d03c50acbdd97e83bcec
Instruction Fuzzy Hash: AB611171A001099BEB40EBE4DD80AEEB7F9FF68218F519471E910E7258EE74EE448B50

Function 2410BC2C Relevance: 9.1, APIs: 6, Instructions: 138registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,?,00000000,0002001B,?,?,00000000,2410BD96,?,?,?,?,00000000,00000000), ref: 2410BCEF
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00000000,?,00000000,0002001B,?,?,00000000,2410BD96), ref: 2410BD09
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,00000000,00000000,?,00000000), ref: 2410BD2C
RegSetValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,?,?,00000000,?), ref: 2410BD48
RegDeleteValueA.ADVAPI32(?,?,?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,?), ref: 2410BD56
RegCloseKey.ADVAPI32(?,00000000,00000000,?,00000000,0002001B,?,?,00000000,2410BD96,?,?,?,?,00000000,00000000), ref: 2410BD6E

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Value$Query$CloseDeleteOpen
String ID:
API String ID: 2877093821-0
Opcode ID: c2e1492d56e57d1ba8781bf1a1731e0f236002eb4be432e85ca611a0b7749c16
Instruction ID: 0f328a4e1666480984c2926be10c0227c774cbbf6bd2519dccf48f4ba82c67f3
Opcode Fuzzy Hash: c2e1492d56e57d1ba8781bf1a1731e0f236002eb4be432e85ca611a0b7749c16
Instruction Fuzzy Hash: DB41F176A00118ABEB01DAE4CD80EEFF7BDEF58614F118466E900E7254EE74EE418B60

Function 2411CEFC Relevance: 9.1, APIs: 6, Instructions: 69clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 2411CF15
GetClipboardData.USER32(00000001), ref: 2411CF32
GlobalSize.KERNEL32(00000000), ref: 2411CF52
GlobalLock.KERNEL32(00000000), ref: 2411CF5C
GlobalUnlock.KERNEL32(00000000), ref: 2411CF7D
CloseClipboard.USER32 ref: 2411CFAD

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$CloseDataLockOpenSizeUnlock
String ID:
API String ID: 1964585863-0
Opcode ID: 440252957ee3157b1bdea645ef3a49cae56cde3a53a3d34c58e029789d3572a3
Instruction ID: b82e28efe2fd86b7b408c1b2ff402cf89cd2fb3a9a3522e2baf2a40663299797
Opcode Fuzzy Hash: 440252957ee3157b1bdea645ef3a49cae56cde3a53a3d34c58e029789d3572a3
Instruction Fuzzy Hash: C311B434904204BFEB11DBB9CCA1A9EBBE8EB59714F9344B1E804D3655EE799A00DA60

Function 24122DC8 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 268sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000032,?,00000000,241231F8,?,?,?,?,00000000,00000000), ref: 24122E74

Part of subcall function 24122DC8: GetTickCount.KERNEL32 ref: 24123070

Strings

ALL, xrefs: 24122E39
.tmp, xrefs: 2412308A
*.*, xrefs: 241230F3

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: CountSleepTick
String ID: *.*$.tmp$ALL
API String ID: 2804873075-513194922
Opcode ID: e9b6951eb69824657e20d054449e66f4962b5f1110cc1787bffe1d4667a71d13
Instruction ID: 0f57592d7731e4a2e45022a7715b7f43a6bcba0df39851049281ee177d3c31be
Opcode Fuzzy Hash: e9b6951eb69824657e20d054449e66f4962b5f1110cc1787bffe1d4667a71d13
Instruction Fuzzy Hash: AEB19E30A0062D9BEB15DB60CC90AEEB3B5EB95318F5284F5D804E7258DFB5EF858B50

Function 241300AC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 160fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 24130124
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 24130162
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,.txt,?,00000000,00000000,?,00000000,241302D7,?,?,00000000,00000000), ref: 2413016D

Part of subcall function 24102134: InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 241021C0
Part of subcall function 24102134: InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000001,08000000,00000000), ref: 241021F8

Part of subcall function 241023C4: FtpOpenFileA.WININET(00000000,00000000,40000000,00000002,00000000), ref: 24102431
Part of subcall function 241023C4: InternetWriteFile.WININET(00000000,?,00000001,?), ref: 2410248F
Part of subcall function 241023C4: InternetCloseHandle.WININET(00000000), ref: 241024DE

Strings

.txt, xrefs: 24130138
___, xrefs: 241301F4

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: FileInternet$Open$AttributesCloseConnectCopyCountHandleTickWrite
String ID: .txt$___
API String ID: 3003208719-4103982732
Opcode ID: a536039d023c2b76ae7fab1105f0e0d4c2eb55ac6a88eb871de8771ea9d40cc9
Instruction ID: 44c41f59fc5f4afff6b21ff36d5bf8281ea0cc42d09195fc59ab3e1eabc39db2
Opcode Fuzzy Hash: a536039d023c2b76ae7fab1105f0e0d4c2eb55ac6a88eb871de8771ea9d40cc9
Instruction Fuzzy Hash: 44510830A00209AFEB01EBA5DDD0F9D7FF6EF68604F524475E500A7259CE79AE858F50

Function 2411F404 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,WNDPROC), ref: 2411F41C
CallWindowProcA.USER32(00000000,?,?,?,?), ref: 2411F429
GetPropA.USER32(?,OBJECT), ref: 2411F437

Strings

OBJECT, xrefs: 2411F431
WNDPROC, xrefs: 2411F416

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Prop$CallProcWindow
String ID: OBJECT$WNDPROC
API String ID: 1345539330-55689305
Opcode ID: 8348d3d0837fbf42b6ad2942b1b84abfff0e2d55f04af329e747bae7096479bc
Instruction ID: 82bc1d2e31e5cd27ebfbad23d337ce1b832a82b0e1d3e4175eac465c212d11ce
Opcode Fuzzy Hash: 8348d3d0837fbf42b6ad2942b1b84abfff0e2d55f04af329e747bae7096479bc
Instruction Fuzzy Hash: B60144B1A00209AB9B10CFA5CD848DFBBBDEF85250B118265A905A7605DA309F00CBF1

