Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Analysis ID:	1519624
MD5:	fada0c33bf7972b910f80e7233a8fd57
SHA1:	6b6ae977d686e446ec8028dbb0c9447c7fdec026
SHA256:	5413944edc2672c6634f665d6c6722cf21220ef49254d8fe42d0d63dc8826988
Tags:	exe
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Drops large PE files

Injects a PE file into a foreign processes

Installs a global keyboard hook

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.Evo-gen.3521.549.exe (PID: 5532 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe" MD5: FADA0C33BF7972B910F80E7233A8FD57)

SecuriteInfo.com.Win32.Evo-gen.3521.549.exe (PID: 6540 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe" MD5: FADA0C33BF7972B910F80E7233A8FD57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "hotsdefender.webredirect.org:2404:1", "Assigned name": "AGOSTO2024", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Ag0s70JwbdycP5ikGBT/VhjSeXFA==-S28M8P", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "wikipedia;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "Key"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aee6:$a1: Remcos restarted by watchdog! 0x6b45e:$a3: %02i:%02i:%02i:%03i
00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x72701:$a1: Remcos restarted by watchdog! 0xa8acc:$a1: Remcos restarted by watchdog! 0x72c5b:$a3: %02i:%02i:%02i:%03i 0x7308a:$a3: %02i:%02i:%02i:%03i 0xa9025:$a3: %02i:%02i:%02i:%03i 0xa9454:$a3: %02i:%02i:%02i:%03i
Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x3b800:$a1: Remcos restarted by watchdog! 0x3bd59:$a3: %02i:%02i:%02i:%03i 0x3c188:$a3: %02i:%02i:%02i:%03i
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690b8:$a1: Remcos restarted by watchdog! 0x69630:$a3: %02i:%02i:%02i:%03i
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x6310c:$str_a1: C:\Windows\System32\cmd.exe 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6317c:$str_b2: Executing file: 0x641fc:$str_b3: GetDirectListeningPort 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d28:$str_b7: \update.vbs 0x631a4:$str_b9: Downloaded file: 0x63190:$str_b10: Downloading file: 0x63234:$str_b12: Failed to upload file: 0x641c4:$str_b13: StartForward 0x641e4:$str_b14: StopForward 0x63c80:$str_b15: fso.DeleteFile " 0x63c14:$str_b16: On Error Resume Next 0x63cb0:$str_b17: fso.DeleteFolder " 0x63224:$str_b18: Uploaded file: 0x631e4:$str_b19: Unable to delete: 0x63c48:$str_b20: while fso.FileExists(" 0x636c1:$str_c0: [Firefox StoredLogins not found]
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62ff8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f8c:$s1: CoGetObject 0x62fa0:$s1: CoGetObject 0x62fbc:$s1: CoGetObject 0x6cf5e:$s1: CoGetObject 0x62f4c:$s2: Elevation:Administrator!new:
3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x1824e6:$a1: Remcos restarted by watchdog! 0x182a5e:$a3: %02i:%02i:%02i:%03i
0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x17c426:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x17c3ba:$s1: CoGetObject 0x17c3ce:$s1: CoGetObject 0x17c3ea:$s1: CoGetObject 0x18638c:$s1: CoGetObject 0x17c37a:$s2: Elevation:Administrator!new:
Click to see the 36 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Pictures\TermianlConsole\TerminalIll.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, ProcessId: 5532, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdvancedUpdater

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T18:44:25.569771+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49708	5.34.182.173	2404	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T18:44:26.940447+0200	2803304	3	Unknown Traffic	192.168.2.5	49710	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: hotsdefender.webredirect.org

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "hotsdefender.webredirect.org:2404:1", "Assigned name": "AGOSTO2024", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Ag0s70JwbdycP5ikGBT/VhjSeXFA==-S28M8P", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "wikipedia;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "Key"}

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046D38C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

3_2_046D38C8

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046A7538 _wcslen,CoGetObject,

3_2_046A7538

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\ReleaseAI\win\Release\stubs\x86\Updater.pdb source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, TerminalIll.exe.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_0040F2B0 FindFirstFileW,GetLastError,FindClose,	0_2_0040F2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_0040F2B0 FindFirstFileW,GetLastError,FindClose,	3_2_0040F2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A96A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_046A96A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_046A928E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046BC322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	3_2_046BC322
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046AC388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	3_2_046AC388
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046ABD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_046ABD72
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A7877 FindFirstFileW,FindNextFileW,	3_2_046A7877
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A8847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	3_2_046A8847
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046EE8F9 FindFirstFileExA,	3_2_046EE8F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046ABB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_046ABB6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046B9B86 FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_046B9B86

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046A7CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

3_2_046A7CD2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49708 -> 5.34.182.173:2404

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: hotsdefender.webredirect.org

Source: global traffic

TCP traffic: 192.168.2.5:49708 -> 5.34.182.173:2404

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: ITLASUA ITLASUA

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49710 -> 178.237.33.50:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046BB411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_046BB411

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: hotsdefender.webredirect.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000003.2255306822.00000000049F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.00000000049F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000003.2255306822.00000000049F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp%
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000003.2255306822.00000000049F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpP
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046AA2F3 SetWindowsHookExA 0000000D,046AA2DF,00000000

3_2_046AA2F3

Installs a global keyboard hook

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046AB749 OpenClipboard,GetClipboardData,CloseClipboard,

3_2_046AB749

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046B68FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_046B68FC

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046AB749 OpenClipboard,GetClipboardData,CloseClipboard,

3_2_046AB749

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046AA41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

3_2_046AA41B

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046BCA73 SystemParametersInfoW,

3_2_046BCA73

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Drops large PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

File dump: TerminalIll.exe.0.dr 989587324

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046B67EF ExitWindowsEx,LoadLibraryA,GetProcAddress,

3_2_046B67EF

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_004140C0	0_2_004140C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_00417933	0_2_00417933
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_0040B1B0	0_2_0040B1B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_0040CA40	0_2_0040CA40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_0041C460	0_2_0041C460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_0040FC10	0_2_0040FC10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_00410660	0_2_00410660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_004C7740	0_2_004C7740
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_004140C0	3_2_004140C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_00417933	3_2_00417933
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_0040B1B0	3_2_0040B1B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_0040CA40	3_2_0040CA40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_0041C460	3_2_0041C460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_0040FC10	3_2_0040FC10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_00410660	3_2_00410660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_004C7740	3_2_004C7740
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046C742E	3_2_046C742E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D7566	3_2_046D7566
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046DE5A8	3_2_046DE5A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D87F0	3_2_046D87F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D706A	3_2_046D706A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046B4005	3_2_046B4005
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046DE11C	3_2_046DE11C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D81E8	3_2_046D81E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046F41D9	3_2_046F41D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046BF18B	3_2_046BF18B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046E6270	3_2_046E6270
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046DE34B	3_2_046DE34B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046F33AB	3_2_046F33AB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046C7C40	3_2_046C7C40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D7DB3	3_2_046D7DB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046DDEED	3_2_046DDEED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D5EEB	3_2_046D5EEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046C6E9F	3_2_046C6E9F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D797E	3_2_046D797E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D39D7	3_2_046D39D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046EDA49	3_2_046EDA49
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046C7AD7	3_2_046C7AD7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046BDBF3	3_2_046BDBF3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: String function: 046A1E65 appears 34 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: String function: 004025B0 appears 42 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: String function: 046D4801 appears 41 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: String function: 046A2093 appears 50 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: String function: 046D4E70 appears 54 times

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000000.00000000.2058051661.00000000005E7000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameupdater.exeB vs SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000000.00000002.2276434355.00000000066DC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameupdater.exeB vs SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameupdater.exeB vs SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000000.2231279969.00000000005E7000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameupdater.exeB vs SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Binary or memory string: OriginalFilenameupdater.exeB vs SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@3/3@2/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_0040E400 FormatMessageW,GetLastError,

0_2_0040E400

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046B798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

3_2_046B798D

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046AF4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

3_2_046AF4AF

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_00404240 LoadResource,LockResource,SizeofResource,

0_2_00404240

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046BAD09 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_046BAD09

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

File created: C:\Users\user\Pictures\TermianlConsole

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Mutant created: \Sessions\1\BaseNamedObjects\Ag0s70JwbdycP5ikGBT/VhjSeXFA==-S28M8P

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	String found in binary or memory: B0x%XMD5SHA256%s %s %s/checknowpurgenotifseenLastModifiedClientConfigPath.datServerConfigPathJustDownloadUpdatesStartMinimizedURLrestartapprestartappcmdstartappfirstNoGUIReducedGUIForceMSIBasicUIchecknowsilentsilentallsilentcritical/install
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	String found in binary or memory: AUpdater finished. Mode: updater.logRunning updater. Mode: Updater wizard ended. Return code: retryattemptsrememberpasswordloglevelautoupdatepolicyproxydownloadsfolderUpdater-comproxystub.dllSoftware\Caphyon\Advanced Updater\SettingsConfigFilePathNoAutoUpdateCheckNextUpdateCheck/silent/silentall/silentcritical-nofreqcheck-url-minuseractions-licensecheckurl-licenseid-justdownload-startminimized-restartapp-restartappcmd-nogui-reducedgui-showaitdlg-forcemsibasicui-startappfirst/configure/clean/justcheck-dumpdetected-critical-installready-licensendate/runservice/debugservice/installservice/configservice-name/uninstallservice/runserverIPCObjNameBase/set/automation-clsid-registerproxystub-Embedding
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	String found in binary or memory: AUpdater finished. Mode: updater.logRunning updater. Mode: Updater wizard ended. Return code: retryattemptsrememberpasswordloglevelautoupdatepolicyproxydownloadsfolderUpdater-comproxystub.dllSoftware\Caphyon\Advanced Updater\SettingsConfigFilePathNoAutoUpdateCheckNextUpdateCheck/silent/silentall/silentcritical-nofreqcheck-url-minuseractions-licensecheckurl-licenseid-justdownload-startminimized-restartapp-restartappcmd-nogui-reducedgui-showaitdlg-forcemsibasicui-startappfirst/configure/clean/justcheck-dumpdetected-critical-installready-licensendate/runservice/debugservice/installservice/configservice-name/uninstallservice/runserverIPCObjNameBase/set/automation-clsid-registerproxystub-Embedding
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	String found in binary or memory: AUpdater finished. Mode: updater.logRunning updater. Mode: Updater wizard ended. Return code: retryattemptsrememberpasswordloglevelautoupdatepolicyproxydownloadsfolderUpdater-comproxystub.dllSoftware\Caphyon\Advanced Updater\SettingsConfigFilePathNoAutoUpdateCheckNextUpdateCheck/silent/silentall/silentcritical-nofreqcheck-url-minuseractions-licensecheckurl-licenseid-justdownload-startminimized-restartapp-restartappcmd-nogui-reducedgui-showaitdlg-forcemsibasicui-startappfirst/configure/clean/justcheck-dumpdetected-critical-installready-licensendate/runservice/debugservice/installservice/configservice-name/uninstallservice/runserverIPCObjNameBase/set/automation-clsid-registerproxystub-Embedding

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: k7rn7l32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: ntd3ll.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static file information: File size 2680832 > 1048576

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x16c200

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\ReleaseAI\win\Release\stubs\x86\Updater.pdb source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, TerminalIll.exe.0.dr

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_00410070 LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,

0_2_00410070

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: section name: .didat
Source: TerminalIll.exe.0.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046FE55D push esi; ret	3_2_046FE566
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046F7186 push ecx; ret	3_2_046F7199
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D4EB6 push ecx; ret	3_2_046D4EC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046FC9A2 pushfd ; retf	3_2_046FC9AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046F7AA8 push eax; ret	3_2_046F7AC6

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046A6EEB ShellExecuteW,URLDownloadToFileW,

3_2_046A6EEB

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

File created: C:\Users\user\Pictures\TermianlConsole\TerminalIll.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046BAADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_046BAADB

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdvancedUpdater			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdvancedUpdater			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046BCBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

3_2_046BCBE1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_00421890		0_2_00421890
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_00421890		3_2_00421890

Delayed program exit found

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046AF7E2 Sleep,ExitProcess,

3_2_046AF7E2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

3_2_046BA7D9

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Window / User API: threadDelayed 887	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Window / User API: threadDelayed 8617	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Window / User API: foregroundWindowGot 1762	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Dropped PE file which has not been started: C:\Users\user\Pictures\TermianlConsole\TerminalIll.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

API coverage: 8.9 %

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_00421890

3_2_00421890

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe TID: 5764	Thread sleep count: 223 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe TID: 5764	Thread sleep time: -111500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe TID: 5460	Thread sleep count: 887 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe TID: 5460	Thread sleep time: -2661000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe TID: 5460	Thread sleep count: 8617 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe TID: 5460	Thread sleep time: -25851000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_0040F2B0 FindFirstFileW,GetLastError,FindClose,	0_2_0040F2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_0040F2B0 FindFirstFileW,GetLastError,FindClose,	3_2_0040F2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A96A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_046A96A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_046A928E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046BC322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	3_2_046BC322
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046AC388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	3_2_046AC388
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046ABD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_046ABD72
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A7877 FindFirstFileW,FindNextFileW,	3_2_046A7877
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A8847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	3_2_046A8847
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046EE8F9 FindFirstFileExA,	3_2_046EE8F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046ABB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_046ABB6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046B9B86 FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_046B9B86

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046A7CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

3_2_046A7CD2

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000003.2255441723.0000000004A26000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.0000000004A05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000003.2255306822.0000000004A05000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

API call chain: ExitProcess graph end node

graph_3-62134

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_0048A530 IsDebuggerPresent,OutputDebugStringW,

0_2_0048A530

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_00410070 LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,

0_2_00410070

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046E3355 mov eax, dword ptr fs:[00000030h]

3_2_046E3355

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_0048A813 GetProcessHeap,HeapFree,InterlockedPushEntrySList,

0_2_0048A813

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_004A6E63 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004A6E63
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_004A6E63 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_004A6E63
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_046D503C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D4A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_046D4A8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046DBB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_046DBB71
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D4BD8 SetUnhandledExceptionFilter,	3_2_046D4BD8

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe base: 46A0000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

3_2_046B2132

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046B9662 mouse_event,

3_2_046B9662

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.0000000004A05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.0000000004A05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4515084168.0000000004A2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managers
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4515084168.0000000004A2C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.00000000049E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4515084168.0000000004A2C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Program Manager]

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046D4CB6 cpuid

3_2_046D4CB6

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	0_2_0040C5D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	3_2_0040C5D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoA,	3_2_046AF90C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_046F24BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: EnumSystemLocalesW,	3_2_046E8484
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,	3_2_046F25C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_046F2690
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: EnumSystemLocalesW,	3_2_046F201B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: EnumSystemLocalesW,	3_2_046F20B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_046F2143
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,	3_2_046F2393
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	3_2_046F1D58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: EnumSystemLocalesW,	3_2_046F1FD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,	3_2_046E896D

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_0040BEB0 GetSystemTime,SystemTimeToFileTime,GetLastError,

0_2_0040BEB0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046BB69E GetComputerNameExW,GetUserNameW,

3_2_046BB69E

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046E9210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

3_2_046E9210

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

3_2_046ABA4D

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		3_2_046ABB6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: \key3.db		3_2_046ABB6B

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: cmd.exe

3_2_046A569A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	211 Input Capture	1 Account Discovery	Remote Desktop Protocol	211 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	2 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	1 Software Packing	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	112 Process Injection	1 DLL Side-Loading	LSA Secrets	23 System Information Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 Bypass User Account Control	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	112 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
http://geoplugin.net/json.gp	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	0%	URL Reputation	safe
http://geoplugin.net/json.gp%	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gpSystem32	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gpP	0%	Avira URL Cloud	safe
hotsdefender.webredirect.org	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hotsdefender.webredirect.org	5.34.182.173	true	true		unknown
geoplugin.net	178.237.33.50	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	false	URL Reputation: safe	unknown
hotsdefender.webredirect.org	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp%	SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.00000000049F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000003.2255306822.00000000049F6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp/C	SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://geoplugin.net/json.gpP	SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000003.2255306822.00000000049F6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gpSystem32	SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.34.182.173	hotsdefender.webredirect.org	Ukraine		15626	ITLASUA	true
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519624
Start date and time:	2024-09-26 18:43:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@3/3@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 70% Number of executed functions: 38 Number of non-executed functions: 258
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, PID 5532 because it is empty
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Simulations

Behavior and APIs

Time	Type	Description
12:44:55	API Interceptor	6676053x Sleep call for process: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe modified
18:44:29	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AdvancedUpdater C:\Users\user\Pictures\TermianlConsole\TerminalIll.exe
18:44:37	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AdvancedUpdater C:\Users\user\Pictures\TermianlConsole\TerminalIll.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
5.34.182.173	SecuriteInfo.com.Win32.Malware-gen.19796.28131.exe	Get hash	malicious	Remcos	Browse
178.237.33.50	sostener.vbs	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	6122.scr.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	6122.scr.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	https://maveuve.github.io/frlpodf/marynewreleasefax.html	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	file.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	SDWLLRJcsY.exe	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	BL.xls	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	z65orderrequest.bat.exe	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
hotsdefender.webredirect.org	SecuriteInfo.com.Win32.Malware-gen.19796.28131.exe	Get hash	malicious	Remcos	Browse	5.34.182.173
	xffa8yu1wWRN.exe	Get hash	malicious	Remcos	Browse	154.29.75.191
	Demanda_Penal-PDF_parsed.exe	Get hash	malicious	Remcos	Browse	185.225.18.106
geoplugin.net	sostener.vbs	Get hash	malicious	Remcos	Browse	178.237.33.50
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	6122.scr.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	6122.scr.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Marys Organizer 2023 Release.zip	Get hash	malicious	Remcos	Browse	178.237.33.50
	https://maveuve.github.io/frlpodf/marynewreleasefax.html	Get hash	malicious	Remcos	Browse	178.237.33.50
	file.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SDWLLRJcsY.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	BL.xls	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATOM86-ASATOM86NL	sostener.vbs	Get hash	malicious	Remcos	Browse	178.237.33.50
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	6122.scr.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	6122.scr.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Marys Organizer 2023 Release.zip	Get hash	malicious	Remcos	Browse	178.237.33.50
	https://maveuve.github.io/frlpodf/marynewreleasefax.html	Get hash	malicious	Remcos	Browse	178.237.33.50
	file.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SDWLLRJcsY.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	BL.xls	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
ITLASUA	82vlsZb3ho.exe	Get hash	malicious	AgentTesla	Browse	91.235.128.141
	RFQ_SBR48736_SB-2-COAL_INDO-005_Rev.scr.exe	Get hash	malicious	AgentTesla	Browse	91.235.128.141
	SecuriteInfo.com.Win32.Malware-gen.19796.28131.exe	Get hash	malicious	Remcos	Browse	5.34.182.173
	RFQ-ITB 4422-Hail and Ghasha fields Project-Work_Rev.scr.exe	Get hash	malicious	AgentTesla	Browse	91.235.128.141
	PO-4ADB89.bat	Get hash	malicious	AgentTesla	Browse	91.235.128.141
	RFQ- TK.60104- NDT.scr.exe	Get hash	malicious	AgentTesla	Browse	91.235.128.141
	CV.exe	Get hash	malicious	AgentTesla	Browse	91.235.128.141
	IMG_50711036.exe	Get hash	malicious	Unknown	Browse	5.34.182.232
	copy72210118.exe	Get hash	malicious	Unknown	Browse	5.34.182.232
	copy#5061320.exe	Get hash	malicious	Unknown	Browse	5.34.182.232

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.013811273052389
Encrypted:	false
SSDEEP:	12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:	18BC6D34FABB00C1E30D98E8DAEC814A
SHA1:	D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
SHA-256:	862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
SHA-512:	8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Roaming\Key\logs.dat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
File Type:	data
Category:	dropped
Size (bytes):	288
Entropy (8bit):	3.3208960278181134
Encrypted:	false
SSDEEP:	6:6lul1zb5YcIeeDAlOWAAe5q1gWAAe5q1gWAv:6lEzDec0WFe5BWFe5BW+
MD5:	F41A444B60E8D70A3B73227AA560D95D
SHA1:	94FDEC5CA1D8AD5A8B43B79DE640B892C4F7F864
SHA-256:	F17F00E20731F564FE47F8B0457AAF4CCEF7351930E78935CE9C13D83A80D336
SHA-512:	4065E34FC2905AD7B62D9877841C4266AED8EEE02498A4918E7660765FD732C38E5D21A5CA55E80A83E0D49BDAD4EBA284C68621FB7C76C6662FEA26D01604DE
Malicious:	false
Reputation:	low
Preview:	....[.2.0.2.4./.0.9./.2.6. .1.2.:.4.4.:.2.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\Pictures\TermianlConsole\TerminalIll.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	989587324
Entropy (8bit):	0.03944305888785394
Encrypted:	false
SSDEEP:
MD5:	15F5D8FB64D019A533C54B04AA06D800
SHA1:	E306EE2C6130949DCAB5EC8F51F02C1EB7649641
SHA-256:	97EA1F93B31260057AB7024DA973979AC23A00F36CCE5E8E15C9986B49420070
SHA-512:	478C41A17519D4718FC45C0608705DB6DA62CF90E0C43C55E463F26890DF7CB7DB7F9C3F80FC50665F3D375FBF3ED73702380CA4C143F9241FAE630CEEBDDD8F
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3.H.].H.].H.]..^.F.]..X..]..Y.\.]..^.P.]..X...]..Y.S.]..[.I.]..\._.].H.\.]..T..]....I.].._.I.].RichH.].................PE..L.....jf.........."....'.............&....... ....@..........................@).....MT)...@..................................-..........0...............h:...p(.<.......p............................d..@............ .......".. ....................text............................... ..`.rdata...)... ...*..................@..@.data...T3...P.......6..............@....didat..H............T..............@....rsrc...0............V..............@..@.reloc..<....p(.......(.............@..B........................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.757992948918612
TrID:	Win32 Executable (generic) a (10002005/4) 98.81% Windows ActiveX control (116523/4) 1.15% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
File size:	2'680'832 bytes
MD5:	fada0c33bf7972b910f80e7233a8fd57
SHA1:	6b6ae977d686e446ec8028dbb0c9447c7fdec026
SHA256:	5413944edc2672c6634f665d6c6722cf21220ef49254d8fe42d0d63dc8826988
SHA512:	b41f4296c4b02828bbb1de630ea20bb5c30fb5f61e22bf38ac59303a98c5334fa158cf16a3a1840bc9279614e61d9a40a1b0d488a05cb75d76747c47dc933d39
SSDEEP:	49152:a8TT5mM8Y2gjw13LJhLPT+l5L5W+u88nHq5H51HQjBQrttD7sfoXSMzPQbQ:aAlx1deTXh
TLSH:	C0C56B613687D027E161C0744239E6FB61397BB51B2B01C76AE4FB6DE43AAC24F38E51
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3.H.].H.].H.]...^.F.]...X...]...Y.\.]...^.P.]...X...]...Y.S.]...[.I.]...\._.].H.\...]...T...].....I.]..._.I.].RichH.]........

File Icon


Icon Hash:	1c3f77752d2b974c

Static PE Info

General

Entrypoint:	0x4a2610
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x666ADB1D [Thu Jun 13 11:42:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	5c379ea4b0995253e468a3b66ec9d720

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007F9A8D073500h
jmp 00007F9A8D0CB55Dh
int3
int3
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 0Fh
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007F9A8D0CBE8Fh
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 07h
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007F9A8D0CBE79h
push ebp
mov ebp, esp
and dword ptr [0051735Ch], 00000000h
sub esp, 24h
or dword ptr [005150D4h], 01h
push 0000000Ah
call dword ptr [004E2280h]
test eax, eax
je 00007F9A8D0CB892h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-20h]
mov dword ptr [ebp-0Ch], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [ebp-1Ch]
xor eax, 6C65746Eh
mov dword ptr [ebp-08h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
nop
lea ebx, dword ptr [ebp-24h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-04h]
or eax, dword ptr [ebp-08h]
or eax, edi
mov dword ptr [ebx+04h], esi
mov dword ptr [ebx+08h], ecx
mov dword ptr [ebx+0Ch], edx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x112d94	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11a000	0x16c130	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x198800	0x3a68	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x287000	0xce3c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xf9b00	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xf9b80	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xe64f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe2000	0x514	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x1122ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xe068a	0xe0800	51109645cc3305a349cc049b5f0eb8aa	False	0.46412057175668153	data	6.683419141543565	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe2000	0x329e0	0x32a00	171f5c057ed8a0ca1fa8b0ca629752f8	False	0.3838879243827161	data	4.84005689509976	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x115000	0x3354	0x1e00	0ae37685c3dfc4161e7dc047636cadcd	False	0.18046875	data	3.5924919995961058	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x119000	0x148	0x200	1e522a0b4036f6b640a20441a5553340	False	0.373046875	data	2.826900590144351	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x11a000	0x16c130	0x16c200	0deef172a776eba26e7749087ddd1899	False	0.47593961873498114	data	6.63448257050225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x287000	0xce3c	0xd000	aad1608f12404d99ddcc5159963325b0	False	0.5896559495192307	data	6.596181811565759	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TYPELIB	0x11aae8	0x1910	data	English	United States	0.41973192019950123
RT_BITMAP	0x11c3f8	0x78c36	PC bitmap, Windows 3.x format, 62538 x 2 x 54, image size 495436, cbSize 494646, bits offset 54			0.7516688702627737
RT_ICON	0x195030	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	English	United States	0.14131431783886145
RT_ICON	0x1d7058	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.1808529516148113
RT_ICON	0x1e7880	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.22863674584822366
RT_ICON	0x1f0d28	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.25087800369685764
RT_ICON	0x1f61b0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.2449220595181861
RT_ICON	0x1fa3d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.2978215767634855
RT_ICON	0x1fc980	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.34122889305816134
RT_ICON	0x1fda28	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.4065573770491803
RT_ICON	0x1fe3b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.475177304964539
RT_MENU	0x1fe818	0x2a	data	English	United States	1.0714285714285714
RT_MENU	0x1fe844	0x4c	data	English	United States	0.9210526315789473
RT_DIALOG	0x1fe890	0xd0	data	English	United States	0.7211538461538461
RT_DIALOG	0x1fe960	0x3b4	data	English	United States	0.4282700421940928
RT_DIALOG	0x1fed14	0x19a	data	English	United States	0.5658536585365853
RT_DIALOG	0x1feeb0	0xf6	data	English	United States	0.6747967479674797
RT_DIALOG	0x1fefa8	0x1b4	data	English	United States	0.5527522935779816
RT_DIALOG	0x1ff15c	0x1a4	data	English	United States	0.6071428571428571
RT_DIALOG	0x1ff300	0xbc	data	English	United States	0.6648936170212766
RT_DIALOG	0x1ff3bc	0x6c	data	English	United States	0.7407407407407407
RT_DIALOG	0x1ff428	0x7c	data	English	United States	0.75
RT_STRING	0x1ff4a4	0x300	data	English	United States	0.4036458333333333
RT_STRING	0x1ff7a4	0x186	data	English	United States	0.5025641025641026
RT_STRING	0x1ff92c	0x1a0	data	English	United States	0.5144230769230769
RT_STRING	0x1ffacc	0x23c	data	English	United States	0.458041958041958
RT_STRING	0x1ffd08	0x3d2	data	English	United States	0.36912065439672803
RT_STRING	0x2000dc	0x350	data	English	United States	0.4339622641509434
RT_STRING	0x20042c	0x55e	data	English	United States	0.41120815138282385
RT_STRING	0x20098c	0x660	data	English	United States	0.2922794117647059
RT_STRING	0x200fec	0x3e	data	English	United States	0.6612903225806451
RT_STRING	0x20102c	0x1f0	Matlab v4 mat-file (little endian) T, numeric, rows 0, columns 0	English	United States	0.4737903225806452
RT_RCDATA	0x20121c	0x3	ASCII text, with no line terminators	English	United States	3.6666666666666665
RT_RCDATA	0x201220	0x1ece	MS Windows icon resource - 3 icons, 32x32, 32 bits/pixel, 24x24, 32 bits/pixel	English	United States	0.31384732437230534
RT_RCDATA	0x2030f0	0x1ece	MS Windows icon resource - 3 icons, 32x32, 32 bits/pixel, 24x24, 32 bits/pixel	English	United States	0.29736241440527517
RT_RCDATA	0x204fc0	0x1ece	MS Windows icon resource - 3 icons, 32x32, 32 bits/pixel, 24x24, 32 bits/pixel	English	United States	0.35011412629977173
RT_RCDATA	0x206e90	0x276	ASCII text, with CRLF line terminators	English	United States	0.3682539682539683
RT_RCDATA	0x207108	0x140	ASCII text	English	United States	0.553125
RT_RCDATA	0x207248	0x119	ASCII text	English	United States	0.5587188612099644
RT_RCDATA	0x207364	0x96	ASCII text	English	United States	0.6333333333333333
RT_RCDATA	0x2073fc	0xbd	ASCII text	English	United States	0.6402116402116402
RT_RCDATA	0x2074bc	0x15d	ASCII text	English	United States	0.46418338108882523
RT_GROUP_ICON	0x20761c	0x84	data	English	United States	0.7196969696969697
RT_VERSION	0x2076a0	0x2f0	SysEx File - IDP	English	United States	0.45611702127659576
RT_ANIICON	0x207990	0xd2da	PC bitmap, Windows 3.x format, 7327 x 2 x 54, image size 54271, cbSize 53978, bits offset 54			0.4145577828004002
RT_ANIICON	0x214c6c	0x7caf	PC bitmap, Windows 3.x format, 4163 x 2 x 51, image size 32591, cbSize 31919, bits offset 54			0.45549672608791003
RT_ANIICON	0x21c91c	0x9617	PC bitmap, Windows 3.x format, 5573 x 2 x 45, image size 39081, cbSize 38423, bits offset 54			0.4408557374489238
RT_ANIICON	0x225f34	0x31c4b	PC bitmap, Windows 3.x format, 25578 x 2 x 42, image size 204096, cbSize 203851, bits offset 54			0.5023423971430113
RT_ANIICON	0x257b80	0x2dd7b	PC bitmap, Windows 3.x format, 24040 x 2 x 45, image size 188091, cbSize 187771, bits offset 54			0.48891468863669046
RT_MANIFEST	0x2858fc	0x834	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.38571428571428573

Imports

DLL	Import
KERNEL32.dll	LoadResource, FindResourceW, FindResourceExW, ReadFile, WideCharToMultiByte, FindClose, GetSystemTime, FindFirstFileW, RemoveDirectoryW, FindNextFileW, GetFileSize, CreateDirectoryW, SetFileAttributesW, GetFileTime, WriteFile, SetFilePointer, SetFileTime, LoadLibraryW, GetProcAddress, GetModuleHandleW, GetWindowsDirectoryW, GetTempPathW, GetTempFileNameW, GetCurrentProcess, GetSystemDirectoryW, LoadLibraryExW, CreateToolhelp32Snapshot, Process32FirstW, OpenProcess, Process32NextW, GetCurrentProcessId, GetExitCodeProcess, WaitForSingleObject, TerminateProcess, FreeLibrary, Sleep, LocalFree, GetTickCount, LocalAlloc, GetUserDefaultUILanguage, FileTimeToLocalFileTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, CreateProcessW, MultiByteToWideChar, FormatMessageW, SetLastError, GetEnvironmentVariableW, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionEx, lstrcmpiW, VerifyVersionInfoW, VerSetConditionMask, lstrlenW, CompareStringW, GetExitCodeThread, TerminateThread, CreateThread, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, EnterCriticalSection, InitializeCriticalSection, LeaveCriticalSection, OutputDebugStringW, GetCurrentThreadId, GetLocalTime, FlushFileBuffers, LockResource, ResetEvent, CreateEventW, SetEvent, GlobalFree, MulDiv, QueryPerformanceFrequency, QueryPerformanceCounter, RaiseException, GetSystemDefaultLangID, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, UnmapViewOfFile, ReleaseMutex, CreateFileMappingW, MapViewOfFile, CreateMutexW, OpenFileMappingW, OpenEventW, lstrcpynW, DecodePointer, GetACP, QueryFullProcessImageNameW, SizeofResource, GetProcessHeap, HeapAlloc, HeapFree, SetEndOfFile, WriteConsoleW, ReadConsoleW, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExW, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, LCMapStringW, GetFileSizeEx, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, GetFileType, GetStdHandle, GetModuleHandleExW, ExitProcess, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetSystemTimeAsFileTime, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, SleepConditionVariableSRW, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetCPInfo, CompareStringEx, LCMapStringEx, GetLocaleInfoEx, VirtualFree, VirtualAlloc, IsProcessorFeaturePresent, FlushInstructionCache, InterlockedPushEntrySList, HeapReAlloc, InterlockedPopEntrySList, InitializeSListHead, EncodePointer, IsDebuggerPresent, LoadLibraryExA, VirtualQuery, VirtualProtect, GetSystemInfo, HeapSize, HeapDestroy, CloseHandle, CreateFileW, CopyFileW, MoveFileW, DeleteFileW, CompareFileTime, SystemTimeToFileTime, FileTimeToSystemTime, GetLastError, GetStringTypeW, CopyFileExW
USER32.dll	LoadMenuW, GetSubMenu, TrackPopupMenu, EnableMenuItem, ModifyMenuW, GetMessagePos, SetCursorPos, RemovePropW, SetPropW, GetWindowDC, DrawEdge, GetActiveWindow, LookupIconIdFromDirectoryEx, GetForegroundWindow, MonitorFromPoint, GetPropW, SetWindowPos, MoveWindow, GetWindowThreadProcessId, GetWindowLongW, GetDC, SendMessageW, GetParent, LoadStringW, SetWindowTextW, PeekMessageW, TranslateMessage, DispatchMessageW, LoadImageW, GetSystemMetrics, DestroyMenu, LockWindowUpdate, CreateDialogParamW, GetMessageW, GetClassInfoExW, RegisterClassExW, PostMessageW, KillTimer, SetTimer, GetDesktopWindow, DialogBoxParamW, GetMenuItemID, SetMenuDefaultItem, PostQuitMessage, RegisterWindowMessageW, DrawMenuBar, GetSystemMenu, PostThreadMessageW, EndDialog, MonitorFromWindow, GetMonitorInfoW, GetWindowRect, SetWindowLongW, DefWindowProcW, CallWindowProcW, EnumWindows, CreateIconFromResourceEx, UnregisterClassW, RedrawWindow, IsWindowEnabled, MapWindowPoints, EnableWindow, GetDlgItem, GetWindow, ShowWindow, IsWindowVisible, SetForegroundWindow, GetDlgCtrlID, FillRect, TrackMouseEvent, DestroyWindow, EndPaint, BeginPaint, SetCursor, SetCapture, SetFocus, ReleaseCapture, GetCapture, PtInRect, ScreenToClient, GetCursorPos, UpdateWindow, InvalidateRect, CharNextW, OffsetRect, ReleaseDC, IsWindow, SetRectEmpty, GetWindowTextW, GetWindowTextLengthW, CreateWindowExW, SystemParametersInfoW, LoadCursorW, GetClassNameW, GetClientRect, DrawFocusRect, GetFocus, DrawTextW, GetSysColor, MessageBoxW
GDI32.dll	GetObjectW, PatBlt, DeleteDC, CreateBitmap, CreatePatternBrush, DeleteObject, GetStockObject, CreateFontIndirectW, SelectObject, SetTextColor, SetBkMode, GetDeviceCaps
SHELL32.dll	ShellExecuteW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, Shell_NotifyIconW, SHGetFolderPathW, SHBrowseForFolderW
ole32.dll	CoInitializeEx, CoTaskMemAlloc, CoTaskMemRealloc, CoResumeClassObjects, CoCreateGuid, CoReleaseServerProcess, CoAddRefServerProcess, CoRegisterClassObject, CoRevokeClassObject, CoCreateInstance, CoUninitialize, CoTaskMemFree, CLSIDFromString
OLEAUT32.dll	SysFreeString, RevokeActiveObject, DispGetIDsOfNames, LoadTypeLib, VarUI4FromStr, DispInvoke, SysAllocString
SHLWAPI.dll	PathIsUNCW, PathAppendW, PathFileExistsW
COMCTL32.dll	CreatePropertySheetPageW, InitCommonControlsEx, PropertySheetW, DestroyPropertySheetPage
UxTheme.dll	EnableThemeDialogTexture, IsAppThemed

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T18:44:25.569771+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49708	5.34.182.173	2404	TCP
2024-09-26T18:44:26.940447+0200	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49710	178.237.33.50	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 18:44:24.818159103 CEST	49708	2404	192.168.2.5	5.34.182.173
Sep 26, 2024 18:44:24.823333025 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:44:24.823522091 CEST	49708	2404	192.168.2.5	5.34.182.173
Sep 26, 2024 18:44:24.831852913 CEST	49708	2404	192.168.2.5	5.34.182.173
Sep 26, 2024 18:44:24.836605072 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:44:25.521392107 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:44:25.569771051 CEST	49708	2404	192.168.2.5	5.34.182.173
Sep 26, 2024 18:44:25.684315920 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:44:25.691148043 CEST	49708	2404	192.168.2.5	5.34.182.173
Sep 26, 2024 18:44:25.695936918 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:44:25.696228027 CEST	49708	2404	192.168.2.5	5.34.182.173
Sep 26, 2024 18:44:25.701123953 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:44:25.701226950 CEST	49708	2404	192.168.2.5	5.34.182.173
Sep 26, 2024 18:44:25.706037998 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:44:26.071811914 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:44:26.073816061 CEST	49708	2404	192.168.2.5	5.34.182.173
Sep 26, 2024 18:44:26.078663111 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:44:26.246503115 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:44:26.288562059 CEST	49708	2404	192.168.2.5	5.34.182.173
Sep 26, 2024 18:44:26.329504967 CEST	49710	80	192.168.2.5	178.237.33.50
Sep 26, 2024 18:44:26.334331989 CEST	80	49710	178.237.33.50	192.168.2.5
Sep 26, 2024 18:44:26.334403038 CEST	49710	80	192.168.2.5	178.237.33.50
Sep 26, 2024 18:44:26.334620953 CEST	49710	80	192.168.2.5	178.237.33.50
Sep 26, 2024 18:44:26.339452028 CEST	80	49710	178.237.33.50	192.168.2.5
Sep 26, 2024 18:44:26.940329075 CEST	80	49710	178.237.33.50	192.168.2.5
Sep 26, 2024 18:44:26.940447092 CEST	49710	80	192.168.2.5	178.237.33.50
Sep 26, 2024 18:44:26.971982002 CEST	49708	2404	192.168.2.5	5.34.182.173
Sep 26, 2024 18:44:26.976917982 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:44:27.940285921 CEST	80	49710	178.237.33.50	192.168.2.5
Sep 26, 2024 18:44:27.941792965 CEST	49710	80	192.168.2.5	178.237.33.50
Sep 26, 2024 18:44:52.353151083 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:44:52.355283976 CEST	49708	2404	192.168.2.5	5.34.182.173
Sep 26, 2024 18:44:52.360184908 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:45:22.387131929 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:45:22.388602972 CEST	49708	2404	192.168.2.5	5.34.182.173
Sep 26, 2024 18:45:22.393459082 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:45:52.427506924 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:45:52.429541111 CEST	49708	2404	192.168.2.5	5.34.182.173
Sep 26, 2024 18:45:52.434495926 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:46:16.289834976 CEST	49710	80	192.168.2.5	178.237.33.50
Sep 26, 2024 18:46:16.726033926 CEST	49710	80	192.168.2.5	178.237.33.50
Sep 26, 2024 18:46:17.429150105 CEST	49710	80	192.168.2.5	178.237.33.50
Sep 26, 2024 18:46:18.726258993 CEST	49710	80	192.168.2.5	178.237.33.50
Sep 26, 2024 18:46:21.140969038 CEST	49710	80	192.168.2.5	178.237.33.50
Sep 26, 2024 18:46:22.479490042 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:46:22.498979092 CEST	49708	2404	192.168.2.5	5.34.182.173
Sep 26, 2024 18:46:22.504635096 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:46:26.038517952 CEST	49710	80	192.168.2.5	178.237.33.50
Sep 26, 2024 18:46:35.687927008 CEST	49710	80	192.168.2.5	178.237.33.50
Sep 26, 2024 18:46:52.520817995 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:46:52.523806095 CEST	49708	2404	192.168.2.5	5.34.182.173
Sep 26, 2024 18:46:52.528786898 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:47:22.567874908 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:47:22.569397926 CEST	49708	2404	192.168.2.5	5.34.182.173
Sep 26, 2024 18:47:22.574466944 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:47:52.612926960 CEST	2404	49708	5.34.182.173	192.168.2.5
Sep 26, 2024 18:47:52.614897013 CEST	49708	2404	192.168.2.5	5.34.182.173
Sep 26, 2024 18:47:52.619745970 CEST	2404	49708	5.34.182.173	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 18:44:24.654994011 CEST	62899	53	192.168.2.5	1.1.1.1
Sep 26, 2024 18:44:24.810760021 CEST	53	62899	1.1.1.1	192.168.2.5
Sep 26, 2024 18:44:26.315819025 CEST	50944	53	192.168.2.5	1.1.1.1
Sep 26, 2024 18:44:26.324646950 CEST	53	50944	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 18:44:24.654994011 CEST	192.168.2.5	1.1.1.1	0xdb75	Standard query (0)	hotsdefender.webredirect.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 18:44:26.315819025 CEST	192.168.2.5	1.1.1.1	0x864b	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 18:44:24.810760021 CEST	1.1.1.1	192.168.2.5	0xdb75	No error (0)	hotsdefender.webredirect.org		5.34.182.173	A (IP address)	IN (0x0001)	false
Sep 26, 2024 18:44:26.324646950 CEST	1.1.1.1	192.168.2.5	0x864b	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49710	178.237.33.50	80	6540	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:44:26.334620953 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Sep 26, 2024 18:44:26.940329075 CEST	1170	IN	HTTP/1.1 200 OK date: Thu, 26 Sep 2024 16:44:26 GMT server: Apache content-length: 962 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Target ID:	0
Start time:	12:44:05
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe"
Imagebase:	0x400000
File size:	2'680'832 bytes
MD5 hash:	FADA0C33BF7972B910F80E7233A8FD57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:44:23
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe"
Imagebase:	0x400000
File size:	2'680'832 bytes
MD5 hash:	FADA0C33BF7972B910F80E7233A8FD57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 004A2610 Relevance: 1.5, APIs: 1, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218e6e01321ae1f6913fb65158d1174fc887bc0443054b63cfb70506d1f48f27
Instruction ID: f8621364e9b27c9163900e7b08c27a233749dcffe9d7be939d8fd56824f53ee1
Opcode Fuzzy Hash: 218e6e01321ae1f6913fb65158d1174fc887bc0443054b63cfb70506d1f48f27
Instruction Fuzzy Hash:

Non-executed Functions

Function 0041C460 Relevance: 43.9, APIs: 29, Instructions: 417windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 0041C48D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0041C4A5
IsWindow.USER32(?), ref: 0041C4DF
DestroyWindow.USER32(?), ref: 0041C4EC
DeleteObject.GDI32(?), ref: 0041C503
DeleteObject.GDI32(?), ref: 0041C51E
IsWindow.USER32 ref: 0041C578
SendMessageW.USER32(?,00000407,00000000,?), ref: 0041C59D

Part of subcall function 0041C010: GetClassNameW.USER32(?,?,00000008), ref: 0041C075
Part of subcall function 0041C010: lstrcmpiW.KERNEL32(?,static), ref: 0041C088
Part of subcall function 0041C010: GetWindowLongW.USER32(?,000000F0), ref: 0041C096
Part of subcall function 0041C010: SetWindowLongW.USER32(?,000000F0,00000000), ref: 0041C0AD
Part of subcall function 0041C010: GetWindowLongW.USER32(?,000000F0), ref: 0041C0B7
Part of subcall function 0041C010: LoadCursorW.USER32(00000000,00007F89), ref: 0041C0FD

InvalidateRect.USER32(?,00000000,00000001), ref: 0041C606
PtInRect.USER32(?,?,?), ref: 0041C65C
SetCursor.USER32(?,?,?), ref: 0041C669
InvalidateRect.USER32(?,?,00000001,?,?), ref: 0041C68C
UpdateWindow.USER32(?), ref: 0041C695
TrackMouseEvent.USER32 ref: 0041C6BF
InvalidateRect.USER32(?,?,00000001,?,?), ref: 0041C6F6
UpdateWindow.USER32(?), ref: 0041C6FF
PtInRect.USER32(?,?,?), ref: 0041C765
SetFocus.USER32(?,?,?,?), ref: 0041C776
SetCapture.USER32(?,?,?,?), ref: 0041C77F
GetCapture.USER32 ref: 0041C7A1
ReleaseCapture.USER32 ref: 0041C7B0
PtInRect.USER32(?,?,?), ref: 0041C7CA
InvalidateRect.USER32(?,00000000,00000001,?), ref: 0041C8B8
UpdateWindow.USER32(?), ref: 0041C8C1

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Window$Rect$Long$Invalidate$CaptureUpdate$CursorDeleteObject$ClassDestroyEventFocusLoadMessageMouseNameReleaseSendTracklstrcmpi
String ID:
API String ID: 3027185170-0
Opcode ID: c60218be6e99dc0e06fba895591131b84a01a8321079d1cd13fe00a6cec5bd74
Instruction ID: cc6e0afa77325fec2447a9afd9b0d4256c451b4bc2748adb1fc5280de1186ee1
Opcode Fuzzy Hash: c60218be6e99dc0e06fba895591131b84a01a8321079d1cd13fe00a6cec5bd74
Instruction Fuzzy Hash: D0E102326403458BDB319F18DDC47ABBBE5FF41325F00092BF486866A1C7B9E895CB59