Function 24134594 Relevance: 7.7, APIs: 5, Instructions: 177memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 241345EB
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,00002000,00000001), ref: 24134611
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,00001000,00000004,?,?,00002000,00000001), ref: 2413463B
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,00000002,?,?,?,00001000,00000004,?,?,00002000,00000001), ref: 24134693
VirtualProtect.KERNEL32(?,?,00000000,?,00000001), ref: 24134756

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$Protect
String ID:
API String ID: 655996629-0
Opcode ID: b699cdd7bc206e5ba009274c54cd050503c0e4d50f8bdc436202f7b92cd5b323
Instruction ID: 1810af5d2519482fb5b53f63461b979fadf6355addecdc091a6150828b87032e
Opcode Fuzzy Hash: b699cdd7bc206e5ba009274c54cd050503c0e4d50f8bdc436202f7b92cd5b323
Instruction Fuzzy Hash: 9071D175A00208AFDB50CFA9D9C1EAEBBF9FF48314F1580A5E904EB255D674EE44CB60

Function 24121FE4 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 152sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,audio,241222BC,241222BC,resposta,|Y|,00000000,241220D2,?,00000000,24122222,?,00000000,24122284), ref: 241220E1

Strings

|Y|, xrefs: 24122080
resposta, xrefs: 24122085
audiogetbuffer, xrefs: 241220A4
audio, xrefs: 2412209A

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: audio$audiogetbuffer$resposta$|Y|
API String ID: 3472027048-441611841
Opcode ID: df5906f36d469ff1dfd9af4ac3877a524138bc9276a09137f3b9715c9fc553d8
Instruction ID: 488aa52959354f3dd87f1f709a6d209a059d5a7fbe189dabe988527d4d55955c
Opcode Fuzzy Hash: df5906f36d469ff1dfd9af4ac3877a524138bc9276a09137f3b9715c9fc553d8
Instruction Fuzzy Hash: 7A515834700A599FD305CF66EC90E99B7F0FB68304B5284B5F804EBB14E7BA9A40CB54

Function 2411ADC0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 139sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,2411B060,?,?,?,?,2411B060,2413B98C,2411B060,resposta,|Y|,2413B8DC,00000000,2411B027), ref: 2411AECC

Part of subcall function 24102B24: getpeername.WS2_32(?,?), ref: 24102B3B
Part of subcall function 24102B24: inet_ntoa.WS2_32(?), ref: 24102B44

Part of subcall function 24102B58: getpeername.WS2_32(?,?), ref: 24102B6C
Part of subcall function 24102B58: htons.WS2_32(?), ref: 24102B77

Part of subcall function 24102908: socket.WS2_32(00000002,00000001,00000006), ref: 24102959
Part of subcall function 24102908: htons.WS2_32(?), ref: 24102968
Part of subcall function 24102908: inet_addr.WS2_32(00000000), ref: 24102975
Part of subcall function 24102908: gethostbyname.WS2_32(00000000), ref: 241029A2
Part of subcall function 24102908: connect.WS2_32(00000002,00000002,00000010), ref: 241029CD

Sleep.KERNEL32(0000000A,00000000,2411B027), ref: 2411AE54
Sleep.KERNEL32(00000001,00000000,2411AFAD,?,000003E8,2411B060,?,?,?,?,2411B060,2413B98C,2411B060,resposta,|Y|,2413B8DC), ref: 2411AF33

Part of subcall function 24102CEC: send.WS2_32(?,00000000,00000000,00000000), ref: 24102CF8
Part of subcall function 24102CEC: WSAGetLastError.WS2_32(00000000,?,24102D4C,?,?,24118FD9,24119060,24119054,?,00000000,?,00000000,24119016,?,?,00000000), ref: 24102D04

Strings

|Y|, xrefs: 2411AE6F
resposta, xrefs: 2411AE74

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Sleep$getpeernamehtons$ErrorLastconnectgethostbynameinet_addrinet_ntoasendsocket
String ID: resposta$|Y|
API String ID: 3039588340-3743483372
Opcode ID: d8059ce728f18c91712550a2f3597c32bb96a7b730f4831530d9e41a728b8d3b
Instruction ID: bc5ba9f2acab84a8b193f4253df8eb39e24d0c7ec1731f0c4d4402b629e8cdf6
Opcode Fuzzy Hash: d8059ce728f18c91712550a2f3597c32bb96a7b730f4831530d9e41a728b8d3b
Instruction Fuzzy Hash: AD517E70A002199FEB11DF65CCC0ACDBBB5FF99344F4184B5E448AA298DB34AF918B60

Function 24102908 Relevance: 7.6, APIs: 5, Instructions: 92networkCOMMON

Download Yara Rule

APIs

Part of subcall function 24102A38: shutdown.WS2_32(?,00000002), ref: 24102A83
Part of subcall function 24102A38: closesocket.WS2_32(?), ref: 24102AB1

socket.WS2_32(00000002,00000001,00000006), ref: 24102959
htons.WS2_32(?), ref: 24102968
inet_addr.WS2_32(00000000), ref: 24102975
gethostbyname.WS2_32(00000000), ref: 241029A2
connect.WS2_32(00000002,00000002,00000010), ref: 241029CD

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: closesocketconnectgethostbynamehtonsinet_addrshutdownsocket
String ID:
API String ID: 1626636048-0
Opcode ID: 7fae2a1c8b1106020e3576fbb04a0c52f70fd469eafc3dc536fd010da5b444a3
Instruction ID: 9cb9abfafff7c17c54066bbc51c1ff144407a18406ce530d3aedba5ded8c5764
Opcode Fuzzy Hash: 7fae2a1c8b1106020e3576fbb04a0c52f70fd469eafc3dc536fd010da5b444a3
Instruction Fuzzy Hash: 5231AF30604344DFEB19CF64DCA0A6ABBE8EB09310B5298A5EC04DF655E774DE10DB60