Function 0040CA40 Relevance: 27.0, APIs: 11, Strings: 4, Instructions: 764COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000001,00000008,?,00000000,00000001,00000000,0DC12AF0), ref: 0040CAB0
GetLastError.KERNEL32(?,00000000,00000001,00000000,0DC12AF0), ref: 0040CAE2
GetLastError.KERNEL32(?,?,00000000,?,00000000,00000001,00000000,0DC12AF0), ref: 0040CB2B

Strings

kernel32.dll, xrefs: 0040D256
open, xrefs: 0040D130
<, xrefs: 0040D10F
GetProcessId, xrefs: 0040D284

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID: <$GetProcessId$kernel32.dll$open
API String ID: 1452528299-2576792382
Opcode ID: 4a2cdf9c4e315269400718ef57f61ea945dab0508b888e11a372e568d6c001b6
Instruction ID: 7620626dd460423cf92409a0719cb9fadcc00bebfcbbca7104388bc6f21c8404
Opcode Fuzzy Hash: 4a2cdf9c4e315269400718ef57f61ea945dab0508b888e11a372e568d6c001b6
Instruction Fuzzy Hash: 6652A071A00209DFDB14DFA9C988BAEB7B5FF48314F10426AE915B73D0DB78A905CB94

Function 00421890 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 320sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 004218E5
GetLastError.KERNEL32 ref: 00421A2D
GetLastError.KERNEL32 ref: 00421BB9

Part of subcall function 004046F0: GetProcessHeap.KERNEL32 ref: 00404745

GetTickCount.KERNEL32 ref: 00421BD3
Sleep.KERNEL32(000001F4), ref: 00421BEA
GetTickCount.KERNEL32 ref: 00421C0F
GetLastError.KERNEL32 ref: 00421C53

Strings

Unable to open SCM error code: , xrefs: 00421943
OpenService failed error code: , xrefs: 00421A84

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorLast$CountTick$HeapProcessSleep
String ID: OpenService failed error code: $Unable to open SCM error code:
API String ID: 873169069-3695868027
Opcode ID: ad8e24634e67280c8b07371f74fb74923a526a45fd3fc7b59d286bc0252b9e7c
Instruction ID: 39752a2110ee06778517b481096a0b1311fa2d9b37b91275ccf1ec5dd84c5f72
Opcode Fuzzy Hash: ad8e24634e67280c8b07371f74fb74923a526a45fd3fc7b59d286bc0252b9e7c
Instruction Fuzzy Hash: 20C14571B002159FCB00DF68D999B6EBBB5FF88314F14412EE905A7392DB789D01CBA6

Function 0040FC10 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 349fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,0DC12AF0,?), ref: 0040FC6B
GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?,00000000), ref: 0040FDD7
Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 0040FE85
CopyFileW.KERNEL32(?,?,00000000), ref: 0040FEA7
Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 0040FF2F
DeleteFileW.KERNEL32(?,0DC12AF0,?,00000000,004C9200,000000FF,?,80004005,?), ref: 0041003D

Strings

shim_clone, xrefs: 0040FDD1

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Wow64$File$Redirection$CopyDeleteDisableFolderNamePathRevertTemp
String ID: shim_clone
API String ID: 3507832535-3944563459
Opcode ID: 1a7c1ff960a6a06aacd34bb3b24c251c9ea9d718bc5cfe0ac4f7c2925e8cc472
Instruction ID: c08c0a1cd291d88cf78de6f197e1c5732bf27c23d445f8b37fa542b5998dafc0
Opcode Fuzzy Hash: 1a7c1ff960a6a06aacd34bb3b24c251c9ea9d718bc5cfe0ac4f7c2925e8cc472
Instruction Fuzzy Hash: A9C11574A002559FCB24DF24CC45BAA77B4EF55304F0480BEE906E76D2EB789E49CB58

Function 00410070 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shlwapi.dll,?,?,?,?,?,?,?,?,?,0040BE4A,?), ref: 0041008F
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 004100A5
FreeLibrary.KERNEL32(00000000), ref: 004100E8
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040BE4A,?), ref: 00410104

Strings

Shlwapi.dll, xrefs: 00410088
DllGetVersion, xrefs: 0041009F

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Library$Free$AddressLoadProc
String ID: DllGetVersion$Shlwapi.dll
API String ID: 1386263645-2240825258
Opcode ID: 92cc7eca85c45edb07daabbf80d511e2aca987027612cc35edca9dda83a19eb1
Instruction ID: af33f0f334ad32919512d607d30fe81e093b28ce6b82dd8faeb84e95a8bc03d3
Opcode Fuzzy Hash: 92cc7eca85c45edb07daabbf80d511e2aca987027612cc35edca9dda83a19eb1
Instruction Fuzzy Hash: D221D8756003019BC700EF29E98566BBBE4FFD9754F80042EF445C7352EA79D984C7A6

Function 0040C5D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 004046F0: GetProcessHeap.KERNEL32 ref: 00404745

GetLocaleInfoW.KERNEL32(00000000,00001004,00000000,00000000,0DC12AF0,?,?,00000000), ref: 0040C705

Part of subcall function 00403700: FindResourceW.KERNEL32(00000000,00000001,00000006,?,00000000,?,?,00000000,0000000E), ref: 00403738

GetLocaleInfoW.KERNEL32(00000000,00001004,00000000,00000000,00000000), ref: 0040C752

Strings

%d.0%d %s, xrefs: 0040C639, 0040C649
%d.%d %s, xrefs: 0040C67A, 0040C68A

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: InfoLocale$FindHeapProcessResource
String ID: %d.%d %s$%d.0%d %s
API String ID: 1404449267-1991655823
Opcode ID: 8b4a4db0120ea0a699f96ba4fe436fa533d9055675b9fb7214c960f8a705aa5f
Instruction ID: ed4079b2e3df8ce724cd89c90403f5c8c328d08c1c0417c1c1e5743d1387bba6
Opcode Fuzzy Hash: 8b4a4db0120ea0a699f96ba4fe436fa533d9055675b9fb7214c960f8a705aa5f
Instruction Fuzzy Hash: 79513971A00644AFDB10DF69CD45BAFB7A8EB44324F10467FF901A73C1DBB959048B98

Function 0048A530 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0041D7C0: InitializeCriticalSectionEx.KERNEL32(00516D54,00000000,00000000,0DC12AF0,00400000,004C93F0,000000FF,?,0048A55F,?,00401D2A,80004005,0DC12AF0), ref: 0041D7E7
Part of subcall function 0041D7C0: GetLastError.KERNEL32(?,0048A55F,?,00401D2A,80004005,0DC12AF0,?,?,?,?,004D3F0D,000000FF), ref: 0041D7F1

IsDebuggerPresent.KERNEL32(?,00401D2A,80004005,0DC12AF0,?,?,?,?,004D3F0D,000000FF), ref: 0048A563
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,00401D2A,80004005,0DC12AF0,?,?,?,?,004D3F0D,000000FF), ref: 0048A572

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0048A56D

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 9eadf5ae73885e909e7361ae96814371ce1b272e201fbede379bef5dc2813b6a
Instruction ID: 8b525c965a04755b195c1c5c1917d0338b0a8464ce1c5bfcd4f7d066941623c4
Opcode Fuzzy Hash: 9eadf5ae73885e909e7361ae96814371ce1b272e201fbede379bef5dc2813b6a
Instruction Fuzzy Hash: 1CE039706007918AD320AF2AE444346BBE4AB14709F00896FE495D6381EBF8D488CBAA

Function 0040F2B0 Relevance: 4.6, APIs: 3, Instructions: 92fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?), ref: 0040F34F
FindClose.KERNEL32(00000000), ref: 0040F3AE

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: cf019c95397ae3bd7a7d67c982a7413ff889f860bad0fe6215baaad92cf2f5af
Instruction ID: 331a6a5a30f6bc3ab4fcb8330d376e06ed8e305d0fafced4f27d8026cebe2754
Opcode Fuzzy Hash: cf019c95397ae3bd7a7d67c982a7413ff889f860bad0fe6215baaad92cf2f5af
Instruction Fuzzy Hash: 6631BE31904218DBCB34DF55C888B6AB7B4EB45324F20817FED15A7BC0E7795A49CB89

Function 004A6E63 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 004A6F5B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 004A6F65
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 004A6F72

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 97642c44a0cbb6f6a20732a62bc036de94da881259cb2fe32fbd028ca373d166
Instruction ID: c2d3e8f30271eeb2c703f14c033b72363404c79db3f95efebaded994b794ef09
Opcode Fuzzy Hash: 97642c44a0cbb6f6a20732a62bc036de94da881259cb2fe32fbd028ca373d166
Instruction Fuzzy Hash: D731E575901228ABCB21DF68DD88B8DBBB8BF18350F5041EAF40CA7251E7749F858F48

Function 00404240 Relevance: 4.6, APIs: 3, Instructions: 65COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,0DC12AF0,00000001,00000000,00000000,00000000,004C9440,000000FF,?,004041EC,?,?,00000000,?,00000000), ref: 0040426B
LockResource.KERNEL32(00000000,?,004041EC,?,?,00000000,?,00000000,0000000E,004C92A0,000000FF,?,00403728,?,00000000), ref: 00404276
SizeofResource.KERNEL32(00000000,00000000,?,004041EC,?,?,00000000,?,00000000,0000000E,004C92A0,000000FF,?,00403728,?,00000000), ref: 00404284

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: e241c0668d39d682e978da702de004cae881659ab1cddfcb8c31a481a8bad568
Instruction ID: 93ef7e0d7320103cc77a1bcc42c8b63aa6b5e546cd758a360c8bd270cc546454
Opcode Fuzzy Hash: e241c0668d39d682e978da702de004cae881659ab1cddfcb8c31a481a8bad568
Instruction Fuzzy Hash: 34110472B046559BC7248F58DC44B66F7ACEBC9760F004A7FFD1AD3380E639AC008694

Function 0040BEB0 Relevance: 4.5, APIs: 3, Instructions: 43timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 0040BED4
SystemTimeToFileTime.KERNEL32(?,?), ref: 0040BEED
GetLastError.KERNEL32 ref: 0040BEF7

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Time$System$ErrorFileLast
String ID:
API String ID: 2409880431-0
Opcode ID: 471b01fabcc812b117e9dd9e09828e1014e3f514a6bd6dc3df999980ac07c771
Instruction ID: 2076798d4bedf1a59ae96c01cb7bba7240f10231524ee2555f5e7d375d07ceb8
Opcode Fuzzy Hash: 471b01fabcc812b117e9dd9e09828e1014e3f514a6bd6dc3df999980ac07c771
Instruction Fuzzy Hash: FB0175715043099FC300DF38D84559BB7E8EF89324F004B2EFC89D7650EB309A808B86

Function 0048A813 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0041BB46,?,0048A979,646A0B74,?,?,0041BB46,?,0DC12AF0), ref: 0048A82B
HeapFree.KERNEL32(00000000,?,0048A979,646A0B74,?,?,0041BB46,?,0DC12AF0), ref: 0048A832
InterlockedPushEntrySList.KERNEL32(00000000,0041BB46,?,0048A979,646A0B74,?,?,0041BB46,?,0DC12AF0), ref: 0048A83B

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Heap$EntryFreeInterlockedListProcessPush
String ID:
API String ID: 1982578398-0
Opcode ID: 8e21b6c2f33f9e6ab3d52abcbff44307213c207b25154c7f5a7f8cbf12b54410
Instruction ID: 58b739b41e28482ca19ef0c37aa6a3011dec2f7affb61a47b09e75de49b60fe6
Opcode Fuzzy Hash: 8e21b6c2f33f9e6ab3d52abcbff44307213c207b25154c7f5a7f8cbf12b54410
Instruction Fuzzy Hash: 97D05E312002089BDB087BA4BD89AAA776CBB58716F00446AF60A8A151CBA6D450C77A

Function 0040E400 Relevance: 3.1, APIs: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001B00,?,?,00000400,00000000,00000000,00000000,0DC12AF0,?,?,00000000), ref: 0040E458
GetLastError.KERNEL32(?,00000400,00000000,00000000,00000000,0DC12AF0,?,?,00000000), ref: 0040E462

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 3b4c6c0844d0dc56628569df1b7946591bcfa4723b830e5ae8d2cc5fc54a8771
Instruction ID: 07f1dc488cf590a7d1d8a50a009b265395bda766f4df29658d065cb7d0fd33f6
Opcode Fuzzy Hash: 3b4c6c0844d0dc56628569df1b7946591bcfa4723b830e5ae8d2cc5fc54a8771
Instruction Fuzzy Hash: 9231A271A002099FDB10DF99CD45BAEB7F8EB44714F10453EE914E73C1EBB999048B95

Function 00410660 Relevance: .7, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1adf5236a2cb7355e06cf26c4f63be86e5465e2b5c2a00430b7b0f06f5eada0e
Instruction ID: 288c19dbd39df3d9549b71fb3ff1c29512fd0c6f20f9ebb5cebf2db4790caaba
Opcode Fuzzy Hash: 1adf5236a2cb7355e06cf26c4f63be86e5465e2b5c2a00430b7b0f06f5eada0e
Instruction Fuzzy Hash: 7722C3B3B543104BD75CCE5DCCA23ADB2D3ABD4218B0E853DB48AC3342EA7DD9598685

Function 004C7740 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a935151cf0048679518ffc25f71d524382ba740b23f33936aa9901e4cddeb8cf
Instruction ID: 4bf6a895c9f118d68ab3f3da24b0197bf044c343f9a328ed659d747efd648315
Opcode Fuzzy Hash: a935151cf0048679518ffc25f71d524382ba740b23f33936aa9901e4cddeb8cf
Instruction Fuzzy Hash: 14323825D28F014ED7639638C962336624CAFB73C5F15C73BE816B5AA6EF2D84D38504

Function 0040B1B0 Relevance: .5, Instructions: 510COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0109c2152581fed7673c4c9b187400e2548b214f7a67be6d8affe5defe7ce769
Instruction ID: df4df0b6b0a9eb2eef3298547a0818a0f0945851f74617012c1ceae8b4462b76
Opcode Fuzzy Hash: 0109c2152581fed7673c4c9b187400e2548b214f7a67be6d8affe5defe7ce769
Instruction Fuzzy Hash: E6F1DD31A00605DFCB14DF58C984BAEB7F5EF58318F10457EE915AB381EB39A901CBA9

Function 00417933 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c24ae45363aa8cb2322f973a667620dc27439f579ada17635cc5f3fa2880fc6
Instruction ID: 8d6045ff85055677b05d4db250989fa27b6ff9d620f729329c5789697308117c
Opcode Fuzzy Hash: 3c24ae45363aa8cb2322f973a667620dc27439f579ada17635cc5f3fa2880fc6
Instruction Fuzzy Hash: 4EE16C72A083058FD708CF19D49056AFBF2AFD8310F59896DE48A57354DA34AD49CB86

Function 004140C0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e5cc670ec3ab13275cc1d1085391fc559b7edd6393e15ec102b971803af4ed
Instruction ID: ab90b8563c4670964f1b87f962e3b33d06c8ae89d86231dc25132bfdbc9feb0a
Opcode Fuzzy Hash: 45e5cc670ec3ab13275cc1d1085391fc559b7edd6393e15ec102b971803af4ed
Instruction Fuzzy Hash: 6F41C572B0421A5BC708CF2DDC445BAB3E6ABE5300F55862EF406C7244EB34DA95C6D9

Function 00401F30 Relevance: 44.1, APIs: 22, Strings: 3, Instructions: 396filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 00401F8D
GetLastError.KERNEL32 ref: 00401FAB
GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 00401FCC
GetLastError.KERNEL32 ref: 00401FD6
CloseHandle.KERNEL32(00000000), ref: 00401FF4
CloseHandle.KERNEL32(00000000), ref: 00402060
FileTimeToSystemTime.KERNEL32(?,?), ref: 00402075
GetLastError.KERNEL32 ref: 0040207F
SystemTimeToFileTime.KERNEL32(?,?), ref: 004020E6
SystemTimeToFileTime.KERNEL32(00000000,004ED624), ref: 00402107
CompareFileTime.KERNEL32(004ED624,?), ref: 0040211D
PathFileExistsW.SHLWAPI(?), ref: 0040218C
CreateFileW.KERNEL32(?,C0000000,00000000,0000000C,00000002,00000080,00000000,S-1-5-18,10000000,00000001,S-1-1-0,10000000,00000001), ref: 00402200
GetLastError.KERNEL32 ref: 00402212
CloseHandle.KERNEL32(00000000), ref: 0040221E
CopyFileExW.KERNEL32(?,?,Function_00001DB0,?,00000000,00000000), ref: 00402256
GetLastError.KERNEL32(?,00000000,00000000), ref: 00402260
DeleteFileW.KERNEL32(?,?,00000000,00000000), ref: 00402309
MoveFileW.KERNEL32(?,?), ref: 00402314
CopyFileW.KERNEL32(?,?,00000000,?,00000000,00000000), ref: 00402324
GetLastError.KERNEL32(?,00000000,00000000), ref: 0040232E

Strings

S-1-1-0, xrefs: 004021BA
S-1-5-18, xrefs: 004021CB
.part, xrefs: 0040215F

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$Time$ErrorLast$CloseHandleSystem$CopyCreate$CompareDeleteExistsMovePath
String ID: .part$S-1-1-0$S-1-5-18
API String ID: 1792433798-2727065896
Opcode ID: 0e9466f372dea999ad3f76dcdccc64536a99feefd2cd2b80c617ae8057fb602f
Instruction ID: e7e75dc81b18a953d1c93d721810014bf2d56a84cb0d319300e3cf8c54c6109c
Opcode Fuzzy Hash: 0e9466f372dea999ad3f76dcdccc64536a99feefd2cd2b80c617ae8057fb602f
Instruction Fuzzy Hash: A9F18271A002559FDF15DF64CE88BAE7BB8BF08310F14416AE901BB2D1DBB89D41CB99

Function 0041BD40 Relevance: 37.7, APIs: 25, Instructions: 235windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0041BDEA
SetBkMode.GDI32(00000000,00000001), ref: 0041BDF5
SelectObject.GDI32(00000000,004CD25D), ref: 0041BE01
DrawTextW.USER32(00000000,00000000,00000000,?,?), ref: 0041BE2A
IsWindowEnabled.USER32(?), ref: 0041BE33
SetTextColor.GDI32(00000000,00000000), ref: 0041BE59
SelectObject.GDI32(00000000,004CD25D), ref: 0041BE82
DrawTextW.USER32(00000000,00000000,00000000,?,?), ref: 0041BE96
SetTextColor.GDI32(00000000,00000000), ref: 0041BEA2
SelectObject.GDI32(00000000,004CD25D), ref: 0041BEAE
DrawTextW.USER32(00000000,00000000,00000000,?,?), ref: 0041BEDF
GetFocus.USER32 ref: 0041BEE5
DrawFocusRect.USER32(00000000,?), ref: 0041BEF7
SetBkMode.GDI32(00000000,00000001), ref: 0041BF0A
IsWindowEnabled.USER32(?), ref: 0041BF13
SetTextColor.GDI32(00000000,00000000), ref: 0041BF39
SelectObject.GDI32(00000000,004CD25D), ref: 0041BF62
GetWindowLongW.USER32(?,000000F0), ref: 0041BF7A
DrawTextW.USER32(00000000,?,000000FF,?,00000000), ref: 0041BFB3
GetFocus.USER32 ref: 0041BFB9
DrawFocusRect.USER32(00000000,?), ref: 0041BFCB
SetTextColor.GDI32(00000000,?), ref: 0041BFD7
SelectObject.GDI32(00000000,?), ref: 0041BFE3

Part of subcall function 0041CA60: lstrlenW.KERNEL32(?,?,?,?,?,0041BDDC,00000000,00000000,00000000,?,?), ref: 0041CAAB
Part of subcall function 0041CA60: CompareStringW.KERNEL32(00000400,00000001,?,00000003,<A>,00000003,?,?,?,?,?,0041BDDC,00000000,00000000,00000000,?), ref: 0041CAE1

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Text$Draw$ObjectSelect$ColorFocus$RectWindow$EnabledMode$ClientCompareLongStringlstrlen
String ID:
API String ID: 516339513-0
Opcode ID: f9cb10e944891a58f2877bd8dc36cbc5baff937ef3f6b2c12a510f4dd16595c0
Instruction ID: 2c980b3703f5cc2d7d0cf76392f31b2ec9cdadedb7d224bd9ed30f3d005f4212
Opcode Fuzzy Hash: f9cb10e944891a58f2877bd8dc36cbc5baff937ef3f6b2c12a510f4dd16595c0
Instruction Fuzzy Hash: 5D917F71800648EFDB159F94CE88BEEBBF9FF04300F144129FA069A6A1D775A881CF94

Function 00422F10 Relevance: 30.1, APIs: 9, Strings: 8, Instructions: 347COMMON

Download Yara Rule

Strings

txt, xrefs: 00422FF8
Unable to retrieve PowerShell output from file: , xrefs: 0042329E
ps1, xrefs: 00422FD4, 00422FE4
powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new, xrefs: 0042309D
Unable to create process: , xrefs: 00423142
Unable to find file , xrefs: 00422F46
Unable to get a temp file for script output, temp path: , xrefs: 00423041
Unable to retrieve exit code from process., xrefs: 004232C1

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: Unable to create process: $Unable to find file $Unable to get a temp file for script output, temp path: $Unable to retrieve PowerShell output from file: $Unable to retrieve exit code from process.$powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new$ps1$txt
API String ID: 0-4129021124
Opcode ID: c692b40d92048e3b7a0df00ada8a2a4575ee1fe6ca06f03cbd9019e7215ce75d
Instruction ID: 8fca4b158ec15318c5540a828615c12e9e6b570026fefc036ef6483ce5bf34f2
Opcode Fuzzy Hash: c692b40d92048e3b7a0df00ada8a2a4575ee1fe6ca06f03cbd9019e7215ce75d
Instruction Fuzzy Hash: CCD1B171E00659EFDB10DFA4CD45BAEBBB8EF08314F14815AE511B72D1DB789A01CBA8

Function 0041C010 Relevance: 30.1, APIs: 12, Strings: 5, Instructions: 316stringCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000008), ref: 0041C075
lstrcmpiW.KERNEL32(?,static), ref: 0041C088
GetWindowLongW.USER32(?,000000F0), ref: 0041C096
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0041C0AD
GetWindowLongW.USER32(?,000000F0), ref: 0041C0B7
LoadCursorW.USER32(00000000,00007F89), ref: 0041C0FD
SystemParametersInfoW.USER32(0000001F,0000005C,?,00000000), ref: 0041C13A
CreateFontIndirectW.GDI32(?), ref: 0041C147
CreateWindowExW.USER32(00000000,tooltips_class32,00000000,00000000,80000000,80000000,00000000,-00515B9C,?,00000000,00000000), ref: 0041C1A9
GetWindowTextLengthW.USER32(?), ref: 0041C1D1
GetWindowTextW.USER32(?,?,?), ref: 0041C255

Strings

Anchor Color, xrefs: 0041C357
static, xrefs: 0041C07F
tooltips_class32, xrefs: 0041C1A2
Anchor Color Visited, xrefs: 0041C3C5
Software\Microsoft\Internet Explorer\Settings, xrefs: 0041C2FD

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Window$Long$CreateText$ClassCursorFontIndirectInfoLengthLoadNameParametersSystemlstrcmpi
String ID: Anchor Color$Anchor Color Visited$Software\Microsoft\Internet Explorer\Settings$static$tooltips_class32
API String ID: 1715782676-2451883503
Opcode ID: 043b84f6f711704407ea80dfce993d29bf5ac0002511e5b26b5ce181ace7a093
Instruction ID: 725937723d1a965ef6c1e8503389826acca56894c70765643222f210e7e60ed4
Opcode Fuzzy Hash: 043b84f6f711704407ea80dfce993d29bf5ac0002511e5b26b5ce181ace7a093
Instruction Fuzzy Hash: 21C16F71940228EFDB20CF64CD85BEAB7B9FB09710F1042AAE945E7290D774AD84CF59

Function 00422220 Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 227libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00422513
GetProcAddress.KERNEL32(00000000), ref: 0042251A
GetCurrentProcess.KERNEL32(?), ref: 00422551

Strings

CSDVersion, xrefs: 00422468
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 0042228E
CurrentMajorVersionNumber, xrefs: 004222CE
CurrentVersion, xrefs: 00422324
CurrentMinorVersionNumber, xrefs: 004222F1
kernel32, xrefs: 0042250E
IsWow64Process, xrefs: 00422509
@~Q, xrefs: 00422484
CurrentBuildNumber, xrefs: 0042239D
ReleaseId, xrefs: 00422413

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: @~Q$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32
API String ID: 4190356694-3447640927
Opcode ID: e2749d38b81d8b4bf75f3840135c3c92b1c3a3e9e9ec64d1ee4cfd8bdcd8ae86
Instruction ID: 1bbe1d699178f18a9e826662ab678ca5a7ec6dc6a39511ee267ccadebd2a30fe
Opcode Fuzzy Hash: e2749d38b81d8b4bf75f3840135c3c92b1c3a3e9e9ec64d1ee4cfd8bdcd8ae86
Instruction Fuzzy Hash: C3A1B67190022CAFDB20CF24DD45BEAB7B9FB54715F4042E6E409A7290D7B95E98CF48

Function 00422B90 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 311fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004046F0: GetProcessHeap.KERNEL32 ref: 00404745

SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,-00000010,?,?,?,?,004CE548,000000FF), ref: 00422C3C
PathAppendW.SHLWAPI(00000000,WindowsPowerShell\v1.0\powershell.exe,?,?,?,?,004CE548,000000FF), ref: 00422C4F
PathFileExistsW.SHLWAPI(00000000,?,?,?,?,004CE548,000000FF), ref: 00422C5D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,ps1,ps1,?,?,00000000,?,0DC12AF0), ref: 00422DE2
WriteFile.KERNEL32(00000000,0DC12AF0,00000002,00000000,00000000), ref: 00422E28
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 00422E45
CloseHandle.KERNEL32(00000000), ref: 00422E5F
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 00422E9E

Strings

WindowsPowerShell\v1.0\powershell.exe, xrefs: 00422C46
ps1, xrefs: 00422D54, 00422D64, 00422D78
Unable to get temp file , xrefs: 00422DC3
Unable to save script file , xrefs: 00422E6E

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$Path$CloseHandleWrite$AppendCreateExistsFolderHeapProcess
String ID: Unable to get temp file $Unable to save script file $WindowsPowerShell\v1.0\powershell.exe$ps1
API String ID: 349229100-1956641645
Opcode ID: 7ad45c2368c71d2fe85578560d2da3d39e7b9b3ff89c9399797463821e113581
Instruction ID: d42f0efcad36aa42f27c1db0039ee6102bbf436bb604ab8bbebb73ac5189c64d
Opcode Fuzzy Hash: 7ad45c2368c71d2fe85578560d2da3d39e7b9b3ff89c9399797463821e113581
Instruction Fuzzy Hash: 66A14C71A00245EFDB10DF68DD45BAEB7B8EF44314F14416EE911AB3C2DBB89A05CB98

Function 0040E530 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ComCtl32.dll,0DC12AF0,00000000,?,?,80004005), ref: 0040E56A
GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 0040E590
GetSystemMetrics.USER32(0000000C), ref: 0040E5D0
GetSystemMetrics.USER32(0000000B), ref: 0040E5E8
LoadImageW.USER32(?,?,00000001,00000000,00000000,8}Q), ref: 0040E5FB
FreeLibrary.KERNEL32(00000000), ref: 0040E619

Strings

ComCtl32.dll, xrefs: 0040E55E
8}Q, xrefs: 0040E54F
LoadIconMetric, xrefs: 0040E58A
8}Q, xrefs: 0040E5EE

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoadMetricsSystem$AddressFreeImageProc
String ID: 8}Q$8}Q$ComCtl32.dll$LoadIconMetric
API String ID: 1983857168-2713985652
Opcode ID: dd372ac83a70f1638904b875ca29fd3036f09630c3c4cfa8273b38f887a47247
Instruction ID: 2f6354482e5b4daa6eb24b6bb56d5beb77485f2c9d248e1dd729dfed3153e01b
Opcode Fuzzy Hash: dd372ac83a70f1638904b875ca29fd3036f09630c3c4cfa8273b38f887a47247
Instruction Fuzzy Hash: EF319C71A00259EFDB108FA5CD58BAFBBB8FB44751F10463AE815A73D0E7B94D048BA4

Function 0041D2C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 0041D2DE
GetParent.USER32 ref: 0041D2F3
GetDlgCtrlID.USER32(?), ref: 0041D2FE
SendMessageW.USER32(00000000,0000004E,00000000,?), ref: 0041D30D
GetParent.USER32(?), ref: 0041D326
GetDlgCtrlID.USER32(?), ref: 0041D332
SendMessageW.USER32(00000000,00000111,?,?), ref: 0041D343

Strings

open, xrefs: 0041D35B

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Ctrl$MessageParentSend
String ID: open
API String ID: 1194393872-2758837156
Opcode ID: 7db86b2ee923ae4809a3303b51982e4960cead85fd83c4e4b09c35211e5c9e0c
Instruction ID: c55c276102c4a995057dfe8b7830552e604b44e3d6465a68b9c81adfffe5fed8
Opcode Fuzzy Hash: 7db86b2ee923ae4809a3303b51982e4960cead85fd83c4e4b09c35211e5c9e0c
Instruction Fuzzy Hash: 792183751802417FD3004B14ED46FD5B7ACFB49311F000126FD14C72A0C3F99859DBA5

Function 0041BBF0 Relevance: 16.6, APIs: 11, Instructions: 110windowCOMMON

Download Yara Rule

APIs

SetBkMode.GDI32(00000000,00000001), ref: 0041BC3D
IsWindowEnabled.USER32(?), ref: 0041BC46
SetTextColor.GDI32(00000000,00000000), ref: 0041BC6C
SelectObject.GDI32(00000000,004CD25D), ref: 0041BC95
GetWindowLongW.USER32(?,000000F0), ref: 0041BCAD
DrawTextW.USER32(00000000,?,000000FF,?,00000000), ref: 0041BCE6
GetFocus.USER32 ref: 0041BCEC
DrawFocusRect.USER32(00000000,?), ref: 0041BD01
SetTextColor.GDI32(00000000,?), ref: 0041BD0D
SelectObject.GDI32(00000000,00000000), ref: 0041BD19

Part of subcall function 0041BD40: GetClientRect.USER32(?,?), ref: 0041BDEA
Part of subcall function 0041BD40: SetBkMode.GDI32(00000000,00000001), ref: 0041BDF5
Part of subcall function 0041BD40: SelectObject.GDI32(00000000,004CD25D), ref: 0041BE01
Part of subcall function 0041BD40: DrawTextW.USER32(00000000,00000000,00000000,?,?), ref: 0041BE2A
Part of subcall function 0041BD40: IsWindowEnabled.USER32(?), ref: 0041BE33
Part of subcall function 0041BD40: SetTextColor.GDI32(00000000,00000000), ref: 0041BE59

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Text$ColorDrawObjectSelectWindow$EnabledFocusModeRect$ClientLong
String ID:
API String ID: 1016125553-0
Opcode ID: 9e4610b95e04a6c35fd6d926c90bc0b92e3f67bbdee6171249a2b2498473feb9
Instruction ID: 52404eb7729faf50e17296b4fba035a19130a2e1f7c741a8ba77a03c05a317c8
Opcode Fuzzy Hash: 9e4610b95e04a6c35fd6d926c90bc0b92e3f67bbdee6171249a2b2498473feb9
Instruction Fuzzy Hash: 1041C231100648AFDB158F18CE48BAB7BB5FF04354F10452EF9569A6A0DB79E881CBD4

Function 0041CF00 Relevance: 15.1, APIs: 10, Instructions: 131windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0041CF6D
SendMessageW.USER32(00000000,00000138,?,?), ref: 0041CF7D
GetClientRect.USER32(?,?), ref: 0041CF98
FillRect.USER32(?,?,?), ref: 0041CFA6

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Rect$ClientFillMessageParentSend
String ID:
API String ID: 425900729-0
Opcode ID: 968f1b406a7bbec655b64d50d5ff44344a441af49ce52c340f625c28c9cf8df9
Instruction ID: 95c8759d1fb51ee54272729ad686b875d4429a9de9c7c3fe2a4429ce54ea2974
Opcode Fuzzy Hash: 968f1b406a7bbec655b64d50d5ff44344a441af49ce52c340f625c28c9cf8df9
Instruction Fuzzy Hash: 45518EB0D00248EFDB11CFA4CE44B9EBBB8FF09314F204269E814A7291D775AA40CF95

Function 0041F991 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 290libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetPackagePath), ref: 0041FB1D
GetProcAddress.KERNEL32(?,GetPackagePath), ref: 0041FB86
GetLastError.KERNEL32 ref: 0041FBB0
FreeLibrary.KERNEL32(?), ref: 0041FCB8

Strings

neutral, xrefs: 0041FA22
x64, xrefs: 0041FA06
GetPackagePath, xrefs: 0041FB17, 0041FB80
x86, xrefs: 0041F9D5

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorFreeLastLibrary
String ID: GetPackagePath$neutral$x64$x86
API String ID: 1800271603-1738950451
Opcode ID: 97292470591dba9c5654709f679e543704e5dc5cd21af478cbf61158a8b177c1
Instruction ID: debee1cd04ae6672c277860f6ce81dc62e70c759f4da5711ec818e9a5afa0d24
Opcode Fuzzy Hash: 97292470591dba9c5654709f679e543704e5dc5cd21af478cbf61158a8b177c1
Instruction Fuzzy Hash: EBB17270A00609DFCF04DFA8C994AADBBB1FF49314F14816EE405EB391DB78A946CB55

Function 0048A641 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(0041BB46,?,?,0048A987,00516D88,?,?,?,0041BB46,?,0DC12AF0), ref: 0048A653
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,0041BB46,?,?,0048A987,00516D88,?,?,?,0041BB46,?,0DC12AF0), ref: 0048A668
DecodePointer.KERNEL32(0041BB46,?,?,?,?,?,?,?,?,?,?,0041BB46,?,0DC12AF0), ref: 0048A6E4

Strings

atlthunk.dll, xrefs: 0048A663
AtlThunk_AllocateData, xrefs: 0048A679
AtlThunk_InitData, xrefs: 0048A690
AtlThunk_DataToCode, xrefs: 0048A6A7
AtlThunk_FreeData, xrefs: 0048A6BE

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 7277a9bf98d1a013ca28f0ade386a6b488443ea67123b5dd480839fe9509e175
Instruction ID: 14f3dc36a5d214969902ae08834b9f2a1073da9fc6ea541ed7746b5307598505
Opcode Fuzzy Hash: 7277a9bf98d1a013ca28f0ade386a6b488443ea67123b5dd480839fe9509e175
Instruction Fuzzy Hash: CB018E60B40280BBEB117711AC0AB8E3B585B01749F1C4457FE817B2DAF6D986749B9E

Function 00406360 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 104libraryloaderCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?), ref: 00406370
LoadLibraryW.KERNEL32(Shell32.dll), ref: 00406383
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00406393
SHGetPathFromIDListW.SHELL32(?,00000000), ref: 00406422
SHGetMalloc.SHELL32(?), ref: 0040646A

Strings

SHGetSpecialFolderPathW, xrefs: 0040638D
Shell32.dll, xrefs: 0040637E

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressFolderFromLibraryListLoadLocationMallocPathProcSpecial
String ID: SHGetSpecialFolderPathW$Shell32.dll
API String ID: 2352187698-2988203397
Opcode ID: f54980111735cdc77347b05e677e9d3c6c7f61fc47580892de74c3fda15638eb
Instruction ID: 32944ae05cac6b1734df2e73548a01801abb7a70ad093a706801a1ec2376c662
Opcode Fuzzy Hash: f54980111735cdc77347b05e677e9d3c6c7f61fc47580892de74c3fda15638eb
Instruction Fuzzy Hash: 1E313571A007019BDB249F28DD45B2B77F5FF84700F05843DE886AB2E0EBB99855CB99

Function 00421340 Relevance: 10.9, APIs: 4, Strings: 3, Instructions: 415COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(Unable to find the service error code: ,00000027,?,80004005), ref: 004213EA
GetLastError.KERNEL32(Unable to set the service status error code: ,0000002D,?,80004005), ref: 004216A3
GetLastError.KERNEL32(Unable to set the service status error code: ,0000002D,?,80004005), ref: 00421560

Part of subcall function 004046F0: GetProcessHeap.KERNEL32 ref: 00404745

Strings

Unable to find the service error code: , xrefs: 004213E0
Unable to set the service status error code: , xrefs: 00421556, 00421699, 004217E4
, xrefs: 00421845

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorLast$HeapProcess
String ID: $Unable to find the service error code: $Unable to set the service status error code:
API String ID: 2107678991-612451267
Opcode ID: 17b990731dc2eabcca0b27cf4be0a8fc97404014e35a54f36e2c43222e0975fd
Instruction ID: d872c1689c442898bada149e1700b74956e8d7452a0374f3ef7bec82a3c8be93
Opcode Fuzzy Hash: 17b990731dc2eabcca0b27cf4be0a8fc97404014e35a54f36e2c43222e0975fd
Instruction Fuzzy Hash: 99F1F274A002199FCB05EF68D99477E7BA1EF48314F14025EE811AB3D2DF789E01CBA9

Function 004029E0 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 353fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0DC12AF0), ref: 00402A2B
GetLastError.KERNEL32 ref: 00402A4D
CloseHandle.KERNEL32(00000000,?,004ED0F4,004ED0FC), ref: 00402BC8

Part of subcall function 00402E20: GetLastError.KERNEL32(?,?,?,0040294D,004ED0F4,004ED0FC), ref: 00402E54

ReadFile.KERNEL32(00000000,00000000,00000400,00000000,00000000,00000400,?,004ED0F4,004ED0FC), ref: 00402ADD

Strings

%02X, xrefs: 00402CC7

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorFileLast$CloseCreateHandleRead
String ID: %02X
API String ID: 3160720760-436463671
Opcode ID: d0edde89f3cb7d724fd97b31411516f368cce4b39f6ccf5b377f344ab533fb73
Instruction ID: 061b468a1e8610420fa16c1a58561871c216eb7a22b23d27ff0b7cce6982789e
Opcode Fuzzy Hash: d0edde89f3cb7d724fd97b31411516f368cce4b39f6ccf5b377f344ab533fb73
Instruction Fuzzy Hash: 7BD1C571900249DFDB14CF68C948B9EBBB4FF48324F10426AE815B73D1D7B9A904CBA4

Function 0041D8A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0041D93F
GetWindowLongW.USER32(?,000000FC), ref: 0041D94E
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 0041D969
GetWindowLongW.USER32(?,000000FC), ref: 0041D983
SetWindowLongW.USER32(?,000000FC,?), ref: 0041D995

Strings

$, xrefs: 0041D8C1

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 2b8f4f7af45cb4b433e2178b9f91cfef87d8fd59ad06ff9372f041f6fc695801
Instruction ID: 89ff05b1361473aa473b813dda564c1dfdb19886c229f09841c05e570a5c1d1a
Opcode Fuzzy Hash: 2b8f4f7af45cb4b433e2178b9f91cfef87d8fd59ad06ff9372f041f6fc695801
Instruction Fuzzy Hash: C0417CB1604706AFC704DF19C984A1AFBF9FF88310F104A1AF995976A0C775E994CF92

Function 00412A00 Relevance: 9.2, APIs: 6, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00412A4A
std::_Lockit::_Lockit.LIBCPMT ref: 00412A6C
std::_Lockit::~_Lockit.LIBCPMT ref: 00412A94
__Getctype.LIBCPMT ref: 00412B75
std::_Facet_Register.LIBCPMT ref: 00412BD7
std::_Lockit::~_Lockit.LIBCPMT ref: 00412C0B

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 7ba3452b8762a86260e5dbee049a9c0fa249b96aedb4adeea9e616c121852b5f
Instruction ID: 3eba87abea37f8d0584aa7dab8c469b36dd0c0480f005e0970b0fba2961f0c3d
Opcode Fuzzy Hash: 7ba3452b8762a86260e5dbee049a9c0fa249b96aedb4adeea9e616c121852b5f
Instruction Fuzzy Hash: CB61CEB0D00649DFDB01DF59CA417AEFBB0FF54314F14825AD804AB391E7B8AA94CB95

Function 00412800 Relevance: 9.1, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0041283D
std::_Lockit::_Lockit.LIBCPMT ref: 0041285F
std::_Lockit::~_Lockit.LIBCPMT ref: 00412887
__Getcoll.LIBCPMT ref: 00412951
std::_Facet_Register.LIBCPMT ref: 00412996
std::_Lockit::~_Lockit.LIBCPMT ref: 004129D7

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
String ID:
API String ID: 1184649410-0
Opcode ID: 025193a20c3e12a3f6fe6db00f0e80243c9c4dc956fa3572d2fae690a4a8db3b
Instruction ID: 70928be0c3921c25ed63d5178682cdeeae85df315b7d14afd5ac1a4e1d2dd3ac
Opcode Fuzzy Hash: 025193a20c3e12a3f6fe6db00f0e80243c9c4dc956fa3572d2fae690a4a8db3b
Instruction Fuzzy Hash: 68519CB0D00208EFCB01EF98D985BDDBBB0FF54318F20815AE815AB391DB785A55CB95

Function 0040EFC9 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

Part of subcall function 004046F0: GetProcessHeap.KERNEL32 ref: 00404745

Part of subcall function 00403700: FindResourceW.KERNEL32(00000000,00000001,00000006,?,00000000,?,?,00000000,0000000E), ref: 00403738

RemoveDirectoryW.KERNEL32(?,00000000,?,\\?\), ref: 0040F041
GetLastError.KERNEL32(?), ref: 0040F086

Strings

LastError= , xrefs: 0040F0FB
\\?\, xrefs: 0040F00B, 0040F01B
Failed to delete directory: , xrefs: 0040F0CB

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: DirectoryErrorFindHeapLastProcessRemoveResource
String ID: LastError= $Failed to delete directory: $\\?\
API String ID: 3283955249-2562880348
Opcode ID: a29d16a6fb08d21eccbbd0c78bb0bc845a029675bbbba2e2b8b0c483ef798a03
Instruction ID: 8db81f3fbe3a568239acde54840c6951720591151c312ed29d448c320e665dfd
Opcode Fuzzy Hash: a29d16a6fb08d21eccbbd0c78bb0bc845a029675bbbba2e2b8b0c483ef798a03
Instruction Fuzzy Hash: 9F812434A005459FCB04DFA8C9556AEB7B1EF44314F1841BEE911BB3D2DB39AE02CB98

Function 0041CA60 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,0041BDDC,00000000,00000000,00000000,?,?), ref: 0041CAAB
CompareStringW.KERNEL32(00000400,00000001,?,00000003,<A>,00000003,?,?,?,?,?,0041BDDC,00000000,00000000,00000000,?), ref: 0041CAE1
CompareStringW.KERNEL32(00000400,00000001,?,00000004,</A>,00000004,?,?,?,?,?,0041BDDC,00000000,00000000,00000000,?), ref: 0041CB1E

Strings

</A>, xrefs: 0041CB0F
<A>, xrefs: 0041CAD2

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CompareString$lstrlen
String ID: </A>$<A>
API String ID: 1657112622-2122467442
Opcode ID: bbb5559282663a2cd00074007c2648eafa71258357af84354f7c7004cc1f9b1c
Instruction ID: b8c3fee1d1c18d74c8f8b8c6812a8a51c1f86a6a34ff4ecee4599c3b5796ce11
Opcode Fuzzy Hash: bbb5559282663a2cd00074007c2648eafa71258357af84354f7c7004cc1f9b1c
Instruction Fuzzy Hash: 84318D722483049FD312CF18D881B9BBBE8EF89318F11055AF685AB391C7B5AD85CB65

Function 00420150 Relevance: 7.7, APIs: 5, Instructions: 200COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 00420157
GetWindowTextW.USER32(?,?,00000001), ref: 00420188
LoadStringW.USER32(?,00000000,00000100), ref: 00420283

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: TextWindow$LengthLoadString
String ID:
API String ID: 4011078827-0
Opcode ID: 63c6858da40c04af897f08390683e31889b08fe45025ad13b3810600929494b1
Instruction ID: a1d38276b81e4065e22de2de7e0a9ccef1fdda1b9dcff5a838a3824bb7fe20d4
Opcode Fuzzy Hash: 63c6858da40c04af897f08390683e31889b08fe45025ad13b3810600929494b1
Instruction Fuzzy Hash: AC51C1B1A001249FDB14CF69EC49AAEBBF9EF58314F10412FE909D7391EB799D008B94

Function 0041D680 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,00000100,?,?), ref: 0041D703
VerSetConditionMask.KERNEL32(00000000,?,?,?), ref: 0041D70B
VerSetConditionMask.KERNEL32(00000000,?,?,?,?), ref: 0041D713
VerifyVersionInfoW.KERNEL32(?), ref: 0041D73C
SendMessageW.USER32(?,00000432,00000000,?), ref: 0041D799