Function 2411CDE0 Relevance: 7.6, APIs: 5, Instructions: 72clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 2411CE11
GetClipboardData.USER32(0000000F), ref: 2411CE26
DragQueryFile.SHELL32(00000000,000000FF,00000000,00000000), ref: 2411CE38
DragQueryFile.SHELL32(00000000,00000000,00000000,00000105), ref: 2411CE6B
CloseClipboard.USER32 ref: 2411CEB6

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Clipboard$DragFileQuery$CloseDataOpen
String ID:
API String ID: 3062564445-0
Opcode ID: 326f68bae02ee6de6795abc8569cd418972459aff74613e19d3ce650772ecc3f
Instruction ID: 68c40cdb43536765418632fed7ffaeeee8f2ce2f1042c3bfe20a591cb0c046d2
Opcode Fuzzy Hash: 326f68bae02ee6de6795abc8569cd418972459aff74613e19d3ce650772ecc3f
Instruction Fuzzy Hash: 102120306046587FF72197688CD1FDF7EB9DB59B54F4200F4E508A2285FAB54A409A61

Function 24135DD4 Relevance: 7.6, APIs: 5, Instructions: 66sleepCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,24135EB7), ref: 24135E37
GetCurrentProcessId.KERNEL32(001F0FFF,00000000,?,00000000,24135EB7), ref: 24135E50
CloseHandle.KERNEL32(00000000,001F0FFF,00000000,?,00000000,24135EB7), ref: 24135E78
CloseHandle.KERNEL32(00000000,00000000,001F0FFF,00000000,?,00000000,24135EB7), ref: 24135E8B
Sleep.KERNEL32(00000064,00000000,00000000,001F0FFF,00000000,?,00000000,24135EB7), ref: 24135E92

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$CurrentOpenSleep
String ID:
API String ID: 4261582699-0
Opcode ID: 7923038193c7d8631632e64b127d7b40788c70ba7d58118d1f3845ebb11f2c13
Instruction ID: 7d4c2e9da77aaec62133d0b964530c559a7bc2614d286d03e052a6e871724c10
Opcode Fuzzy Hash: 7923038193c7d8631632e64b127d7b40788c70ba7d58118d1f3845ebb11f2c13
Instruction Fuzzy Hash: 3111C4307006056BE3109B79CCC0A8FFBEDAF65A14F920570A804E7649EF74FE8687A4

Function 24117D20 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 61sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 24102908: socket.WS2_32(00000002,00000001,00000006), ref: 24102959
Part of subcall function 24102908: htons.WS2_32(?), ref: 24102968
Part of subcall function 24102908: inet_addr.WS2_32(00000000), ref: 24102975
Part of subcall function 24102908: gethostbyname.WS2_32(00000000), ref: 241029A2
Part of subcall function 24102908: connect.WS2_32(00000002,00000002,00000010), ref: 241029CD

Sleep.KERNEL32(0000000A,00000000,24117E17,?,?,?,?,00000000,00000000), ref: 24117D73
Sleep.KERNEL32(000003E8,0000000A,00000000,24117E17,?,?,?,?,00000000,00000000), ref: 24117DBD
Sleep.KERNEL32(0000EA60,000003E8,0000000A,00000000,24117E17,?,?,?,?,00000000,00000000), ref: 24117DF5

Strings

resposta, xrefs: 24117D89
|Y|, xrefs: 24117D84

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Sleep$connectgethostbynamehtonsinet_addrsocket
String ID: resposta$|Y|
API String ID: 1101491793-3743483372
Opcode ID: 5050fdb0eb540220ded3bf061d0cfe60bf4046690208fd17ee434c43d72c2c04
Instruction ID: 6389e2aabaf570ed10801ed46322fe098e602502855f099894802bf4f6ca0d7f
Opcode Fuzzy Hash: 5050fdb0eb540220ded3bf061d0cfe60bf4046690208fd17ee434c43d72c2c04
Instruction Fuzzy Hash: F111C131304708BFE7119B66CCE1F1EBBA9EB59708F124435F908B6748E978AE908A51

Function 2410BFE4 Relevance: 7.6, APIs: 5, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 2410C022
RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 2410C039
RegCloseKey.ADVAPI32(?,?,00000000,?,00000000,2410C081), ref: 2410C051
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,2410C081), ref: 2410C05A
RegDeleteKeyA.ADVAPI32(?,00000000), ref: 2410C061

Part of subcall function 2410BDD4: RegEnumValueA.ADVAPI32(?,00000000,00000000,00000200,00000000,?,?,00002000,00000000,2410BF43,?,00000000,2410BF60), ref: 2410BE4E
Part of subcall function 2410BDD4: RegSetValueExA.ADVAPI32(?,00000000,00000000,?,?,00002000,?,00000000,00000000,00000200,00000000,?,?,00002000,00000000,2410BF43), ref: 2410BE74
Part of subcall function 2410BDD4: RegDeleteValueA.ADVAPI32(?,00000000,?,00000000,00000000,?,?,00002000,?,00000000,00000000,00000200,00000000,?,?,00002000), ref: 2410BE85
Part of subcall function 2410BDD4: RegEnumKeyExA.ADVAPI32(?,00000000,00000000,00000200,00000000,?,00002000,00000000,?,00000000,00000000,00000200,00000000,?,?,00002000), ref: 2410BEB9
Part of subcall function 2410BDD4: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 2410BED5

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Value$CloseCreateDeleteEnum$Open
String ID:
API String ID: 3917402359-0
Opcode ID: f20c292c29519b0b7fa60001a7cd78a1e1ba38f941514fbdea19f4a41a534d15
Instruction ID: d1eccac7becc5d59312521a0b3d9e994984fbf0ad6e28d896c254cccb38ec42a
Opcode Fuzzy Hash: f20c292c29519b0b7fa60001a7cd78a1e1ba38f941514fbdea19f4a41a534d15
Instruction Fuzzy Hash: E01112B5900208BFEB11DBA5DD80D9FB7FDEF58254B525575B814D3208EA38EE44CB60

Function 2411C950 Relevance: 7.5, APIs: 5, Instructions: 49serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,2411C9CF), ref: 2411C97B
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,2411C9CF), ref: 2411C995
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,2411C9CF), ref: 2411C9A1
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,2411C9CF), ref: 2411C9AE
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,2411C9CF), ref: 2411C9B4

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$DeleteManager
String ID:
API String ID: 204194956-0
Opcode ID: 99557236cc6420885ecb78406d02a6caef7aadc1629097a31dce3623d0e6a68f
Instruction ID: eeeb2cb1c1ae1165ce4ffe8f25f8694807128e0b06da2ecf0f828f1e40307936
Opcode Fuzzy Hash: 99557236cc6420885ecb78406d02a6caef7aadc1629097a31dce3623d0e6a68f
Instruction Fuzzy Hash: 4C01F4B06007087AF712DB358CD1FAF769CDF65A50F420471B908A6288FEB49F00F4A4

Function 2410E4F8 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 276COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,2410E8B6,?,?,?,?,00000010,00000000,00000000), ref: 2410E51E

Part of subcall function 2410DD70: WSAStartup.WS2_32(00000101,?), ref: 2410DDB0
Part of subcall function 2410DD70: inet_addr.WS2_32(00000000), ref: 2410DDCF
Part of subcall function 2410DD70: WSACleanup.WS2_32 ref: 2410DDDD

Part of subcall function 2410DD70: gethostbyaddr.WS2_32(000000FF,00000004,00000002), ref: 2410DDF1
Part of subcall function 2410DD70: WSACleanup.WS2_32 ref: 2410DE12

Part of subcall function 240F3790: SysFreeString.OLEAUT32(?), ref: 240F37A3

Part of subcall function 240F3778: SysFreeString.OLEAUT32(?), ref: 240F3786

Strings

UDP, xrefs: 2410E707
TCP, xrefs: 2410E56E
Unknown, xrefs: 2410E60F, 2410E77E

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: CleanupFreeString$CurrentProcessStartupgethostbyaddrinet_addr
String ID: TCP$UDP$Unknown
API String ID: 3668935989-2456960297
Opcode ID: c45f4b49acf9eff77db4d8063fe71a3b6001112f1437c166c17d051cca57fb84
Instruction ID: 17f1da4666d72fc50c1bff7315648c01946c52e51ace6766a757d4fe35ae1133
Opcode Fuzzy Hash: c45f4b49acf9eff77db4d8063fe71a3b6001112f1437c166c17d051cca57fb84
Instruction Fuzzy Hash: 72B1287091420DABEB10DB96CCC0ADEBBBAFF54314F119576E900B7218DA75AE86CF50

Function 241206F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142shareCOMMON

Download Yara Rule

APIs

WNetOpenEnumA.MPR(00000002,00000000,00000000,?,?), ref: 2412074D
WNetEnumResourceA.MPR(?,FFFFFFFF,?,00004020), ref: 24120890
WNetCloseEnum.MPR(?), ref: 241208AE

Strings

@, xrefs: 2412076F

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Enum$CloseOpenResource
String ID: @
API String ID: 1269649575-2726393805
Opcode ID: 2e2f40a4f191adc06d821f79182eeaadf54b7754ef090dca3d23d66ae8cb8091
Instruction ID: a91f98dc169279402d5922bb83c58ba6a25d72dc1c3d2dd5d8b6e411c40ead21
Opcode Fuzzy Hash: 2e2f40a4f191adc06d821f79182eeaadf54b7754ef090dca3d23d66ae8cb8091
Instruction Fuzzy Hash: BD4181B1D40A28ABEB11CF55CCC0B8ABFB9FB54314F5242E5EB04F624DDA749B408E94

Function 24122A48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindowTextA.USER32(?,00000000,00000000), ref: 24122A8E
IsWindowVisible.USER32(?), ref: 24122A9E

Strings

*@*@, xrefs: 24122AFE

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Window$TextVisible
String ID: *@*@
API String ID: 1670992164-2280034366
Opcode ID: 760ad0d0c04e71c23185a12b6151988ab76eddb5a8ba8d1f1d6682463a33e06f
Instruction ID: 8a6348c73891afedc6aefd1bf2d0b994a808ee4083e8646cc47859fd1feac1fc
Opcode Fuzzy Hash: 760ad0d0c04e71c23185a12b6151988ab76eddb5a8ba8d1f1d6682463a33e06f
Instruction Fuzzy Hash: A821D170A00508BFEB15DEA0DCD1FAEBB69EB54304FA240B1B500FA549DA75DF448A18

Function 241336D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(24143704), ref: 241336E3

Strings

\Device\PhysicalMemory, xrefs: 2413371B

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Version
String ID: \Device\PhysicalMemory
API String ID: 1889659487-2007344781
Opcode ID: 992b73057bf1bc6c4dd5bcdf606e47d40729b299bc0a2e722d09e44970f93001
Instruction ID: 709dafd845588567b884403b8878ad452c841fe339f22e7982c09e414f50182d
Opcode Fuzzy Hash: 992b73057bf1bc6c4dd5bcdf606e47d40729b299bc0a2e722d09e44970f93001
Instruction Fuzzy Hash: C7215EB6708209AFD340CF75CDC8F4A7EE5E788285F114C29F549D6680E7B8D6848B15

Function 2411B3FC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60threadCOMMON

Download Yara Rule

APIs

Part of subcall function 240F15E0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,2413B97C,24134C34,00000000,24134C9D,?,?,00000000,00000000), ref: 240F1604

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 2411B439
GetWindowThreadProcessId.USER32(00000000,?), ref: 2411B43F
OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,2411B4AE), ref: 2411B44F

Part of subcall function 2411B308: VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00003000,00000040), ref: 2411B320
Part of subcall function 2411B308: VirtualProtectEx.KERNEL32(00000000,00000000,00000000,00000040,00000040,00000000,00000000,00000000,00003000,00000040), ref: 2411B331
Part of subcall function 2411B308: WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000040,00000040,00000000,00000000,00000000,00003000,00000040), ref: 2411B33F