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoMessageSendVerifyVersion
String ID:
API String ID: 980217771-0
Opcode ID: 71d6aaaa37dfa392f283e7d2217aef8cb7fe93bce2596d29c0a7b66a92900e1c
Instruction ID: a3a7dd4e9122b95f5a4966f68b6fe96e2f241e87a655c0711d52b32ff49896ad
Opcode Fuzzy Hash: 71d6aaaa37dfa392f283e7d2217aef8cb7fe93bce2596d29c0a7b66a92900e1c
Instruction Fuzzy Hash: 483152B1508344AFE310CF64DD49B9BB7E8FBD9704F00491DF688DA291D7B4D6448B56

Function 0041FCF0 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 374windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000080,00000001,00000000), ref: 0042012E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0042013D

Strings

0.0.0.0, xrefs: 0041FF67
.%d, xrefs: 0041FFE8

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: MessageSend
String ID: .%d$0.0.0.0
API String ID: 3850602802-387324962
Opcode ID: e2f1a3e97bffd56164252329b3d71d98e31c1638bd519baba12cde8912d77f80
Instruction ID: a84f164b11da87530df0a0e587b9f6d22807137b6948dff275cf3c839543aca1
Opcode Fuzzy Hash: e2f1a3e97bffd56164252329b3d71d98e31c1638bd519baba12cde8912d77f80
Instruction Fuzzy Hash: 5DD11471A006059FDB04CF68D984BAEB7B5FF44324F14422EE811AB3D2DB79AD46CB94

Function 0041C228 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

APIs

GetWindowTextW.USER32(?,?,?), ref: 0041C255

Strings

Anchor Color, xrefs: 0041C357
Anchor Color Visited, xrefs: 0041C3C5
Software\Microsoft\Internet Explorer\Settings, xrefs: 0041C2FD

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: TextWindow
String ID: Anchor Color$Anchor Color Visited$Software\Microsoft\Internet Explorer\Settings
API String ID: 530164218-3433146436
Opcode ID: 0166f835152a65217f3a9e025e0f8233c615a19707b946244d52525dd2c1ef9e
Instruction ID: 220c0db84c52a86a3dc3bbb3b078048f807addca98b3e49de577a4528f53e574
Opcode Fuzzy Hash: 0166f835152a65217f3a9e025e0f8233c615a19707b946244d52525dd2c1ef9e
Instruction Fuzzy Hash: EE512E71A412289BEB21CF54CD94BEEB3B5BB45314F10419AE849A3280D774AEC5CF99

Function 0040C170 Relevance: 6.2, APIs: 4, Instructions: 194timeCOMMON

Download Yara Rule

APIs

GetTimeFormatW.KERNEL32(00000400,00000008,?,00000000,00000000,00000000,0DC12AF0), ref: 0040C1B7
GetLastError.KERNEL32(?,00000000,00000000,00000000,0DC12AF0), ref: 0040C1C3
GetTimeFormatW.KERNEL32(00000400,00000008,00000000,00000000,00000000,00000000), ref: 0040C24A
FileTimeToSystemTime.KERNEL32(0DC12AF0,?,0DC12AF0,00000000), ref: 0040C362

Part of subcall function 004046F0: GetProcessHeap.KERNEL32 ref: 00404745

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Time$Format$ErrorFileHeapLastProcessSystem
String ID:
API String ID: 3572850761-0
Opcode ID: 0d80eeceb3fea141ec053ef2e318ba915091d5439a6d9bf21bea1d25995de0b0
Instruction ID: ab90e6ee6ed07144b10d36d0ce2bd55b1544567e6a0322fe888c039974ec0b56
Opcode Fuzzy Hash: 0d80eeceb3fea141ec053ef2e318ba915091d5439a6d9bf21bea1d25995de0b0
Instruction Fuzzy Hash: 2061B5B1E002459FDB04DFA8DD85BAEBBB8EB48314F10427EE901AB381DB795904CB95

Function 0040BF30 Relevance: 6.2, APIs: 4, Instructions: 194timeCOMMON

Download Yara Rule

APIs

GetDateFormatW.KERNEL32(00000400,00000002,?,00000000,00000000,00000000,0DC12AF0), ref: 0040BF77
GetLastError.KERNEL32(?,00000000,00000000,00000000,0DC12AF0), ref: 0040BF83
GetDateFormatW.KERNEL32(00000400,00000002,00000000,00000000,00000000,00000000), ref: 0040C00A
FileTimeToSystemTime.KERNEL32(0DC12AF0,?,0DC12AF0,00000000), ref: 0040C122

Part of subcall function 004046F0: GetProcessHeap.KERNEL32 ref: 00404745

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: DateFormatTime$ErrorFileHeapLastProcessSystem
String ID:
API String ID: 1398366937-0
Opcode ID: 381f5fc61b3aac05d194a8a42fc32f02707e899a4d701fc39785fcbc46836420
Instruction ID: 577b37cc1002b7063be9fb2607aa9d6214f184e7379f71f8723b655a473d830e
Opcode Fuzzy Hash: 381f5fc61b3aac05d194a8a42fc32f02707e899a4d701fc39785fcbc46836420
Instruction Fuzzy Hash: E961B4B1A00249DFDB04DFA8DD95BAEBBB8EB48314F10456EE901B73C1DB795904CBA4

Function 0040EAD0 Relevance: 6.1, APIs: 4, Instructions: 148fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,0DC12AF0,?,?,?,?,?,?,?,004CAEA5), ref: 0040EB19
GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,0DC12AF0), ref: 0040EB41
ReadFile.KERNEL32(?,?,00010000,?,00000000,00010000,?,80000000,00000003,00000000,00000003,00000080,00000000,0DC12AF0), ref: 0040EBBF
CloseHandle.KERNEL32(00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,0DC12AF0), ref: 0040EC76

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: be8ebe47f5809f5cde052773f63cd624fad6ae55ebf8ae15df65d8f615e2bec8
Instruction ID: 5b2e8734448af97d77a3f8bac80f9c44432a946b287cd7f12b6d0ad93aff6185
Opcode Fuzzy Hash: be8ebe47f5809f5cde052773f63cd624fad6ae55ebf8ae15df65d8f615e2bec8
Instruction Fuzzy Hash: 60512172900248EFEB20CF66C8847EFBBB8EF11314F14452EE815672C1D3B96A09CB55

Function 0041D0B0 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 0041D0E6
GetStockObject.GDI32(0000000D), ref: 0041D0F9
GetObjectW.GDI32(000000FF,0000005C,?), ref: 0041D122
CreateFontIndirectW.GDI32(?), ref: 0041D153

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Object$CreateDeleteFontIndirectStock
String ID:
API String ID: 1113379131-0
Opcode ID: 147b1fef624ff3c3cbce534a8fa123ca1bcb1c227228250f25a65878341e4b10
Instruction ID: 35a2ec18c7c24c141c7dc3c86682a9f5c10cedb1250f3c650c2bd9db61c0e94b
Opcode Fuzzy Hash: 147b1fef624ff3c3cbce534a8fa123ca1bcb1c227228250f25a65878341e4b10
Instruction Fuzzy Hash: A821A3B1E007889FDB20DFA4DD85B9ABBB8FB04724F00062EE955DB6C1D7B86404CB14

Function 00422910 Relevance: 6.1, APIs: 4, Instructions: 51threadsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,0DC12AF0,?,?,?,004C9460,000000FF), ref: 00422947
GetExitCodeThread.KERNEL32(?,?,?,?,?,004C9460,000000FF), ref: 00422961
TerminateThread.KERNEL32(?,00000000,?,?,?,004C9460,000000FF), ref: 00422979
CloseHandle.KERNEL32(?,?,?,?,004C9460,000000FF), ref: 00422982

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
String ID:
API String ID: 3774109050-0
Opcode ID: 5de3302758f0544e967f028f1c92224b50188297db1d1717ac7337c39440af57
Instruction ID: a72fb2739dea72347d8a09c60b8f7daec65f08bf6529821842d50a113fd0091c
Opcode Fuzzy Hash: 5de3302758f0544e967f028f1c92224b50188297db1d1717ac7337c39440af57
Instruction Fuzzy Hash: 9911C6B1600759AFD7218F14DD45BABB7ECFB04710F00462EF96592690D7F4A944CB98

Function 004229C0 Relevance: 6.0, APIs: 4, Instructions: 44threadsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,0DC12AF0,?,?,?,004C9460,000000FF), ref: 004229F7
GetExitCodeThread.KERNEL32(?,?,?,?,?,004C9460,000000FF), ref: 00422A11
TerminateThread.KERNEL32(?,00000000,?,?,?,004C9460,000000FF), ref: 00422A29
CloseHandle.KERNEL32(?,?,?,?,004C9460,000000FF), ref: 00422A32

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
String ID:
API String ID: 3774109050-0
Opcode ID: eedadc4da8ecefe2ab35997f0b06e7358023a456312b104bdd5d8b12e56794cc
Instruction ID: f5de3fbe71789c95c9cffbaf0a05573c9ecabcc694afa44912be807537c252fb
Opcode Fuzzy Hash: eedadc4da8ecefe2ab35997f0b06e7358023a456312b104bdd5d8b12e56794cc
Instruction Fuzzy Hash: A8018071600659EFC7218F54DE49B67B7ECFB08710F00462AE965D2AA0DBB4A800CA58

Function 00422A50 Relevance: 6.0, APIs: 4, Instructions: 39threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00422B60,?,00000000,?), ref: 00422A75
GetLastError.KERNEL32(?,00000000,?), ref: 00422A82
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00422A99
GetExitCodeThread.KERNEL32(?,?), ref: 00422AA7

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Thread$CodeCreateErrorExitLastObjectSingleWait
String ID:
API String ID: 2732711357-0
Opcode ID: 15df48f1ed1bd292581dd3ee7c6b4abffad7b5f2bc51df2335a286f5c26395ed
Instruction ID: 43e8538ae66d20b7fb682a32109c8605be7893efd5d8fd42e8b82c469b6271de
Opcode Fuzzy Hash: 15df48f1ed1bd292581dd3ee7c6b4abffad7b5f2bc51df2335a286f5c26395ed
Instruction Fuzzy Hash: 97F08675504311ABD720DF28EE45F97BBE8AB54711F00452AF989C2290E7B0D908C7A6

Function 0040F4B0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 386COMMON

Download Yara Rule

APIs

Part of subcall function 004046F0: GetProcessHeap.KERNEL32 ref: 00404745

PathIsUNCW.SHLWAPI(0040F938,?,?,?,?,00000000,004CB19F,000000FF), ref: 0040F67D

Strings

\\?\, xrefs: 0040F65F, 0040F665
\\?\UNC\, xrefs: 0040F559, 0040F5E1, 0040F5E7

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: HeapPathProcess
String ID: \\?\$\\?\UNC\
API String ID: 300331711-3019864461
Opcode ID: 2cfc81dec77a3cb3ad144cba9bdfe924c48e5445d56fd08fc51f6975c68cd85c
Instruction ID: 18bcacf34268819ceea0c25dc35a0ceabb7a555e69038f6d03f4b62b23381f27
Opcode Fuzzy Hash: 2cfc81dec77a3cb3ad144cba9bdfe924c48e5445d56fd08fc51f6975c68cd85c
Instruction Fuzzy Hash: 98D1E271A006059BDB00DBA8CC94BAEB7B9EF48324F14417EE511B73D2DB78AD05CB95

Function 00423610 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(00000000,0DC12AF0), ref: 004236B2

Strings

\\?\UNC\, xrefs: 004236D7, 00423738
\\?\, xrefs: 004237AA, 004237D5

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Path
String ID: \\?\$\\?\UNC\
API String ID: 2875597873-3019864461
Opcode ID: b1358cb6e61c9c2e6c009d1e99b04399078505cf001b9cb965ff294ceb17f8be
Instruction ID: d309495ac15eaf87dd574cb9ba75f7f732aca4d7645a3c4f6b84bf6e1e34881c
Opcode Fuzzy Hash: b1358cb6e61c9c2e6c009d1e99b04399078505cf001b9cb965ff294ceb17f8be
Instruction Fuzzy Hash: 0B51D0F0E00214ABDB20DF68D845BAEB7B4FF95308F50861EE81167380D7796A48CB99

Function 0041AD70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0041ADA1
std::_Lockit::~_Lockit.LIBCPMT ref: 0041AE54

Strings

y)A, xrefs: 0041AD8B

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Locinfo_dtorLockitLockit::~_
String ID: y)A
API String ID: 3286764726-3791414304
Opcode ID: 7569f68325b4044b4c28d43910c5a5f1e8bf808afd5e0507ec2f1ec85f2f2110
Instruction ID: af6d6717d2b5be369cc1d7959c1f604181c66a5d79c13f3823addc34ecf66c65
Opcode Fuzzy Hash: 7569f68325b4044b4c28d43910c5a5f1e8bf808afd5e0507ec2f1ec85f2f2110
Instruction Fuzzy Hash: 3821A2F0E01740DBEB20DF65D906B4BB7E8EB11704F04456EE44597B81E77DEA0887AA

Function 0041AC40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0041AC6B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0041ACCE

Strings

bad locale name, xrefs: 0041ACF1

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 6371b5aacf1fea5522b90325c21df5ecb7a27a15856e2dd271848ef4ae39ee93
Instruction ID: d8ca28ea7b86cadf5c17d0267d7afe1716a786912d59a6b3a86f560ae672aee9
Opcode Fuzzy Hash: 6371b5aacf1fea5522b90325c21df5ecb7a27a15856e2dd271848ef4ae39ee93
Instruction Fuzzy Hash: CD210070905B80DFD720CF69C904B4BBBE4EF15314F14869EE48587B81D3B9AA08C795

Function 00404180 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 0048A5DF: EnterCriticalSection.KERNEL32(00516D54,?,00000000,?,004041B7,00000000,0DC12AF0,?,00000000,?,00000000,0000000E,004C92A0,000000FF,?,00403728), ref: 0048A5EA
Part of subcall function 0048A5DF: LeaveCriticalSection.KERNEL32(00516D54,?,00000000,?,004041B7,00000000,0DC12AF0,?,00000000,?,00000000,0000000E,004C92A0,000000FF,?,00403728), ref: 0048A616

FindResourceExW.KERNEL32(00000000,00000006,00000000,00000000,00000000,0DC12AF0,?,00000000,?,00000000,0000000E,004C92A0,000000FF,?,00403728), ref: 004041D6

Part of subcall function 00404240: LoadResource.KERNEL32(00000000,00000000,0DC12AF0,00000001,00000000,00000000,00000000,004C9440,000000FF,?,004041EC,?,?,00000000,?,00000000), ref: 0040426B
Part of subcall function 00404240: LockResource.KERNEL32(00000000,?,004041EC,?,?,00000000,?,00000000,0000000E,004C92A0,000000FF,?,00403728,?,00000000), ref: 00404276
Part of subcall function 00404240: SizeofResource.KERNEL32(00000000,00000000,?,004041EC,?,?,00000000,?,00000000,0000000E,004C92A0,000000FF,?,00403728,?,00000000), ref: 00404284

Strings

@mQ, xrefs: 004041F4
@mQ, xrefs: 004041AD

Memory Dump Source

Source File: 00000000.00000002.2275647674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2275629256.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275722846.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275753803.0000000000515000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275769085.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275783558.0000000000519000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275844048.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275932941.000000000060A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275961081.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275975208.0000000000616000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2275990045.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276004483.000000000061E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276019055.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276033719.0000000000627000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276047594.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276071545.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276086109.000000000065D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276108631.0000000000686000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Resource$CriticalSection$EnterFindLeaveLoadLockSizeof
String ID: @mQ$@mQ
API String ID: 529824247-4220228057
Opcode ID: 408eb29d9a5e3e1b013c3b571bce9beea6c2bac17e1bdf327da858b4e0882424
Instruction ID: 3f36eeadde0d07e720e7fd8a7e2f237b0106429bc08620d5d509c7d5ec9e112c
Opcode Fuzzy Hash: 408eb29d9a5e3e1b013c3b571bce9beea6c2bac17e1bdf327da858b4e0882424
Instruction Fuzzy Hash: D111E772B446146BE7249B59AC41B7BB7D8F788B64F00027FFE05D77C1EA799C008694

Analysis Process: SecuriteInfo.com.Win32.Evo-gen.3521.549.exePID: 6540, Parent PID: 5532COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	1392
Total number of Limit Nodes:	60

Executed Functions

Function 046BCBE1 Relevance: 148.9, APIs: 52, Strings: 33, Instructions: 176
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,046AEA1C), ref: 046BCBF6
GetProcAddress.KERNEL32(00000000), ref: 046BCBFF
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,046AEA1C), ref: 046BCC16
GetProcAddress.KERNEL32(00000000), ref: 046BCC19
LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,046AEA1C), ref: 046BCC2B
GetProcAddress.KERNEL32(00000000), ref: 046BCC2E
LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,046AEA1C), ref: 046BCC3F
GetProcAddress.KERNEL32(00000000), ref: 046BCC42
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,046AEA1C), ref: 046BCC54
GetProcAddress.KERNEL32(00000000), ref: 046BCC57
LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,046AEA1C), ref: 046BCC63
GetProcAddress.KERNEL32(00000000), ref: 046BCC66
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,046AEA1C), ref: 046BCC77
GetProcAddress.KERNEL32(00000000), ref: 046BCC7A
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,046AEA1C), ref: 046BCC8B
GetProcAddress.KERNEL32(00000000), ref: 046BCC8E
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,046AEA1C), ref: 046BCC9F
GetProcAddress.KERNEL32(00000000), ref: 046BCCA2
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,046AEA1C), ref: 046BCCB3
GetProcAddress.KERNEL32(00000000), ref: 046BCCB6
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,046AEA1C), ref: 046BCCC7
GetProcAddress.KERNEL32(00000000), ref: 046BCCCA
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,046AEA1C), ref: 046BCCDB
GetProcAddress.KERNEL32(00000000), ref: 046BCCDE
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,046AEA1C), ref: 046BCCEF
GetProcAddress.KERNEL32(00000000), ref: 046BCCF2
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,046AEA1C), ref: 046BCD03
GetProcAddress.KERNEL32(00000000), ref: 046BCD06
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,046AEA1C), ref: 046BCD14
GetProcAddress.KERNEL32(00000000), ref: 046BCD17
LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,046AEA1C), ref: 046BCD28
GetProcAddress.KERNEL32(00000000), ref: 046BCD2B
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,046AEA1C), ref: 046BCD38
GetProcAddress.KERNEL32(00000000), ref: 046BCD3B
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,046AEA1C), ref: 046BCD48
GetProcAddress.KERNEL32(00000000), ref: 046BCD4B
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,046AEA1C), ref: 046BCD5D
GetProcAddress.KERNEL32(00000000), ref: 046BCD60
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,046AEA1C), ref: 046BCD6D
GetProcAddress.KERNEL32(00000000), ref: 046BCD70
GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,046AEA1C), ref: 046BCD81
GetProcAddress.KERNEL32(00000000), ref: 046BCD84
GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,046AEA1C), ref: 046BCD95
GetProcAddress.KERNEL32(00000000), ref: 046BCD98
LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,046AEA1C), ref: 046BCDAA
GetProcAddress.KERNEL32(00000000), ref: 046BCDAD
LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,046AEA1C), ref: 046BCDBA
GetProcAddress.KERNEL32(00000000), ref: 046BCDBD
LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,046AEA1C), ref: 046BCDCA
GetProcAddress.KERNEL32(00000000), ref: 046BCDCD
LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,046AEA1C), ref: 046BCDDA
GetProcAddress.KERNEL32(00000000), ref: 046BCDDD

Strings

Rstrtmgr, xrefs: 046BCD9F, 046BCDA9, 046BCDB4, 046BCDC4, 046BCDD4
NtUnmapViewOfSection, xrefs: 046BCC49
EnumDisplayMonitors, xrefs: 046BCCCC
RmRegisterResources, xrefs: 046BCDAF
GetExtendedTcpTable, xrefs: 046BCD4D
ntdll, xrefs: 046BCC4E, 046BCC53, 046BCD32, 046BCD42, 046BCD77
EnumDisplayDevicesW, xrefs: 046BCCB8
GetProcessImageFileNameW, xrefs: 046BCBEB, 046BCBF0, 046BCC10
IsUserAnAdmin, xrefs: 046BCC90
Shell32, xrefs: 046BCC95
RmGetList, xrefs: 046BCDBF
GetMonitorInfoW, xrefs: 046BCCE0
SetProcessDEPPolicy, xrefs: 046BCCA4
user32, xrefs: 046BCC3A, 046BCCBD, 046BCCD1, 046BCCE5
GetComputerNameExW, xrefs: 046BCC7C
Iphlpapi, xrefs: 046BCD52, 046BCD5C, 046BCD67
RmStartSession, xrefs: 046BCD9A
Psapi, xrefs: 046BCBF1
Kernel32, xrefs: 046BCC11
NtResumeProcess, xrefs: 046BCD3D
NtSuspendProcess, xrefs: 046BCD2D
RmEndSession, xrefs: 046BCDCF
GetExtendedUdpTable, xrefs: 046BCD62
Shlwapi, xrefs: 046BCD0A
GetFinalPathNameByHandleW, xrefs: 046BCD86
NtQueryInformationProcess, xrefs: 046BCD72
GlobalMemoryStatusEx, xrefs: 046BCC59
shcore, xrefs: 046BCC26
kernel32, xrefs: 046BCC5E, 046BCC6D, 046BCC81, 046BCCA9, 046BCCF9, 046BCD1E, 046BCD8B
GetConsoleWindow, xrefs: 046BCD19
GetSystemTimes, xrefs: 046BCCF4
IsWow64Process, xrefs: 046BCC68
SetProcessDpiAwareness, xrefs: 046BCC20, 046BCC25, 046BCC39

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 4236061018-3687161714
Opcode ID: b7f0da1f0e9235772e06ce319e05e0b0ed161d904cced3fa60981bfd95ae0031
Instruction ID: b42aebcd6c5cacebb84e296a3cb090d9dfce728767b2584d9c087e2857788f2a
Opcode Fuzzy Hash: b7f0da1f0e9235772e06ce319e05e0b0ed161d904cced3fa60981bfd95ae0031
Instruction Fuzzy Hash: C641A1E0E81318BFDA297BB69D4DD5B3EECDA40654341C617B504D7790D9BCAC048EA4

Function 046AA2F3 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 046AA30E
SetWindowsHookExA.USER32(0000000D,046AA2DF,00000000), ref: 046AA31C
GetLastError.KERNEL32 ref: 046AA328

Part of subcall function 046BB580: GetLocalTime.KERNEL32(00000000), ref: 046BB59A

KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 046AA376
TranslateMessage.USER32(?), ref: 046AA385
DispatchMessageA.USER32(?), ref: 046AA390

Strings

Keylogger initialization failure: error , xrefs: 046AA33C

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Message$CallbackDispatchDispatcherErrorHandleHookLastLocalModuleTimeTranslateUserWindows
String ID: Keylogger initialization failure: error
API String ID: 941179788-952744263
Opcode ID: ede9a2f4f854eceabb5e74ca78a9cb749a696d4c0cb191b40c8931aba37a1b08
Instruction ID: b0aafc0fadba415f81be310ae47aa61d1b003cfddcab85d3ed980e4a19249747
Opcode Fuzzy Hash: ede9a2f4f854eceabb5e74ca78a9cb749a696d4c0cb191b40c8931aba37a1b08
Instruction Fuzzy Hash: CD11E772610601ABD711BFB59C0895B77ECEF91614B10052EF881C2280FB34BD14CFA2

Function 046BB411 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 046BB438
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 046BB44E
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 046BB467
InternetCloseHandle.WININET(00000000), ref: 046BB4AD
InternetCloseHandle.WININET(00000000), ref: 046BB4B0

Strings

http://geoplugin.net/json.gp, xrefs: 046BB448

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: ee71cf2e977e013cff72c2de728f750e28483dce5d2913a01dacd836a5e52fd8
Instruction ID: e4713ebf1f62e9223a064350b3e4b84c0a40df0fc6dfeb15755d4107d8309537
Opcode Fuzzy Hash: ee71cf2e977e013cff72c2de728f750e28483dce5d2913a01dacd836a5e52fd8
Instruction Fuzzy Hash: 2811C4715063216BD324EE259C48EAF7FDCEF96664F00042DF94592240EB64BC48CAF6

Function 046AF7E2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 046B3584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 046B35A4
Part of subcall function 046B3584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,047152F0), ref: 046B35C2
Part of subcall function 046B3584: RegCloseKey.KERNEL32(?), ref: 046B35CD

Sleep.KERNEL32(00000BB8), ref: 046AF896
ExitProcess.KERNEL32 ref: 046AF905

Strings

override, xrefs: 046AF807
5.1.2 Pro, xrefs: 046AF871, 046AF8DE
pth_unenc, xrefs: 046AF7F8, 046AF83F, 046AF8AC

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 5.1.2 Pro$override$pth_unenc
API String ID: 2281282204-3554326054
Opcode ID: edd78fb39f2242a2d2d91cc839f6eb7ca79176476febe60f1d4be1a914216872
Instruction ID: 517982731a00fbc31d991c8e0abdf0e086410c2d8d3f8ef07bbaebb1bda8e8c9
Opcode Fuzzy Hash: edd78fb39f2242a2d2d91cc839f6eb7ca79176476febe60f1d4be1a914216872
Instruction Fuzzy Hash: 1121F8A1B1064067F70CB67888969AE39EAABC1618F40441CF849573C4FE64FD658FEB

Function 046D38C8 Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,046D3550,00000034,?,?,049CE3E0), ref: 046D38DA
CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,046D35E3,00000000,?,00000000), ref: 046D38F0
CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,046D35E3,00000000,?,00000000,046BE2E2), ref: 046D3902

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 38d053405f8883c94457a975a803637a027c308b63cef1508ed63e6555d7e409
Instruction ID: ce1d84eb3fb3c993112f513b8f36fa50e64df8c54741625db47bbcd784d6afde
Opcode Fuzzy Hash: 38d053405f8883c94457a975a803637a027c308b63cef1508ed63e6555d7e409
Instruction Fuzzy Hash: 52E09231708310BBEB300E11AC08F563A65EB81760F201538F956E41E4F65358859559

Function 046BB69E Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000001,?,0000002B,047150E4), ref: 046BB6BB
GetUserNameW.ADVAPI32(?,046AF25E), ref: 046BB6D3

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: 9a1183f08bb5e79339aeca30cbcac95816cdf6d4f5d1fe204acee7ee3c09bee9
Instruction ID: 445581b79ac0bc1f45e8f800f84cdfaa4b6336d93f3dd360ab522ad99d76d15f
Opcode Fuzzy Hash: 9a1183f08bb5e79339aeca30cbcac95816cdf6d4f5d1fe204acee7ee3c09bee9
Instruction Fuzzy Hash: CC01FF7190051CABDB15EBD4DC44EDDB7BCEF44309F10415AA505A3160FEB46E99CFA4

Function 046AF90C Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,046B5537,04714EE0,04715A00,04714EE0,00000000,04714EE0,00000000,04714EE0,5.1.2 Pro), ref: 046AF920

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 010219a1e11bf061b060d48325c15b6cef860f4a1e71ac1db02f40a25c68aa1f
Instruction ID: 5b937bf19b752d094bfbbaba2682737f486a8c3359fd74c8becedc0e13aa5013
Opcode Fuzzy Hash: 010219a1e11bf061b060d48325c15b6cef860f4a1e71ac1db02f40a25c68aa1f
Instruction Fuzzy Hash: 88D05B7074411C77E61096959C0AFAA779CD701755F000195BE05D73C0E9E16E148BE1

Function 046AEA00 Relevance: 49.8, APIs: 15, Strings: 13, Instructions: 795
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 046BCBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,046AEA1C), ref: 046BCBF6
Part of subcall function 046BCBE1: GetProcAddress.KERNEL32(00000000), ref: 046BCBFF
Part of subcall function 046BCBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,046AEA1C), ref: 046BCC16
Part of subcall function 046BCBE1: GetProcAddress.KERNEL32(00000000), ref: 046BCC19
Part of subcall function 046BCBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,046AEA1C), ref: 046BCC2B
Part of subcall function 046BCBE1: GetProcAddress.KERNEL32(00000000), ref: 046BCC2E
Part of subcall function 046BCBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,046AEA1C), ref: 046BCC3F
Part of subcall function 046BCBE1: GetProcAddress.KERNEL32(00000000), ref: 046BCC42
Part of subcall function 046BCBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,046AEA1C), ref: 046BCC54
Part of subcall function 046BCBE1: GetProcAddress.KERNEL32(00000000), ref: 046BCC57
Part of subcall function 046BCBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,046AEA1C), ref: 046BCC63
Part of subcall function 046BCBE1: GetProcAddress.KERNEL32(00000000), ref: 046BCC66
Part of subcall function 046BCBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,046AEA1C), ref: 046BCC77
Part of subcall function 046BCBE1: GetProcAddress.KERNEL32(00000000), ref: 046BCC7A
Part of subcall function 046BCBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,046AEA1C), ref: 046BCC8B
Part of subcall function 046BCBE1: GetProcAddress.KERNEL32(00000000), ref: 046BCC8E
Part of subcall function 046BCBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,046AEA1C), ref: 046BCC9F
Part of subcall function 046BCBE1: GetProcAddress.KERNEL32(00000000), ref: 046BCCA2
Part of subcall function 046BCBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,046AEA1C), ref: 046BCCB3
Part of subcall function 046BCBE1: GetProcAddress.KERNEL32(00000000), ref: 046BCCB6
Part of subcall function 046BCBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,046AEA1C), ref: 046BCCC7
Part of subcall function 046BCBE1: GetProcAddress.KERNEL32(00000000), ref: 046BCCCA
Part of subcall function 046BCBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,046AEA1C), ref: 046BCCDB
Part of subcall function 046BCBE1: GetProcAddress.KERNEL32(00000000), ref: 046BCCDE
Part of subcall function 046BCBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,046AEA1C), ref: 046BCCEF
Part of subcall function 046BCBE1: GetProcAddress.KERNEL32(00000000), ref: 046BCCF2
Part of subcall function 046BCBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,046AEA1C), ref: 046BCD03
Part of subcall function 046BCBE1: GetProcAddress.KERNEL32(00000000), ref: 046BCD06
Part of subcall function 046BCBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,046AEA1C), ref: 046BCD14

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe,00000104), ref: 046AEA29

Part of subcall function 046B0F72: __EH_prolog.LIBCMT ref: 046B0F77

Strings

Exe, xrefs: 046AEB4A
C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, xrefs: 046AEA21, 046AEE4A
User, xrefs: 046AF2C9
license_code.txt, xrefs: 046AEA88
licence, xrefs: 046AEFC3
exepath, xrefs: 046AEECD, 046AEF7B
del, xrefs: 046AF328, 046AF3AA
del, xrefs: 046AF30C
Inj, xrefs: 046AEC10, 046AEC27
Access Level: , xrefs: 046AF2DA
Software\, xrefs: 046AEAFE
Remcos Agent initialized, xrefs: 046AF02A
Administrator, xrefs: 046AF2C2

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: Access Level: $Administrator$C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe$Exe$Inj$Remcos Agent initialized$Software\$User$del$del$exepath$licence$license_code.txt
API String ID: 2830904901-2780961727
Opcode ID: aa99d611101439481b6339744842eaa67c5ec9f189165bd93451c5e8f3bf2342
Instruction ID: a3a3113eaee912824eebb939dab1e557a3162545009ade15fc127d304c48cfcd
Opcode Fuzzy Hash: aa99d611101439481b6339744842eaa67c5ec9f189165bd93451c5e8f3bf2342
Instruction Fuzzy Hash: 6C323E60B44B806BFB18B774CC65BBE26D99FC264CF40042DA5426B3D1FE58BD218F99

Function 046B4F65 Relevance: 32.3, APIs: 5, Strings: 13, Instructions: 809
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000029,047152F0,047150E4,00000000), ref: 046B4FB6
WSAGetLastError.WS2_32(00000000,00000001), ref: 046B51C7
Sleep.KERNEL32(00000000,00000002), ref: 046B5B12

Part of subcall function 046BB580: GetLocalTime.KERNEL32(00000000), ref: 046BB59A

Strings

Connected | , xrefs: 046B5289
name, xrefs: 046B53A1
| , xrefs: 046B514D, 046B528E
5.1.2 Pro, xrefs: 046B5506
C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, xrefs: 046B53FB
Connection Error: , xrefs: 046B51DA
TLS On , xrefs: 046B512E
%I64u, xrefs: 046B5331
Connecting | , xrefs: 046B5143
hlight, xrefs: 046B53CE
Connection Error: Unable to create socket, xrefs: 046B5225
TLS Off, xrefs: 046B5120
Disconnected, xrefs: 046B5A82

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: | $%I64u$5.1.2 Pro$C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $hlight$name
API String ID: 524882891-4279089871
Opcode ID: 65c95756402f44c8a8301a84f7b8877f1137c08c20a381c5c9eba3416b8cef7b
Instruction ID: 97bb1cbde5e61f5a91b47632c5a21454560da554fe68776c8e2e359b3807a6ce
Opcode Fuzzy Hash: 65c95756402f44c8a8301a84f7b8877f1137c08c20a381c5c9eba3416b8cef7b
Instruction Fuzzy Hash: 51528A71A405249BEB18F734DCA1AEEB3B59F51208F5041ADD50AA72D0FF307EA68E58

Function 046A48C8 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 144
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,?), ref: 046A48E0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 046A4A00
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 046A4A0E
WSAGetLastError.WS2_32 ref: 046A4A21

Part of subcall function 046BB580: GetLocalTime.KERNEL32(00000000), ref: 046BB59A

Strings

TLS Error 3, xrefs: 046A49D8
Connection Refused, xrefs: 046A4A76
TLS Authentication Failed, xrefs: 046A4999
TLS Error 1, xrefs: 046A4937
TLS Handshake... | , xrefs: 046A4904
Connection Failed: , xrefs: 046A4A43
TLS Error 2, xrefs: 046A4955

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: 44575b76a48dae3b04d7c924403f4f58ff919952e47700ddb51c4b1a85295178
Instruction ID: bbf1a786663544b93a0afb5c41322fbc2a1aed97a5615e30d87ae4180d62cc67
Opcode Fuzzy Hash: 44575b76a48dae3b04d7c924403f4f58ff919952e47700ddb51c4b1a85295178
Instruction Fuzzy Hash: D0413AA5B50A01BBFB14FB798D1A47D7A55EB5124CB40416CD80243B85FE52BC348FEB

Function 046AAD11 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 046AAD73
Sleep.KERNEL32(000001F4), ref: 046AAD7E
GetForegroundWindow.USER32 ref: 046AAD84
GetWindowTextLengthW.USER32(00000000), ref: 046AAD8D
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 046AADC1
Sleep.KERNEL32(000003E8), ref: 046AAE8F

Part of subcall function 046AA671: SetEvent.KERNEL32(?,?,?,046AB86A,?,?,?,?,?,00000000), ref: 046AA69D

Strings

[, xrefs: 046AAE29
], xrefs: 046AAE23
minutes }, xrefs: 046AAEB5
{ User has been idle for , xrefs: 046AAEC1

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: def246cd5eff3c7be221753ec3718a6279467fa024fc8652d2d59caeb90d9596
Instruction ID: a8d985e25c00d4177ffb9e7bd4cf08f22837c0462ba82dfe48ae0a56f020adff
Opcode Fuzzy Hash: def246cd5eff3c7be221753ec3718a6279467fa024fc8652d2d59caeb90d9596
Instruction Fuzzy Hash: DC51F571604A809BE714FB74D854ABEB7D5EF8470CF00092EE58692290FF64BD68CF5A

Function 046ADA6F Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 046ADBD5

Strings

Temp, xrefs: 046ADAA1
WinDir, xrefs: 046ADAD6, 046ADAF8, 046ADB4A
ProgramData, xrefs: 046ADB9A
\system32, xrefs: 046ADAE9
UserProfile, xrefs: 046ADB93
AppData, xrefs: 046ADB8C
SystemDrive, xrefs: 046ADACC
\SysWOW64, xrefs: 046ADB3B
ProgramFiles, xrefs: 046ADBA9

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: eac38665a58c1f22f13b00285f45e67be46e728c729bba0644e4a30771af6f49
Instruction ID: 8270371f89207f5ce6af8ae518ff2ba12a17f8c3d1504f5ede9fc6518937ac09
Opcode Fuzzy Hash: eac38665a58c1f22f13b00285f45e67be46e728c729bba0644e4a30771af6f49
Instruction Fuzzy Hash: 674173B1208A449BE308FA64DD51CEFB3E9AFA1258F00451DB146921E0FF60BD6DCE5A

Function 046BB354 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 046BC048: GetCurrentProcess.KERNEL32(?,?,?,046ADAE5,WinDir,00000000,00000000), ref: 046BC059

Part of subcall function 046B35E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 046B3605
Part of subcall function 046B35E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 046B3622
Part of subcall function 046B35E1: RegCloseKey.KERNEL32(?), ref: 046B362D

StrToIntA.SHLWAPI(00000000,0470CA08,00000000,00000000,00000000,047150E4,00000003,Exe,00000000,0000000E,00000000,047060CC,00000003,00000000), ref: 046BB3CD

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 046BB368, 046BB372, 046BB3B3
ProductName, xrefs: 046BB363
CurrentBuildNumber, xrefs: 046BB3AE
(32 bit), xrefs: 046BB400
(64 bit), xrefs: 046BB3F9

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1866151309-2070987746
Opcode ID: f803b21a2693012684e6870694520d69d43b653c65dae528e0e4c9990b310309
Instruction ID: 169e1c572e58955e7f657e6f90eb974262054df7d0fb72c4d10e0961d45791cc
Opcode Fuzzy Hash: f803b21a2693012684e6870694520d69d43b653c65dae528e0e4c9990b310309
Instruction Fuzzy Hash: A2115CA06412456BE714F368CC96EFE77D9C791204F84422DD442A33D0FA547D9687E5

Function 046AA761 Relevance: 9.2, APIs: 6, Instructions: 163
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001388), ref: 046AA77B

Part of subcall function 046AA6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,046AA788), ref: 046AA6E6
Part of subcall function 046AA6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,046AA788), ref: 046AA6F5
Part of subcall function 046AA6B0: Sleep.KERNEL32(00002710,?,?,?,046AA788), ref: 046AA722
Part of subcall function 046AA6B0: CloseHandle.KERNEL32(00000000,?,?,?,046AA788), ref: 046AA729

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 046AA7B7
GetFileAttributesW.KERNEL32(00000000), ref: 046AA7C8
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 046AA7DF
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 046AA859

Part of subcall function 046BC516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,046AA87E), ref: 046BC52F

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,04706478,?,00000000,00000000,00000000,00000000,00000000), ref: 046AA962

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID:
API String ID: 3795512280-0
Opcode ID: 69eaf0bc0910b78796a069f201601a1b08987898503c81b4cb62bb8334581b44
Instruction ID: 0bd31ff4da1f58e67455017b763286e09868fd5418e3e82f3c6e64feffdbf903
Opcode Fuzzy Hash: 69eaf0bc0910b78796a069f201601a1b08987898503c81b4cb62bb8334581b44
Instruction Fuzzy Hash: F8517071208A445AFB18FB74C864AFE73999F9120CF00452DE582A72D0FF24BD29CE5A

Function 046BC482 Relevance: 7.6, APIs: 5, Instructions: 67
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,04706478,00000000,00000000,046AD434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 046BC4C1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 046BC4DE
CloseHandle.KERNEL32(00000000), ref: 046BC4EA
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 046BC4FB
CloseHandle.KERNEL32(00000000), ref: 046BC508

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID:
API String ID: 1852769593-0
Opcode ID: 630ed9e496521fe2a45267219b2c001927194d96eb72bcc96992685050570e22
Instruction ID: 64c94ef32ef95acd2a04a3faef3f9b8bc33a407966a10517f850984757fece74
Opcode Fuzzy Hash: 630ed9e496521fe2a45267219b2c001927194d96eb72bcc96992685050570e22
Instruction Fuzzy Hash: A111C2B22042157FE7108E24AC88EBB739CEB82369F00862DF591D22D0F664AF4587B1

Function 046AA1B4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,046AA2B8,?,00000000,00000000), ref: 046AA239
CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 046AA249
CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 046AA255

Part of subcall function 046AB19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 046AB1AD
Part of subcall function 046AB19F: wsprintfW.USER32 ref: 046AB22E

Strings

Offline Keylogger Started, xrefs: 046AA1D6, 046AA1DD, 046AA20A

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: 1e12d8e232f207f294864a147a30710deb7bf8d6ea59ffb6b61f0c228b334186
Instruction ID: 121d33ab6e89129fa0480fb319e6f4b46a8752470c06168c8c71b449aef10c56
Opcode Fuzzy Hash: 1e12d8e232f207f294864a147a30710deb7bf8d6ea59ffb6b61f0c228b334186
Instruction Fuzzy Hash: 9B11CAB1200A087FE220BB75CC9ACBF769DDA8159CB44055DF84602241FA617D34CFF6

Function 046A4F51 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32(00000001,04714EE0,04715598,?,?,?,?,046B5D11,?,00000001), ref: 046A4F81
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,04714EE0,04715598,?,?,?,?,046B5D11,?,00000001), ref: 046A4FCD
CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 046A4FE0

Strings

KeepAlive | Enabled | Timeout: , xrefs: 046A4F94

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: b3afedfd47dadc6f63ee93f3155963c71197f3c4fe62e458c97308918b103dd9
Instruction ID: 9c54df2480545b1f638b4698cac45b2ceab9520ec006061ec23fd2abfc98ce69
Opcode Fuzzy Hash: b3afedfd47dadc6f63ee93f3155963c71197f3c4fe62e458c97308918b103dd9
Instruction Fuzzy Hash: 8111E7719006846AD720AAB69C0DEDB7FA8DBD2714F04504EE48152241FAB47855CFB1

Function 046B37AA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 046B37B9
RegSetValueExA.KERNEL32(?,047074C8,00000000,?,00000000,00000000,047152F0,?,?,046AF88E,047074C8,5.1.2 Pro), ref: 046B37E1
RegCloseKey.KERNEL32(?,?,?,046AF88E,047074C8,5.1.2 Pro), ref: 046B37EC

Strings

pth_unenc, xrefs: 046B37AE

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: ff709e72fd9bdafb8d3daa13c00b3854ba52f76cbe34cc01c68f326faf9139b6
Instruction ID: c718a4776782bdda0d17dc36040bd9ef75b821a0f5a6ec005f770d24d71cba85
Opcode Fuzzy Hash: ff709e72fd9bdafb8d3daa13c00b3854ba52f76cbe34cc01c68f326faf9139b6
Instruction Fuzzy Hash: 3CF06DB2540118BBDB00AFA0DC45EEA3B6CEF05650F104159FD46A6110FB35AE54DF90

Function 046A4CC3 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,04714F50), ref: 046A4DB3
CreateThread.KERNEL32(00000000,00000000,?,04714EF8,00000000,00000000), ref: 046A4DC7
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 046A4DD2
CloseHandle.KERNEL32(?,?,00000000), ref: 046A4DDB

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: eed08ad94b358f2deabb715b3c4cf237ae101e8c8e16a85635254d61cbc2fb8d
Instruction ID: 748c7d2147dc28bc45edf38ee58bf60332cb388d34b2ad5dddd034ae4b3f7952
Opcode Fuzzy Hash: eed08ad94b358f2deabb715b3c4cf237ae101e8c8e16a85635254d61cbc2fb8d
Instruction Fuzzy Hash: 1F418E71248741ABDB14FB60CD54EBFB7EDAF95318F00091DF49282290FF64BD298A66

Function 046B35E1 Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 046B3605
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 046B3622
RegCloseKey.KERNEL32(?), ref: 046B362D

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 1a7fb8d69801127af969bca40a37e5b094783ed7ba0ee1231f48ffce9d0e207e
Instruction ID: 324854994f75de900218cef7dc08d053f88884f081b3d4815569d3f928f6c399
Opcode Fuzzy Hash: 1a7fb8d69801127af969bca40a37e5b094783ed7ba0ee1231f48ffce9d0e207e
Instruction Fuzzy Hash: BB0186B6B40128BBCB209A95DC58EEE7FBDDB84750F004159BE45A2300FA745E99DBE0

Function 046B3733 Relevance: 4.5, APIs: 3, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,047152F0), ref: 046B374F
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 046B3768
RegCloseKey.KERNEL32(00000000), ref: 046B3773

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 33222967131521186844282150ac4eda651e8e619456933f70b1ff4ee1e7627f
Instruction ID: c5047412d7f09bc2d9bea478fb3dd69d010d64a5ff437da06447cc8aa2b83c9f
Opcode Fuzzy Hash: 33222967131521186844282150ac4eda651e8e619456933f70b1ff4ee1e7627f
Instruction Fuzzy Hash: 0A014BB1500129BBDF215F90DC44DEA7F38EF05354F004165BE4962110F73599A9DBD4

Function 046B3584 Relevance: 4.5, APIs: 3, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 046B35A4
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,047152F0), ref: 046B35C2
RegCloseKey.KERNEL32(?), ref: 046B35CD

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 94471eac03ca792bf8f233eef24bd149c0e43875275b8f1bbcaf31cc93ab4496
Instruction ID: 5e6ad91c8d232fee819f466c30025e8ab7256d95156b4d1cbff27239251c3428
Opcode Fuzzy Hash: 94471eac03ca792bf8f233eef24bd149c0e43875275b8f1bbcaf31cc93ab4496
Instruction Fuzzy Hash: 5EF01DB6A40218BFDF109EA49C45FED7BBCEB04710F108095BE44E6240E6355E589B90