Part of subcall function 2411B354: GetModuleHandleA.KERNEL32(00000000), ref: 2411B36C
Part of subcall function 2411B354: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,?,00000000), ref: 2411B396
Part of subcall function 2411B354: VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 2411B3A5
Part of subcall function 2411B354: GetModuleHandleA.KERNEL32(00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 2411B3B8
Part of subcall function 2411B354: WriteProcessMemory.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 2411B3C0
Part of subcall function 2411B354: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 2411B3E1
Part of subcall function 2411B354: CloseHandle.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 2411B3E7

Strings

Shell_TrayWnd, xrefs: 2411B434

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$HandleModule$AllocMemoryThreadWindowWrite$CloseCreateFileFindFreeNameOpenProtectRemote
String ID: Shell_TrayWnd
API String ID: 1977168033-2988720461
Opcode ID: 03a7260d88b046805293d1054fe5de511928ebd80afcf7569e7430b3f68e95e8
Instruction ID: 2cd9d146f3f825f28fbbeb0437dce0bc45982ddd05282bb61fe5af92856b7b06
Opcode Fuzzy Hash: 03a7260d88b046805293d1054fe5de511928ebd80afcf7569e7430b3f68e95e8
Instruction Fuzzy Hash: E611CA71B002086FEB40DBB8CCD0A9EB7E9EF48210F524535E515E7348EE78EE048B54

Function 240F61A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(urlmon.dll,URLDownloadToFileA,00000000,240F6200,?,?,?,00000000,?,2411862A,00000000,00000000,00000000,2411867F,?,.tmp), ref: 240F61CD
GetProcAddress.KERNEL32(00000000,urlmon.dll), ref: 240F61D3

Strings

urlmon.dll, xrefs: 240F61C8
URLDownloadToFileA, xrefs: 240F61C3

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: URLDownloadToFileA$urlmon.dll
API String ID: 2574300362-892269089
Opcode ID: 3d6d03a3e4aaf58d04fb40c9e047b8c6686512c9d4b34fece13cb1c5aa88eea8
Instruction ID: b3a979267c4442ce197c571bd92ce809fe0f743666d2954628414ec1d4547f77
Opcode Fuzzy Hash: 3d6d03a3e4aaf58d04fb40c9e047b8c6686512c9d4b34fece13cb1c5aa88eea8
Instruction Fuzzy Hash: 3FF09075604A04BFA710CBE6CC90D5E7BECEF8D6103538874B804D3218DE34AE418AA4

Function 24100B6C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,GetProductInfo,00000000,24100BD9), ref: 24100B9B
GetProcAddress.KERNEL32(00000000,KERNEL32.DLL), ref: 24100BA1

Part of subcall function 240FF870: GetVersionExW.KERNEL32(0000011C), ref: 240FF8DA
Part of subcall function 240FF870: GetVersionExW.KERNEL32(00000094,0000011C), ref: 240FF8F6
Part of subcall function 240FF870: GetSystemInfo.KERNEL32(?,0000011C), ref: 240FF95C

Strings

GetProductInfo, xrefs: 24100B91
KERNEL32.DLL, xrefs: 24100B96

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Version$AddressHandleInfoModuleProcSystem
String ID: GetProductInfo$KERNEL32.DLL
API String ID: 335284197-4189171773
Opcode ID: 7b4d04bb2933842433bf66461d93572b7c1d8d4216938ce4bc849cc679d2ee19
Instruction ID: 8c7679b6e2f65de714661a65c9efb6237de77d71b592c2d862c5df37c479c4bb
Opcode Fuzzy Hash: 7b4d04bb2933842433bf66461d93572b7c1d8d4216938ce4bc849cc679d2ee19
Instruction Fuzzy Hash: 83F096356142045F9711DF61DCE0C8E7BE8EB597287935132EC01B2658EE359D818DA4

Function 24101904 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(AVICAP32.dll,capGetDriverDescriptionA), ref: 2410191A
GetProcAddress.KERNEL32(00000000,AVICAP32.dll), ref: 24101920

Strings

capGetDriverDescriptionA, xrefs: 24101910
AVICAP32.dll, xrefs: 24101915

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: AVICAP32.dll$capGetDriverDescriptionA
API String ID: 2574300362-2465018903
Opcode ID: 923c4ca97b63bed19ee6a7f4598ad5f35352d60679e31f00216a0024b30cf205
Instruction ID: be3fe581dcf446c700e424f9da186c87d8f208ab8b4cc01554f5f7bcb56128bd
Opcode Fuzzy Hash: 923c4ca97b63bed19ee6a7f4598ad5f35352d60679e31f00216a0024b30cf205
Instruction Fuzzy Hash: 30D012762045143B6720A5DB9CC4D9BBB5CDEE5575312D126B9089310AD8759D0587F0

Function 2411B624 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000040B,00000000,00000000), ref: 2411B65D
UnregisterClassA.USER32(MainForm,?), ref: 2411B674

Strings

Video, xrefs: 2411B63F
MainForm, xrefs: 2411B66F

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: ClassMessageSendUnregister
String ID: MainForm$Video
API String ID: 3339218838-2964836702
Opcode ID: bde51fac205a959067ae6d615af25686e7a712586f0b1b47f21e87b9bee9744c
Instruction ID: 5b2adb21908d63c5346446f8296a40cf847345e4c64dba7030c95f818ccd1233
Opcode Fuzzy Hash: bde51fac205a959067ae6d615af25686e7a712586f0b1b47f21e87b9bee9744c
Instruction Fuzzy Hash: 2CE09AB27803407BF650DB6A8C82F153AA4D754B14F524020F708BA5C4F5B476908F18

Function 240F6E48 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,GetSystemDirectoryA,?,?,240F6F52,00000000,240F6F93), ref: 240F6E58
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 240F6E5E