Function 046B353A Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,046AC1D7,04706C58), ref: 046B3551
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,046AC1D7,04706C58), ref: 046B3565
RegCloseKey.KERNEL32(?,?,?,046AC1D7,04706C58), ref: 046B3570

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 36cdfd1a62b866f2b5d9ca566a40805d562416b079ccbaf59226d6f53dc67acd
Instruction ID: 604bee38c57f02bd6bed25b927742980183469f75d8bbe47e4d2c1dc7ff15c15
Opcode Fuzzy Hash: 36cdfd1a62b866f2b5d9ca566a40805d562416b079ccbaf59226d6f53dc67acd
Instruction Fuzzy Hash: 1FE06572902138FBDF204AA29C0DEEB7F6CDF467A0B004144BD4891100E2255E94E6E0

Function 046B38B2 Relevance: 4.5, APIs: 3, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,047060B4), ref: 046B38C0
RegSetValueExA.KERNEL32(047060B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,046AC18D,04706C58,00000001,000000AF,047060B4), ref: 046B38DB
RegCloseKey.ADVAPI32(047060B4,?,?,?,046AC18D,04706C58,00000001,000000AF,047060B4), ref: 046B38E6

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 45e43a1d5596e11897351f0773731447cd807626af6846eae92b682f944d9f09
Instruction ID: 29208ab287523fe077a61ce123365ed4d34c3476323d83305eb4a6bd4b7c8d0e
Opcode Fuzzy Hash: 45e43a1d5596e11897351f0773731447cd807626af6846eae92b682f944d9f09
Instruction Fuzzy Hash: 8FE06DB2600218FBDF109EA09C06FEA7B6CEF05B50F004159BF48A6240F6359E58EBE1

Function 046BB847 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 046BB85B

Strings

@, xrefs: 046BB851

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: dc57db35dad9affc37c49d9dc991d991bed13fbaac89b09cdb8b394f9971f5ed
Instruction ID: 889558bafcff7fb9ca907a845d01ef0f09a8362018591a502253bc7d983e2a2b
Opcode Fuzzy Hash: dc57db35dad9affc37c49d9dc991d991bed13fbaac89b09cdb8b394f9971f5ed
Instruction Fuzzy Hash: 0ED017B58023189FC720DFA8E804A8DBBFCFB08210F00416AEC49E3700E774AC008B84

Function 046B5B25 Relevance: 3.2, APIs: 2, Instructions: 163COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 046B5B4A
GetTickCount.KERNEL32 ref: 046B5BC1

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID:
API String ID: 180926312-0
Opcode ID: b6b7f5fac6c18f06c3582eaca2f55a90cf9461522b225e887bb235e8a70fcdb5
Instruction ID: f4600a523486b9dae7865c0add0eff9ad0ba829103f87bd8b3a6c799fce377d5
Opcode Fuzzy Hash: b6b7f5fac6c18f06c3582eaca2f55a90cf9461522b225e887bb235e8a70fcdb5
Instruction Fuzzy Hash: 675190316086409AE724FB30D860AFF73E5AF91208F50492EE596572D0FF307D5ACB9A

Function 046E6206 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 046E6227

Part of subcall function 046E61B8: RtlAllocateHeap.NTDLL(00000000,046D5349,?,?,046D88C7,?,?,pth_unenc,?,?,046ADE9D,046D5349,?,?,?,?), ref: 046E61EA

HeapReAlloc.KERNEL32(00000000,?,00000001,00000000,00000001,?,046B1C0F,?,?,046B1F2B), ref: 046E6263

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 8bdcf1fd85f6b7dff2c4240b448b26e8adb1bcac885805b9d9b6e53bb34029e4
Instruction ID: 2b742bc6a930b84584535ab3e6693ec0a9a6a68bf167bb9070c8c5f5018c9f15
Opcode Fuzzy Hash: 8bdcf1fd85f6b7dff2c4240b448b26e8adb1bcac885805b9d9b6e53bb34029e4
Instruction Fuzzy Hash: 09F0FC316431156DEB312A27EC04F7B37D98FF1674B944119EC5466282FF70F8025564

Function 046A482D Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00000001,00000006), ref: 046A4852
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,046A530B,?,?,?,00000000,046AD2DD,?,?,?,?,046A522E), ref: 046A488E

Part of subcall function 046A489E: WSAStartup.WS2_32(00000202,00000000), ref: 046A48B3

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateEventStartupsocket
String ID:
API String ID: 1953588214-0
Opcode ID: 5b9d99c077a54f2191dc4d971363eabb661126d0ae12cafd2fc73c4a9c491042
Instruction ID: 697c671f2aa9e30548d94566c9345d2a4bc8316e9ff7673305dd1cf8eb5befd7
Opcode Fuzzy Hash: 5b9d99c077a54f2191dc4d971363eabb661126d0ae12cafd2fc73c4a9c491042
Instruction Fuzzy Hash: AE017CB1408B809EE7398F28B8457867FE4AB15304F04899EF4D697B92E7B5A845CF11

Function 046A165E Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
Instruction ID: be9fc91ae4c82703dfce11e8609fc63fb2b57c59b7cc353056b325bc6fd26a10
Opcode Fuzzy Hash: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
Instruction Fuzzy Hash: 7DF0BE70B046116ADB0C8F3489506B937954B81225F1C9A2EF02AC61D0FB30ECA58A08

Function 046BBB27 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 046BBB49
GetWindowTextW.USER32(00000000,?,00000100), ref: 046BBB5C

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Window$ForegroundText
String ID:
API String ID: 29597999-0
Opcode ID: 5ce4bd7b47f4940371790ce143f83220a751e9fb0619584fe0199654e7a1b2ba
Instruction ID: ab132e640c08602cacad450f9dcdfa102dc0a6a793c7af731635faf56210d5e3
Opcode Fuzzy Hash: 5ce4bd7b47f4940371790ce143f83220a751e9fb0619584fe0199654e7a1b2ba
Instruction Fuzzy Hash: B2E048B6A0032867F724A6A4DC4DFE5776CD744754F000199F51CD21C5FDA46D148BE5

Function 046B4F24 Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000000,00000000,04712ADC,047150E4,00000000,046B51C3,00000000,00000001), ref: 046B4F46
WSASetLastError.WS2_32(00000000), ref: 046B4F4B

Part of subcall function 046B4DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 046B4E10
Part of subcall function 046B4DC1: LoadLibraryA.KERNEL32(?), ref: 046B4E52
Part of subcall function 046B4DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 046B4E72
Part of subcall function 046B4DC1: FreeLibrary.KERNEL32(00000000), ref: 046B4E79
Part of subcall function 046B4DC1: LoadLibraryA.KERNEL32(?), ref: 046B4EB1
Part of subcall function 046B4DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 046B4EC3
Part of subcall function 046B4DC1: FreeLibrary.KERNEL32(00000000), ref: 046B4ECA
Part of subcall function 046B4DC1: GetProcAddress.KERNEL32(00000000,?), ref: 046B4ED9

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
String ID:
API String ID: 1170566393-0
Opcode ID: bc0e6960e312430ae4a05f2f1d977cc7b653c10eac38d2e8edc765ff1dfe5158
Instruction ID: a0c0c4b73aeabc1a6eab6a09b79a06bbd01daf3efcca45d29805a66cfe9c8fa7
Opcode Fuzzy Hash: bc0e6960e312430ae4a05f2f1d977cc7b653c10eac38d2e8edc765ff1dfe5158
Instruction Fuzzy Hash: BED05B322001216FD330665D5C00FFF9A9CDFD5760B114027FC40D3211EA549C4187E1

Function 046AD0A4 Relevance: 3.0, APIs: 2, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,046AEC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,047060CC,00000003,00000000), ref: 046AD0B3
GetLastError.KERNEL32 ref: 046AD0BE

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID:
API String ID: 1925916568-0
Opcode ID: 52d303a9b71887eaf0d656966972b36e3cb353c731aece7b9072d1bbdd59cbde
Instruction ID: 423f39365538c1b2a327438de498e8be4c5f7fbf67c3eedb56eb762a0bd1a481
Opcode Fuzzy Hash: 52d303a9b71887eaf0d656966972b36e3cb353c731aece7b9072d1bbdd59cbde
Instruction Fuzzy Hash: 79D080F0715300AFFB0C6BB8D45979C3AA5D744705F80446CF147D59D0EB7C8C948911

Function 046A9E1F Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 046A9E38

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 6efe2c6e3f75fec4a24ce4346516148e57aa0e0aa4b990ecba77c756eef2015c
Instruction ID: 476d168c3422d3d911a3e37aef29e43e335a251e6541ec1f962f844c2f8d3953
Opcode Fuzzy Hash: 6efe2c6e3f75fec4a24ce4346516148e57aa0e0aa4b990ecba77c756eef2015c
Instruction Fuzzy Hash: DD1190719006449BDB19EF68E8509EF7BF5AF54218F10441EE806532A0FF34BD25CF98

Function 046E61B8 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,046D5349,?,?,046D88C7,?,?,pth_unenc,?,?,046ADE9D,046D5349,?,?,?,?), ref: 046E61EA

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cbe3e8a15f9369283789e0b9b3ce22fdd79ad685d2becfdfb652a346a7320c89
Instruction ID: c806fd4de81a1cfeb07a7ac9abb40e070e054859a7cee2dadf33d2ac4838c2ff
Opcode Fuzzy Hash: cbe3e8a15f9369283789e0b9b3ce22fdd79ad685d2becfdfb652a346a7320c89
Instruction Fuzzy Hash: 05E0E531A0322156E7322A6FDC04BFB37D98F713E0F540121AD05A6682FF12F80181E5

Function 046A489E Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 046A48B3

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: d3f03de5b5304c40debaa6630b65a48176a391b73a51db07ed1ddc160be3a857
Instruction ID: 42827499c6cc554848d6d95895d3a2995bf173ea25c77ea13a65aba4f3bcc810
Opcode Fuzzy Hash: d3f03de5b5304c40debaa6630b65a48176a391b73a51db07ed1ddc160be3a857
Instruction Fuzzy Hash: E8D0127255860C4EE730A9B8A80F9E4775CC316615F0047AB6CF5836D3F6441B1CC2A7

Function 046C6D42 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 046C6D4C

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: a4b0eb857beb097382c9296baca52c85b3b79ab839a5471a47a867245dcddb29
Instruction ID: 5b7f8728389eac80bb96758906ddf036c9b794600e4ce70dbc738b3b2235104b
Opcode Fuzzy Hash: a4b0eb857beb097382c9296baca52c85b3b79ab839a5471a47a867245dcddb29
Instruction Fuzzy Hash: 84B092B9208202FF8B054B60C81486ABEA6EBC8381B00881CB58640230E636C864AB21

Function 046C6D59 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 046C6D63

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 94a612a2e45aa0c8b3f9a4f96cae27a2ca782c3959f8ebe97bd3e59bf7fe8ed2
Instruction ID: ed08634b9dde170bc5274a3b899e365ffc82f01bc171a1781734bdb5d85f73e8
Opcode Fuzzy Hash: 94a612a2e45aa0c8b3f9a4f96cae27a2ca782c3959f8ebe97bd3e59bf7fe8ed2
Instruction Fuzzy Hash: 23B09B75104301FF97050760C81486A7D65D7C8340F00490C71C741230E535C8505B21

Non-executed Functions

Function 0041C460 Relevance: 43.9, APIs: 29, Instructions: 417windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 0041C48D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0041C4A5
IsWindow.USER32(?), ref: 0041C4DF
DestroyWindow.USER32(?), ref: 0041C4EC
DeleteObject.GDI32(?), ref: 0041C503
DeleteObject.GDI32(?), ref: 0041C51E
IsWindow.USER32 ref: 0041C578
SendMessageW.USER32(?,00000407,00000000,?), ref: 0041C59D

Part of subcall function 0041C010: GetClassNameW.USER32(?,?,00000008), ref: 0041C075
Part of subcall function 0041C010: lstrcmpiW.KERNEL32(?,static), ref: 0041C088
Part of subcall function 0041C010: GetWindowLongW.USER32(?,000000F0), ref: 0041C096
Part of subcall function 0041C010: SetWindowLongW.USER32(?,000000F0,00000000), ref: 0041C0AD
Part of subcall function 0041C010: GetWindowLongW.USER32(?,000000F0), ref: 0041C0B7
Part of subcall function 0041C010: LoadCursorW.USER32(00000000,00007F89), ref: 0041C0FD

InvalidateRect.USER32(?,00000000,00000001), ref: 0041C606
PtInRect.USER32(?,?,?), ref: 0041C65C
SetCursor.USER32(?,?,?), ref: 0041C669
InvalidateRect.USER32(?,?,00000001,?,?), ref: 0041C68C
UpdateWindow.USER32(?), ref: 0041C695
TrackMouseEvent.USER32 ref: 0041C6BF
InvalidateRect.USER32(?,?,00000001,?,?), ref: 0041C6F6
UpdateWindow.USER32(?), ref: 0041C6FF
PtInRect.USER32(?,?,?), ref: 0041C765
SetFocus.USER32(?,?,?,?), ref: 0041C776
SetCapture.USER32(?,?,?,?), ref: 0041C77F
GetCapture.USER32 ref: 0041C7A1
ReleaseCapture.USER32 ref: 0041C7B0
PtInRect.USER32(?,?,?), ref: 0041C7CA
InvalidateRect.USER32(?,00000000,00000001,?), ref: 0041C8B8
UpdateWindow.USER32(?), ref: 0041C8C1

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Rect$Long$Invalidate$CaptureUpdate$CursorDeleteObject$ClassDestroyEventFocusLoadMessageMouseNameReleaseSendTracklstrcmpi
String ID:
API String ID: 3027185170-0
Opcode ID: c60218be6e99dc0e06fba895591131b84a01a8321079d1cd13fe00a6cec5bd74
Instruction ID: cc6e0afa77325fec2447a9afd9b0d4256c451b4bc2748adb1fc5280de1186ee1
Opcode Fuzzy Hash: c60218be6e99dc0e06fba895591131b84a01a8321079d1cd13fe00a6cec5bd74
Instruction Fuzzy Hash: D0E102326403458BDB319F18DDC47ABBBE5FF41325F00092BF486866A1C7B9E895CB59

Function 046A7CD2 Relevance: 34.1, APIs: 10, Strings: 9, Instructions: 835filesleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 046A7CF4
GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 046A7DC2
DeleteFileW.KERNEL32(00000000), ref: 046A7DE4

Part of subcall function 046BC322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,047152D8,047152F0,00000001), ref: 046BC37D
Part of subcall function 046BC322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,047152D8,047152F0,00000001), ref: 046BC3AD
Part of subcall function 046BC322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,047152D8,047152F0,00000001), ref: 046BC402
Part of subcall function 046BC322: FindClose.KERNEL32(00000000,?,?,?,?,?,047152D8,047152F0,00000001), ref: 046BC463
Part of subcall function 046BC322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,047152D8,047152F0,00000001), ref: 046BC46A

Part of subcall function 046A4AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 046A4B36

Part of subcall function 046BB580: GetLocalTime.KERNEL32(00000000), ref: 046BB59A

Part of subcall function 046A4AA1: WaitForSingleObject.KERNEL32(?,00000000,046A45E6,?,?,00000004,?,?,00000004,046AD2DD,00000000,?), ref: 046A4B47
Part of subcall function 046A4AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,046AD2DD,00000000,?,?,?,?,?,?,046A45E6), ref: 046A4B75

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 046A81D2
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 046A82B3
SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 046A84FF
DeleteFileA.KERNEL32(?), ref: 046A868D

Part of subcall function 046A8847: __EH_prolog.LIBCMT ref: 046A884C
Part of subcall function 046A8847: FindFirstFileW.KERNEL32(00000000,?,04706618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 046A8905
Part of subcall function 046A8847: __CxxThrowException@8.LIBVCRUNTIME ref: 046A892D
Part of subcall function 046A8847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 046A893A

Sleep.KERNEL32(000007D0), ref: 046A8733
StrToIntA.SHLWAPI(00000000,00000000), ref: 046A8775

Part of subcall function 046BCA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 046BCB68

Strings

Downloading file: , xrefs: 046A7FB8
Failed to download file: , xrefs: 046A80E0
Browsing directory: , xrefs: 046A8273
Deleted file: , xrefs: 046A7E03
Unable to delete: , xrefs: 046A7E42
Executing file: , xrefs: 046A81E8
Unable to rename file!, xrefs: 046A844E
open, xrefs: 046A81CC
Downloaded file: , xrefs: 046A8069

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
API String ID: 1067849700-1507758755
Opcode ID: 3448c2d0f751fd096159ff4b73f6fbc3c5f8210211dedb4ea65c5e47f0e3f13b
Instruction ID: 50d58c9ef60718278d6862d622b61642adf8276893f2a8f2aaa34d9f22dabd1d
Opcode Fuzzy Hash: 3448c2d0f751fd096159ff4b73f6fbc3c5f8210211dedb4ea65c5e47f0e3f13b
Instruction Fuzzy Hash: D842B471604B406BE608FB74CC65DEE77A5AF91648F80482CE152572D0FE24BE29CF9B

Function 046A569A Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 278pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 046A56E6

Part of subcall function 046A4AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 046A4B36

__Init_thread_footer.LIBCMT ref: 046A5723
CreatePipe.KERNEL32(04716CCC,04716CB4,04716BD8,00000000,047060CC,00000000), ref: 046A57B6
CreatePipe.KERNEL32(04716CB8,04716CD4,04716BD8,00000000), ref: 046A57CC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,04716BE8,04716CBC), ref: 046A583F
Sleep.KERNEL32(0000012C,00000093,?), ref: 046A5897
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 046A58BC
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 046A58E9

Part of subcall function 046D4801: __onexit.LIBCMT ref: 046D4807

WriteFile.KERNEL32(00000000,00000000,?,00000000,04714F90,047060D0,00000062,047060B4), ref: 046A59E4
Sleep.KERNEL32(00000064,00000062,047060B4), ref: 046A59FE
TerminateProcess.KERNEL32(00000000), ref: 046A5A17
CloseHandle.KERNEL32 ref: 046A5A23
CloseHandle.KERNEL32 ref: 046A5A2B
CloseHandle.KERNEL32 ref: 046A5A3D
CloseHandle.KERNEL32 ref: 046A5A45

Strings

cmd.exe, xrefs: 046A574D
SystemDrive, xrefs: 046A5761

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: SystemDrive$cmd.exe
API String ID: 2994406822-3633465311
Opcode ID: c43c15009066aa7653c4a46c0bb591a1164a016f2b81e5e659de39863cf20065
Instruction ID: 36edc342e09be7d5e3710a4e10214865c703cbfdede423cfdaa583973f67f7b7
Opcode Fuzzy Hash: c43c15009066aa7653c4a46c0bb591a1164a016f2b81e5e659de39863cf20065
Instruction Fuzzy Hash: B491E6B1605684BFE710FF28EC50E6E7B99EB40248F00442DF546663A1FE25BC28CF65

Function 046B2132 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 046B2141

Part of subcall function 046B38B2: RegCreateKeyA.ADVAPI32(80000001,00000000,047060B4), ref: 046B38C0
Part of subcall function 046B38B2: RegSetValueExA.KERNEL32(047060B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,046AC18D,04706C58,00000001,000000AF,047060B4), ref: 046B38DB
Part of subcall function 046B38B2: RegCloseKey.ADVAPI32(047060B4,?,?,?,046AC18D,04706C58,00000001,000000AF,047060B4), ref: 046B38E6

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 046B2181
CloseHandle.KERNEL32(00000000), ref: 046B2190
CreateThread.KERNEL32(00000000,00000000,046B2829,00000000,00000000,00000000), ref: 046B21E6
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 046B2455

Strings

Remcos restarted by watchdog!, xrefs: 046B219B
WinDir, xrefs: 046B2256, 046B22AB
Watchdog module activated, xrefs: 046B21BF, 046B2417
rmclient.exe, xrefs: 046B2325
WDH, xrefs: 046B21F0, 046B21F6, 046B245B
Watchdog launch failed!, xrefs: 046B23BE
\SysWOW64\, xrefs: 046B229C
svchost.exe, xrefs: 046B2300
\system32\, xrefs: 046B2244
fsutil.exe, xrefs: 046B234A

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
API String ID: 3018269243-13974260
Opcode ID: 31419650d63ca36ccf92176c829d1b1e3f2e87c56cf87067ec7127f2a727568d
Instruction ID: af804750b6a521658bbf2158182a1e3f1f899aa4739d373d550818fcf9a96dd3
Opcode Fuzzy Hash: 31419650d63ca36ccf92176c829d1b1e3f2e87c56cf87067ec7127f2a727568d
Instruction Fuzzy Hash: 2A71A1716046409BE708FB74DC698EE77E4AF91208F40496CE482522D0FF64BD59CFEA

Function 046ABB6B Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 046ABBEA
FindClose.KERNEL32(00000000), ref: 046ABC04
FindNextFileA.KERNEL32(00000000,?), ref: 046ABD27
FindClose.KERNEL32(00000000), ref: 046ABD4D

Strings

\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 046ABB8D
[Firefox StoredLogins not found], xrefs: 046ABC0F
[Firefox StoredLogins Cleared!], xrefs: 046ABD3A
UserProfile, xrefs: 046ABB9B
\key3.db, xrefs: 046ABCB1
\logins.json, xrefs: 046ABC6F

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: c10df9aba2062cb5d14cbb3a276082dab7c1d5232507fee1f3bc1377232a26ca
Instruction ID: 62a7f747d7e9b1285dd9aac26afccb8e819e3466b187e6c5cffd19a6e18ddbfc
Opcode Fuzzy Hash: c10df9aba2062cb5d14cbb3a276082dab7c1d5232507fee1f3bc1377232a26ca
Instruction Fuzzy Hash: CF519E719109199BEB14FBB0DC64EEDB7B8AF11308F14416EE106A22D0FF207E6ACE54

Function 046ABD72 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 046ABDEA
FindClose.KERNEL32(00000000), ref: 046ABE04
FindNextFileA.KERNEL32(00000000,?), ref: 046ABEC4
FindClose.KERNEL32(00000000), ref: 046ABEEA
FindClose.KERNEL32(00000000), ref: 046ABF0B

Strings

\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 046ABD8D
[Firefox Cookies not found], xrefs: 046ABE0F, 046ABED7
UserProfile, xrefs: 046ABD9B
[Firefox cookies found, cleared!], xrefs: 046ABF1A
\cookies.sqlite, xrefs: 046ABE67

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 20f81bb69fe2f632766979f91241e677ef2d4fe4a179abe5a771505e35b99c1b
Instruction ID: 0a9d27886fca9c4107e0354d9dd56ad8f45460c6b71a60667cb1c96d031b0fcd
Opcode Fuzzy Hash: 20f81bb69fe2f632766979f91241e677ef2d4fe4a179abe5a771505e35b99c1b
Instruction Fuzzy Hash: F741D371900A199BEB14F7B4DC659ED77B8AF12708F40415DE506A22C0FF207E6ACE94

Function 046B68FC Relevance: 18.1, APIs: 12, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 046B68FD
EmptyClipboard.USER32 ref: 046B690B
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 046B692B
GlobalLock.KERNEL32(00000000), ref: 046B6934
GlobalUnlock.KERNEL32(00000000), ref: 046B696A
SetClipboardData.USER32(0000000D,00000000), ref: 046B6973
CloseClipboard.USER32 ref: 046B6990
OpenClipboard.USER32 ref: 046B6997
GetClipboardData.USER32(0000000D), ref: 046B69A7
GlobalLock.KERNEL32(00000000), ref: 046B69B0
GlobalUnlock.KERNEL32(00000000), ref: 046B69B9
CloseClipboard.USER32 ref: 046B69BF

Part of subcall function 046A4AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 046A4B36

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID:
API String ID: 3520204547-0
Opcode ID: aa5dc3b6e0282755cac0b787c5d68e635964cb77141c30666ba5129e363f2efa
Instruction ID: 6c97c4190b30c78885dedf1e589f112342ba4fdd0fef89a38f12b3c563e85daa
Opcode Fuzzy Hash: aa5dc3b6e0282755cac0b787c5d68e635964cb77141c30666ba5129e363f2efa
Instruction Fuzzy Hash: 982151B22046006FE714BBB0DC5CBEE76A9EF95705F00142DF582821D0FE38AC588B66

Function 046AF4AF Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 210processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,047150E4,?,04715338), ref: 046AF4C9
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,04715338), ref: 046AF4F4
Process32FirstW.KERNEL32(00000000,0000022C), ref: 046AF510
Process32NextW.KERNEL32(00000000,0000022C), ref: 046AF58F
CloseHandle.KERNEL32(00000000,?,00000000,?,?,04715338), ref: 046AF59E

Part of subcall function 046BC26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 046BC286
Part of subcall function 046BC26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 046BC299

CloseHandle.KERNEL32(00000000,?,04715338), ref: 046AF6A9

Strings

Inj, xrefs: 046AF7A4
ielowutil.exe, xrefs: 046AF751
C:\Program Files(x86)\Internet Explorer\, xrefs: 046AF6F9
ieinstal.exe, xrefs: 046AF710

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
API String ID: 3756808967-1743721670
Opcode ID: a36ae85628910420c76d4bb74226166725531622e540821f4f6a6a2314d763f2
Instruction ID: 05db66a3f9e4fb07b96d5ef99e8193a4af9dcffe803082e8490947884e5c4a58
Opcode Fuzzy Hash: a36ae85628910420c76d4bb74226166725531622e540821f4f6a6a2314d763f2
Instruction Fuzzy Hash: 15714F705087819BE758FB20D8509EEB7E5AF91248F40482DE586432A1FF34BD5ECF9A

Function 00421890 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 320sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 004218E5
GetLastError.KERNEL32 ref: 00421A2D
GetLastError.KERNEL32 ref: 00421BB9

Part of subcall function 004046F0: GetProcessHeap.KERNEL32 ref: 00404745

GetTickCount.KERNEL32 ref: 00421BD3
Sleep.KERNEL32(000001F4), ref: 00421BEA
GetTickCount.KERNEL32 ref: 00421C0F
GetLastError.KERNEL32 ref: 00421C53

Strings

Unable to open SCM error code: , xrefs: 00421943
OpenService failed error code: , xrefs: 00421A84

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CountTick$HeapProcessSleep
String ID: OpenService failed error code: $Unable to open SCM error code:
API String ID: 873169069-3695868027
Opcode ID: ad8e24634e67280c8b07371f74fb74923a526a45fd3fc7b59d286bc0252b9e7c
Instruction ID: 39752a2110ee06778517b481096a0b1311fa2d9b37b91275ccf1ec5dd84c5f72
Opcode Fuzzy Hash: ad8e24634e67280c8b07371f74fb74923a526a45fd3fc7b59d286bc0252b9e7c
Instruction Fuzzy Hash: 20C14571B002159FCB00DF68D999B6EBBB5FF88314F14412EE905A7392DB789D01CBA6

Function 046B9662 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 206COMMON

Download Yara Rule

Strings

0, xrefs: 046B968C
5, xrefs: 046B9844
6, xrefs: 046B984E
1, xrefs: 046B96D0
2, xrefs: 046B972F
4, xrefs: 046B97F3
3, xrefs: 046B978F
7, xrefs: 046B9865

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: 9b4f6e8266a465965b1362a831234362a08ad705f2d935e65f7b0e496278b66d
Instruction ID: 646667af690dfd7641b55dc184e19f604a20c1d8b8b934f394851000bf4a7792
Opcode Fuzzy Hash: 9b4f6e8266a465965b1362a831234362a08ad705f2d935e65f7b0e496278b66d
Instruction Fuzzy Hash: 1E718DB0508301AFE718EF20E894BBA7B949F95714F04491DEA92572D0FA70BE4DCB96

Function 046A7538 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 56COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 046A755C
CoGetObject.OLE32(?,00000024,04706528,00000000), ref: 046A75BD

Strings

[+] CoGetObject SUCCESS, xrefs: 046A75D0
[+] CoGetObject, xrefs: 046A759C
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 046A7551, 046A7556, 046A7595
Elevation:Administrator!new:, xrefs: 046A757D
[-] CoGetObject FAILURE, xrefs: 046A75C9
$, xrefs: 046A7576
[+] ucmAllocateElevatedObject, xrefs: 046A7543

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: 6b44e862a5ee9ac9e00c160c1a853aa2434c2e533123e932a781bed054cdf5c5
Instruction ID: d6c77d5337ddfd3bc1599a3b05012f5566a35ae34599e5d7b88dd4485b2b848a
Opcode Fuzzy Hash: 6b44e862a5ee9ac9e00c160c1a853aa2434c2e533123e932a781bed054cdf5c5
Instruction Fuzzy Hash: 091186B1901218EBE710EBA4C854ADEF7FCDB14715F040069E505A3340FA74FE158EA9

Function 046BA7D9 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,047158E8), ref: 046BA7EF
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 046BA83E
GetLastError.KERNEL32 ref: 046BA84C
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 046BA884

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: d9b099ea556a911ae8362ae1a2590af463ec721a762dc9c16831200b77a1e734
Instruction ID: 259c4fa85839eaeb6cbf5035e5c8714af914836e78d7541e08c0f3e883b409b6
Opcode Fuzzy Hash: d9b099ea556a911ae8362ae1a2590af463ec721a762dc9c16831200b77a1e734
Instruction Fuzzy Hash: 24815871108340ABE304EB60D894DAFB7E8FF95208F50081DB58682290FF70BE59CF96

Function 046AC388 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 046AC3D6
FindNextFileW.KERNEL32(00000000,?), ref: 046AC4A9
FindClose.KERNEL32(00000000), ref: 046AC4B8
FindClose.KERNEL32(00000000), ref: 046AC4E3

Strings

\cookies.sqlite, xrefs: 046AC444
AppData, xrefs: 046AC393
\Mozilla\Firefox\Profiles\, xrefs: 046AC3A9

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 1164774033-405221262
Opcode ID: 24036ebd39860c29435fea74a6de66369d16df290595470f1dbeb116c5e908c1
Instruction ID: feb5ef96cb406de8d09a43316a50570f92889414857eec7ea3fa6d676dcffc26
Opcode Fuzzy Hash: 24036ebd39860c29435fea74a6de66369d16df290595470f1dbeb116c5e908c1
Instruction Fuzzy Hash: 433183719046299ADB18F7A0DC58DFE77F9EF51618F00016DE006A2190FF74BE6ACE48

Function 046BC322 Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,047152D8,047152F0,00000001), ref: 046BC37D
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,047152D8,047152F0,00000001), ref: 046BC3AD
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,047152D8,047152F0,00000001), ref: 046BC41F
DeleteFileW.KERNEL32(?,?,?,?,?,?,047152D8,047152F0,00000001), ref: 046BC42C

Part of subcall function 046BC322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,047152D8,047152F0,00000001), ref: 046BC402

GetLastError.KERNEL32(?,?,?,?,?,047152D8,047152F0,00000001), ref: 046BC44D
FindClose.KERNEL32(00000000,?,?,?,?,?,047152D8,047152F0,00000001), ref: 046BC463
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,047152D8,047152F0,00000001), ref: 046BC46A
FindClose.KERNEL32(00000000,?,?,?,?,?,047152D8,047152F0,00000001), ref: 046BC473

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 41a472a94448e763ee84103c0635305d9041efd1f052258193b8c35c7b2ba304
Instruction ID: 1ccefc94832b526eec7039ac5f8e7316d9584b5edd2ef7678e4071506e1567f2
Opcode Fuzzy Hash: 41a472a94448e763ee84103c0635305d9041efd1f052258193b8c35c7b2ba304
Instruction Fuzzy Hash: 8631557290031C9AEB24DAA0DC48FEA777CEF55304F4405AEE59AD2150FB35ABC88B95

Function 0040FC10 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 349fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,BB40E64E,?), ref: 0040FC6B
GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?,00000000), ref: 0040FDD7
Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 0040FE85
CopyFileW.KERNEL32(?,?,00000000), ref: 0040FEA7
Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 0040FF2F
DeleteFileW.KERNEL32(?,BB40E64E,?,00000000,004C9200,000000FF,?,80004005,?), ref: 0041003D

Strings

shim_clone, xrefs: 0040FDD1

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Wow64$File$Redirection$CopyDeleteDisableFolderNamePathRevertTemp
String ID: shim_clone
API String ID: 3507832535-3944563459
Opcode ID: 1a7c1ff960a6a06aacd34bb3b24c251c9ea9d718bc5cfe0ac4f7c2925e8cc472
Instruction ID: c08c0a1cd291d88cf78de6f197e1c5732bf27c23d445f8b37fa542b5998dafc0
Opcode Fuzzy Hash: 1a7c1ff960a6a06aacd34bb3b24c251c9ea9d718bc5cfe0ac4f7c2925e8cc472
Instruction Fuzzy Hash: A9C11574A002559FCB24DF24CC45BAA77B4EF55304F0480BEE906E76D2EB789E49CB58

Function 046AA41B Relevance: 12.1, APIs: 8, Instructions: 112keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,047150F0), ref: 046AA451
GetWindowThreadProcessId.USER32(00000000,?), ref: 046AA45D
GetKeyboardLayout.USER32(00000000), ref: 046AA464
GetKeyState.USER32(00000010), ref: 046AA46E
GetKeyboardState.USER32(?,?,047150F0), ref: 046AA479
ToUnicodeEx.USER32(04715144,?,?,?,00000010,00000000,00000000), ref: 046AA49C
ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 046AA4FC
ToUnicodeEx.USER32(04715144,?,?,?,00000010,00000000,00000000), ref: 046AA535

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID:
API String ID: 1888522110-0
Opcode ID: 2e5076aa4f6faf791242acb04051e6a36da34764034469e7dc662ef93f1cfebe
Instruction ID: fdebfd91c04aa5ecfefafaedfd73edfec3b42b1bd413e0f6cfd9770cd0a47210
Opcode Fuzzy Hash: 2e5076aa4f6faf791242acb04051e6a36da34764034469e7dc662ef93f1cfebe
Instruction Fuzzy Hash: D8314EB2544708BFD710DA94DC44FDB77EDEB88744F00082AF285961A0E6B5B959CBA2

Function 046B4005 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 382registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 046B40D8
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 046B40E4

Part of subcall function 046A4AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 046A4B36

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 046B42A5
GetProcAddress.KERNEL32(00000000), ref: 046B42AC

Strings

SHDeleteKeyW, xrefs: 046B429B
Shlwapi.dll, xrefs: 046B42A0

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: 893b472060b0558bb4c812efb0493eefc7c5c19e05e035ce60a54adca37f8c82
Instruction ID: e3b6cc109e2d637c722507480915b26be96b6c03dd9e902ec5b3d66d7c50c972
Opcode Fuzzy Hash: 893b472060b0558bb4c812efb0493eefc7c5c19e05e035ce60a54adca37f8c82
Instruction Fuzzy Hash: 1AB12971B047006BEA18FB74CC658EF36A8AF92548F40051CE952972D1FE25BD68CBDA

Function 046E9210 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 046E9292
_free.LIBCMT ref: 046E92B6
_free.LIBCMT ref: 046E943D
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,046FF244), ref: 046E944F
WideCharToMultiByte.KERNEL32(00000000,00000000,04712764,000000FF,00000000,0000003F,00000000,?,?), ref: 046E94C7
WideCharToMultiByte.KERNEL32(00000000,00000000,047127B8,000000FF,?,0000003F,00000000,?), ref: 046E94F4
_free.LIBCMT ref: 046E9609

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: cb894764bd8e0c77dce5a809b7a84dd897551f86a8b54702eca2ba5af50f4140
Instruction ID: 251282a0e22307b2353c50d440a74da7361685c20dfd1109009df05730edefd2
Opcode Fuzzy Hash: cb894764bd8e0c77dce5a809b7a84dd897551f86a8b54702eca2ba5af50f4140
Instruction Fuzzy Hash: 86C106B1A02244AFEB24AF7AC840AFA7BF8EF55314F14419ED59497391F730AE06CB54

Function 046ABA4D Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 046ABA89
GetLastError.KERNEL32 ref: 046ABA93

Strings

\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 046ABA54
[Chrome StoredLogins found, cleared!], xrefs: 046ABAB9
UserProfile, xrefs: 046ABA59
[Chrome StoredLogins not found], xrefs: 046ABAAD

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: 1cac1634b8537f73f128b897891a02dd38b5c7c56e619483f210be56eb7cca89
Instruction ID: c3c261f3ed16f44e5b55c9d6d73f4725fa8a89b25e59b3c362ea444bb504c0f6
Opcode Fuzzy Hash: 1cac1634b8537f73f128b897891a02dd38b5c7c56e619483f210be56eb7cca89
Instruction Fuzzy Hash: A501A271A954095B9B04BBB8DC268BE77A4E922908B40011DD602527C0FE117D398F96

Function 046B798D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 046B799A
OpenProcessToken.ADVAPI32(00000000), ref: 046B79A1
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 046B79B3
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 046B79D2
GetLastError.KERNEL32 ref: 046B79D8

Strings

SeShutdownPrivilege, xrefs: 046B79AD

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: b25116a6975cb6d19dc7201dd678332ea11c011d6ce2a849eeb46ca3b20123e9
Instruction ID: eb003b289fa7568db90bc1f27b82e10d65a186cc1c1d0a1a4790aae5b5ff1841
Opcode Fuzzy Hash: b25116a6975cb6d19dc7201dd678332ea11c011d6ce2a849eeb46ca3b20123e9
Instruction Fuzzy Hash: 67F0B2B1902129ABDB10ABA9AD4DEEFBABCEF05315F105058B945A1144E6785E08CAA1

Function 046A928E Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 046A9293

Part of subcall function 046A48C8: connect.WS2_32(?,?,?), ref: 046A48E0

Part of subcall function 046A4AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 046A4B36

__CxxThrowException@8.LIBVCRUNTIME ref: 046A932F
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 046A938D
FindNextFileW.KERNEL32(00000000,?), ref: 046A93E5
FindClose.KERNEL32(00000000), ref: 046A93FC

Part of subcall function 046A4E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,04714EF8,?,00000000,04714EF8,046A4CA8,00000000,?,?,00000000,04714EF8,046A4AC9), ref: 046A4E38
Part of subcall function 046A4E26: SetEvent.KERNEL32(?,?,00000000,04714EF8,046A4CA8,00000000,?,?,00000000,04714EF8,046A4AC9), ref: 046A4E43
Part of subcall function 046A4E26: CloseHandle.KERNEL32(?,?,00000000,04714EF8,046A4CA8,00000000,?,?,00000000,04714EF8,046A4AC9), ref: 046A4E4C

FindClose.KERNEL32(00000000), ref: 046A95F4

Part of subcall function 046A4AA1: WaitForSingleObject.KERNEL32(?,00000000,046A45E6,?,?,00000004,?,?,00000004,046AD2DD,00000000,?), ref: 046A4B47
Part of subcall function 046A4AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,046AD2DD,00000000,?,?,?,?,?,?,046A45E6), ref: 046A4B75

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
String ID:
API String ID: 1824512719-0
Opcode ID: 62db55d03bacaef1b7bea665e6035e7dae18bd49243ffa0613450910f06ca4d0
Instruction ID: 56917bf2693ee92ac00dd223293af12dc7de6515c98d5dc66c3cbdb646bb6424
Opcode Fuzzy Hash: 62db55d03bacaef1b7bea665e6035e7dae18bd49243ffa0613450910f06ca4d0
Instruction Fuzzy Hash: 8BB1AFB29005189BEB14EBA0DC51AEDB7B9AF14308F50455DE506A7290FF30BF69CF94

Function 046BAD09 Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,046BA41F,00000000), ref: 046BAD19
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,046BA41F,00000000), ref: 046BAD2D
CloseServiceHandle.ADVAPI32(00000000,?,?,?,046BA41F,00000000), ref: 046BAD3A
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,046BA41F,00000000), ref: 046BAD6F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,046BA41F,00000000), ref: 046BAD81
CloseServiceHandle.ADVAPI32(00000000,?,?,?,046BA41F,00000000), ref: 046BAD84

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: fb1f45e99551f27cca9bfde46a5f83093bb6b911f42ddd5f9498a7a5ef698847
Instruction ID: 79298505a73a258e2dca3abbd34bd370e9f4b72bf7054eb302ab420babc3234d
Opcode Fuzzy Hash: fb1f45e99551f27cca9bfde46a5f83093bb6b911f42ddd5f9498a7a5ef698847
Instruction Fuzzy Hash: 94012D711451147AD7105AB85C4EFFA3B6CDB43371F00030FFEA5962C0FAA4AE8996E1

Function 046BAADB Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,046BA731,00000000), ref: 046BAAE4
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,046BA731,00000000), ref: 046BAAF9
CloseServiceHandle.ADVAPI32(00000000,?,046BA731,00000000), ref: 046BAB06
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,046BA731,00000000), ref: 046BAB11
CloseServiceHandle.ADVAPI32(00000000,?,046BA731,00000000), ref: 046BAB23
CloseServiceHandle.ADVAPI32(00000000,?,046BA731,00000000), ref: 046BAB26

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 6c7dcd7c910160bacd2f16b543596fe792412d02baa20dc232a72071ba847ed5
Instruction ID: add21bf1347fb9fc63ac61a1a394877fd8a798d891134f1707b83d313e5be264
Opcode Fuzzy Hash: 6c7dcd7c910160bacd2f16b543596fe792412d02baa20dc232a72071ba847ed5
Instruction Fuzzy Hash: E6F089B11411246FE3155A609C88EFF2BACDF86755B00141DFC8592140FB689D8DAAB1

Function 046B67EF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 046B798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 046B799A
Part of subcall function 046B798D: OpenProcessToken.ADVAPI32(00000000), ref: 046B79A1
Part of subcall function 046B798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 046B79B3
Part of subcall function 046B798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 046B79D2
Part of subcall function 046B798D: GetLastError.KERNEL32 ref: 046B79D8

ExitWindowsEx.USER32(00000000,00000001), ref: 046B6891
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 046B68A6
GetProcAddress.KERNEL32(00000000), ref: 046B68AD

Strings

SetSuspendState, xrefs: 046B689C
PowrProf.dll, xrefs: 046B68A1

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: PowrProf.dll$SetSuspendState
API String ID: 1589313981-1420736420
Opcode ID: a26faed97b3eb21d5453c6434f38a05b52ce6367f3ec811cee73edfcf872dd58
Instruction ID: cc7424133c9e212977e429cd43d2de80e5384b717b042f82a1e5be85a2e6d95f
Opcode Fuzzy Hash: a26faed97b3eb21d5453c6434f38a05b52ce6367f3ec811cee73edfcf872dd58
Instruction Fuzzy Hash: 592196607047059BFB14FBF0C864AFE2399AF9264DF40482D6192572C4FE24FC69CB6A

Function 046F24BC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,046F27DB,?,00000000), ref: 046F2555
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,046F27DB,?,00000000), ref: 046F257E
GetACP.KERNEL32(?,?,046F27DB,?,00000000), ref: 046F2593

Strings

ACP, xrefs: 046F24DA
OCP, xrefs: 046F2510

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: eef8054cef598f8559b4f0e79d6fc5d31a3147affabb8ec13cf49bb579c15766
Instruction ID: b7ccd55c193772410feb5e9c1ba77f222064feaa0beaa6d51036456588e438f7
Opcode Fuzzy Hash: eef8054cef598f8559b4f0e79d6fc5d31a3147affabb8ec13cf49bb579c15766
Instruction Fuzzy Hash: 2C21B2A2700105A6DB34CF54CC31A9B73A6EB54B24B4684A4EA89D7214F733FD41CB90

Function 046A96A0 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 046A96A5
FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 046A971D
FindNextFileW.KERNEL32(00000000,?), ref: 046A9746
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 046A975D

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: 2c47a2ab4e4acba40a735e0547430291c6cd836ac5f95fd026ff4fff9098662a
Instruction ID: 2ccf9bc189f927c13ef2678de3f3fb71d100cdc6e7fdac76b246ce29e0086ede
Opcode Fuzzy Hash: 2c47a2ab4e4acba40a735e0547430291c6cd836ac5f95fd026ff4fff9098662a
Instruction Fuzzy Hash: A5814D729005189BEB15EBA0DC909EDB7B8AF15308F24466ED406A7190FF30BF69CF54

Function 046F2690 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 046E8295: GetLastError.KERNEL32(?,00000000,046E1CC5,?,046BBA44,-04716D2C,?,?,?,?,04706478,046AD248,.vbs), ref: 046E8299
Part of subcall function 046E8295: _free.LIBCMT ref: 046E82CC
Part of subcall function 046E8295: SetLastError.KERNEL32(00000000,?,046BBA44,-04716D2C,?,?,?,?,04706478,046AD248,.vbs), ref: 046E830D
Part of subcall function 046E8295: _abort.LIBCMT ref: 046E8313

Part of subcall function 046E8295: _free.LIBCMT ref: 046E82F4
Part of subcall function 046E8295: SetLastError.KERNEL32(00000000,?,046BBA44,-04716D2C,?,?,?,?,04706478,046AD248,.vbs), ref: 046E8301

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 046F279C
IsValidCodePage.KERNEL32(00000000), ref: 046F27F7
IsValidLocale.KERNEL32(?,00000001), ref: 046F2806
GetLocaleInfoW.KERNEL32(?,