Strings

GetSystemDirectoryA, xrefs: 240F6E4E
kernel32.dll, xrefs: 240F6E53

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemDirectoryA$kernel32.dll
API String ID: 2574300362-261809815
Opcode ID: 8e3c5bf4f21989bd2679ca569eed970311a9c8b17c9951c1c28e5836e9ef04de
Instruction ID: 3933b5585c8e4387a91c6303d44fd40ea84175658bc6987338b780a941d86627
Opcode Fuzzy Hash: 8e3c5bf4f21989bd2679ca569eed970311a9c8b17c9951c1c28e5836e9ef04de
Instruction Fuzzy Hash: 12C09B936516203B773075F6DCD4D9F454CCE754673030871B915E314BDD564D8505F0

Function 240F6E90 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,GetWindowsDirectoryA,?,?,240F6FDE,00000000,240F701F,?,?,?,240F7083,?,00000000,240F70AB,?,00000000), ref: 240F6EA0
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 240F6EA6

Strings

kernel32.dll, xrefs: 240F6E9B
GetWindowsDirectoryA, xrefs: 240F6E96

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetWindowsDirectoryA$kernel32.dll
API String ID: 2574300362-157430550
Opcode ID: 1799f65bf402dd11a46f98e7382fb403c3ec7bc44e438658788134b01c1581c7
Instruction ID: a2b25f4dd6b6e14ae3e5275cba677e863393416088eb04899637a398183ca9f3
Opcode Fuzzy Hash: 1799f65bf402dd11a46f98e7382fb403c3ec7bc44e438658788134b01c1581c7
Instruction Fuzzy Hash: 74C09B93541A203B773076F69CD4D9F454CCDA546B30308717D14E210E9D554D8945F0

Function 240F6EDC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,GetTempPathA,?,?,240F704D,?,24118525,00000000,24118DD5,?,?,?,?,0000000B,00000000,00000000), ref: 240F6EEC
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 240F6EF2

Strings

GetTempPathA, xrefs: 240F6EE2
kernel32.dll, xrefs: 240F6EE7

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetTempPathA$kernel32.dll
API String ID: 2574300362-3269217876
Opcode ID: 68a924575e68bf557c481814eed861a11145bb5aec1a692e6b18e634632282a6
Instruction ID: ef01eba50549746e78e504e0bdfbff2d2ec6c585ba901ee07059cc5bb4a0799b
Opcode Fuzzy Hash: 68a924575e68bf557c481814eed861a11145bb5aec1a692e6b18e634632282a6
Instruction Fuzzy Hash: A3C09B915456203B773065F65CD4E9F454CDE654A77130C717914E210FDC545D8915F4

Function 2413493C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll,ZwUnmapViewOfSection,?,00000000,24134A7E,?,?,?,00000004,?,?,00010002), ref: 2413494C
GetProcAddress.KERNEL32(00000000,ntdll.dll), ref: 24134952

Strings

ZwUnmapViewOfSection, xrefs: 24134942
ntdll.dll, xrefs: 24134947

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: ZwUnmapViewOfSection$ntdll.dll
API String ID: 2574300362-452462277
Opcode ID: 5361bf6e8c37b2124288b457131ace43eacffa2b20801686c577f034760a0f7a
Instruction ID: babda2a78de179b0fe65e9a5f13c489be3a5cada94efd8b87b063a605d61180c
Opcode Fuzzy Hash: 5361bf6e8c37b2124288b457131ace43eacffa2b20801686c577f034760a0f7a
Instruction Fuzzy Hash: 1BC04C916416243A6630E5FA5CD5E9B594C8DA907A30304617914E210A99585D4446F0

Function 240F5E80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 11libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(shell32.dll,SHFileOperationA), ref: 240F5E8D
GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 240F5E93

Strings

shell32.dll, xrefs: 240F5E88
SHFileOperationA, xrefs: 240F5E83

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SHFileOperationA$shell32.dll
API String ID: 2574300362-1445012119
Opcode ID: 04eb4ba3e7a2be5fe124bd427f8afc22954089021653e967de022679f8b34e53
Instruction ID: 15358971611d1af0d0a0b349a06618a6fb9606482aa7874c40b3fc6eba75c049
Opcode Fuzzy Hash: 04eb4ba3e7a2be5fe124bd427f8afc22954089021653e967de022679f8b34e53
Instruction Fuzzy Hash: 08B092A0141A113E673426F28CD0E1E004D5EA400738304303800E100B8D285A880460

Function 24122750 Relevance: 6.1, APIs: 4, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4,00000000,24122867,?,?,?,?,00000000,00000000), ref: 24122777
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013,2412288C,2412288C,2412288C,24122880,?,000001F4,00000000,24122867), ref: 24122814
GetForegroundWindow.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013,2412288C,2412288C,2412288C,24122880,?,000001F4,00000000,24122867), ref: 24122819
SetForegroundWindow.USER32(?), ref: 24122828

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Window$Foreground$Sleep
String ID:
API String ID: 1564942233-0
Opcode ID: 759706081a733db9b3e9303fb426d359f96beb565d5d0774a169d44cf1ed0b17
Instruction ID: a2eae39c19139ae7dc5058db030bbf263f187e89c05e5cb86e0fb53d2edd0613
Opcode Fuzzy Hash: 759706081a733db9b3e9303fb426d359f96beb565d5d0774a169d44cf1ed0b17
Instruction Fuzzy Hash: AA21A130740619AFF715DB55DCD0F8D7BE4EB19310F6201A1F604AB6A8CBB4EA41CB55

Function 2411D15C Relevance: 6.1, APIs: 4, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00000001,?,00000000,2411D228), ref: 2411D194
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001,?,00000000,2411D228), ref: 2411D1B8
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001), ref: 2411D1E2
RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 2411D1FC

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: f59ecaf1b3f1c5caf6da81aaee94a3b1ecc25af142968281546b601553d7f663
Instruction ID: ce05d9b22eb31817258225f969daaeb6450e073f34a1f414b01b662d0be6c6f5
Opcode Fuzzy Hash: f59ecaf1b3f1c5caf6da81aaee94a3b1ecc25af142968281546b601553d7f663
Instruction Fuzzy Hash: 52212C75A00148AFEB00DBA9DC81EAFF7FDEF98654F520475B504E7244DE78AE408B61

Function 2410435C Relevance: 6.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 241043BC
VirtualFree.KERNEL32(?,00000000,00008000), ref: 241043E5
GetProcessHeap.KERNEL32(00000000,?), ref: 241043EF
HeapFree.KERNEL32(00000000,00000000,?), ref: 241043F5

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Free$Heap$LibraryProcessVirtual
String ID:
API String ID: 548792435-0
Opcode ID: 327151f7bebc56f7355ee985beca54bda8cd7dd0ae24fdd1ad7be8b3eac1ed1b
Instruction ID: e9c6f4b854e4756b62e3a2d7325f563c1afbb5d0d0b30b740febde78f5f5ca2b
Opcode Fuzzy Hash: 327151f7bebc56f7355ee985beca54bda8cd7dd0ae24fdd1ad7be8b3eac1ed1b
Instruction Fuzzy Hash: 471184716042149FEB10CF69CCC1B4AB7A8EF54324F259195ED18DF296DB70EE50CBA4

Function 24121684 Relevance: 6.1, APIs: 4, Instructions: 59registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(240F0000,241215A0,?), ref: 241216A5
UnregisterClassA.USER32(241215A0,240F0000), ref: 241216CE
RegisterClassA.USER32(2413AA5C), ref: 241216D8
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 24121723

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: bd81dc49f60972dda91baca62fa1c10a1bbbd514d1edd948e7f79f57cabb769c
Instruction ID: 5dad8c7099cfacaf5e87ae1c0080b16b0d28f40b774dd58ac7a6c8cc4f2af081
Opcode Fuzzy Hash: bd81dc49f60972dda91baca62fa1c10a1bbbd514d1edd948e7f79f57cabb769c
Instruction Fuzzy Hash: 8401DBB2700614ABDB10EAA9CCC0F9E7F9CF719104F514320F514F72C6EA76DA408750

Function 24133B80 Relevance: 6.1, APIs: 4, Instructions: 59registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(240F0000,24133AB0,?), ref: 24133BA1
UnregisterClassA.USER32(24133AB0,240F0000), ref: 24133BCA
RegisterClassA.USER32(2413AAC4), ref: 24133BD4
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 24133C1F

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 60b2ebdd4dedda600b790eee50decdd6cf240ef99aae791e27aeab5058e58d06
Instruction ID: cad3e4576a5777f7cdbda470dd2b2add2870a1ea64faa7cacf28e1f769d49e6b
Opcode Fuzzy Hash: 60b2ebdd4dedda600b790eee50decdd6cf240ef99aae791e27aeab5058e58d06
Instruction Fuzzy Hash: 51019BB2700204ABDB10EAA9CCC1F9E7F9CE75C115F114351F618F72C6EA75D9408794

Function 240F5DF8 Relevance: 6.0, APIs: 4, Instructions: 39timefileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(?,?), ref: 240F5E08
GetLastError.KERNEL32(?,?), ref: 240F5E11
FileTimeToLocalFileTime.KERNEL32(?), ref: 240F5E25
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 240F5E34

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: FileTime$DateErrorFindLastLocalNext
String ID:
API String ID: 2103556486-0
Opcode ID: 279fd369aea94373d2c4810311f26676bf52d26d4f3dd90bf34f948f5bf4a313
Instruction ID: 6dcab7d4d7eea1fc2c8297bf330abde5642eae9d01ca730f6c6de37c62bed0df
Opcode Fuzzy Hash: 279fd369aea94373d2c4810311f26676bf52d26d4f3dd90bf34f948f5bf4a313
Instruction Fuzzy Hash: F2F031762042009FDB44CFA4CCC1C8B33ECAF5821470645B2AD18CF24EEA34E594CBA1

Function 240F5AC8 Relevance: 6.0, APIs: 4, Instructions: 25windowsleepCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 240F5AD7
TranslateMessage.USER32 ref: 240F5AE9
DispatchMessageA.USER32 ref: 240F5AEF
Sleep.KERNEL32(00000001,?,00000000,00000000,00000000,00000001,?,00000000,240F5B0A), ref: 240F5AF6

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Message$DispatchPeekSleepTranslate
String ID:
API String ID: 3768732053-0
Opcode ID: 3dee2935046c145a20310657923f066b4c1650418999a03fa847e1f3cf1e7d93
Instruction ID: 189187c9d97b81bc8e49ffec4a9cc332852c60682371e595b3dd377a29b0cd38
Opcode Fuzzy Hash: 3dee2935046c145a20310657923f066b4c1650418999a03fa847e1f3cf1e7d93
Instruction Fuzzy Hash: 01E0123138372039F73056A40C81F9E55C84F2264EF534135B2016A0C6CEC5698041A9

Function 240F548A Relevance: 6.0, APIs: 4, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 240F548F
GlobalUnlock.KERNEL32(00000000), ref: 240F5496
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 240F549B
GlobalLock.KERNEL32(00000000), ref: 240F54A1

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Global$AllocHandleLockUnlock
String ID:
API String ID: 2167344118-0
Opcode ID: 505157e451beb4b904f6f62bc6a33cc31f1955a287db27c020f03c767c2bc075
Instruction ID: 760b1d66a9600ed246e36338de1036906f327c1ae28052553bfb8e50e61488f5
Opcode Fuzzy Hash: 505157e451beb4b904f6f62bc6a33cc31f1955a287db27c020f03c767c2bc075
Instruction Fuzzy Hash: 3AB002C49906043DBB342BF45C19D3F045C9FB450A78749743C00D200ADC689C9840B5

Function 24123548 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 24123671

Strings

.tmp, xrefs: 2412368B
*.*, xrefs: 2412371C

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: *.*$.tmp
API String ID: 536389180-2468557045
Opcode ID: c592e23dd23208e9b1fa803cc722a6cd88a8ca390ce7d95b9a7db82204ca3e2b
Instruction ID: 96643a18eb715c37bc83f665c22407245a58cecbc927331d2bae7c01d21e16c0
Opcode Fuzzy Hash: c592e23dd23208e9b1fa803cc722a6cd88a8ca390ce7d95b9a7db82204ca3e2b
Instruction Fuzzy Hash: 6C716B30A0462CAFEB11CF61CC90ADEBBB9EB59314F9281F5D808E2254DE759F85CE50

Function 24123260 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 2412337A

Strings

.tmp, xrefs: 24123394
*.*, xrefs: 241232E9, 241233FD

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: *.*$.tmp
API String ID: 536389180-2468557045
Opcode ID: 63d52e6fe477d4d3b0e5e5b4fef0a76f2ae6bd8e1314016d46a18282695258dc
Instruction ID: d4121f95a71cfca49ef88ed1494bfaf7db208c9da68a27eb54aedf39b7482917
Opcode Fuzzy Hash: 63d52e6fe477d4d3b0e5e5b4fef0a76f2ae6bd8e1314016d46a18282695258dc
Instruction Fuzzy Hash: FC515F30A08A5C9FEB25CB70DC90ADEBBB5EB54314F9240F59808E2254DF759F85CE50

Function 24120224 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108threadCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 2412024A
GetWindowThreadProcessId.USER32(?,FFFFFFFF), ref: 24120263

Strings

#|#, xrefs: 2412029A, 241202C9, 241202F1, 24120321

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Window$ProcessThread
String ID: #|#
API String ID: 3635926707-3836175907
Opcode ID: d4c0c905e9ee50ce995b8dac4a3562bc58a5ec78e13d99ac7c80253221852852
Instruction ID: 39fcb2ee464125acb6a8ccda19681892865138feaa69f670138fc97903511bc3
Opcode Fuzzy Hash: d4c0c905e9ee50ce995b8dac4a3562bc58a5ec78e13d99ac7c80253221852852
Instruction Fuzzy Hash: 3531C470604508AFFB05DBA4CD909AFBBBDEB98314F524276E900E3748EE74EF458960

Function 24103CEC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00004000,?,00000000,?,00000000,?,?,24103F92,?,?,00004550,00004550,?,00000000), ref: 24103D26
VirtualProtect.KERNEL32(?,00000000,00000000,?,?,?,00000000,?,00000000,?,?,24103F92,?,?,00004550,00004550), ref: 24103D80

Strings

FinalizeSections: VirtualProtect failed, xrefs: 24103D8E

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: Virtual$FreeProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 2581862158-3584865983
Opcode ID: 48f97ceb7ab0abb48088ae0c2970b1d0370b178ebcfb0e24eed38587f7c47017
Instruction ID: e0ae39f0c3013b6cec754fbc2534d14236b637014591e2b1153fd5b8b660b29e
Opcode Fuzzy Hash: 48f97ceb7ab0abb48088ae0c2970b1d0370b178ebcfb0e24eed38587f7c47017
Instruction Fuzzy Hash: 0F215E72708208AFE710CF59C9C4F867BE9AF59694F429191FE48DF35AD6B0EE408750

Function 241179F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 24117A4F
DeleteFileA.KERNEL32(00000000,.bmp,?,00000000,00000000,?,00000000,00000000,00000000,24117AB6), ref: 24117A7C

Strings

.bmp, xrefs: 24117A63

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: CountDeleteFileTick
String ID: .bmp
API String ID: 3334397753-2863430793
Opcode ID: cbb12b75e087a94b73b8d654df7d40483b7cb335676ef8f0854db625440f8549
Instruction ID: f8b221e5f2241f919ffb2bb42b02699255a8a8d9663ffbb2a027686e299464b0
Opcode Fuzzy Hash: cbb12b75e087a94b73b8d654df7d40483b7cb335676ef8f0854db625440f8549
Instruction Fuzzy Hash: 72119030A00108AFEB00DFA8DC90A9EB7B9EF58304F5244B6E818E7358DF74AF458A50

Function 24102BF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,4004667F), ref: 24102C0D

Part of subcall function 24102A38: shutdown.WS2_32(?,00000002), ref: 24102A83
Part of subcall function 24102A38: closesocket.WS2_32(?), ref: 24102AB1

WSAGetLastError.WS2_32(?,00000000,?,00000000,?,?,00000000,?,24102CBD,?,?,2411964C,00000000,2411A33B), ref: 24102C52

Strings

3', xrefs: 24102C5A

Memory Dump Source

Source File: 0000000A.00000002.2519483566.00000000240F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 240F0000, based on PE: true

Associated: 0000000A.00000002.2519483566.0000000024144000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2519483566.000000002414B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240f0000_3ClBcOpPUX.jbxd

Yara matches

Similarity

API ID: ErrorLastclosesocketioctlsocketshutdown
String ID: 3'
API String ID: 3350378930-280543908
Opcode ID: 67953cbbeb681437e6c178f8ece78b732fd211c46b4f13365584b73cdd77e0fc
Instruction ID: b1d36972e4a55a15029397ec120f63a8763fedd73b554cec310f5e8a6c6c0622
Opcode Fuzzy Hash: 67953cbbeb681437e6c178f8ece78b732fd211c46b4f13365584b73cdd77e0fc
Instruction Fuzzy Hash: D001B1742086009BD31C6A388EC4ABB7698AB55370F11EA68B9E49F295D634CF418751

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3ClBcOpPUX.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CyberGate

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_73eb877722a7a4e6c3285f964f520f8d841e3c_e18b091b_e03f20cc-fcef-4cf7-af63-2fc7398c0d83\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA78E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA85A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA88A.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA898.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8F7.tmp.txt

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\Local\Temp\UuU.uUu

C:\Users\user\AppData\Local\Temp\XX--XX--XX.txt

C:\Users\user\AppData\Local\Temp\XxX.xXx

Windows Analysis Report
3ClBcOpPUX.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre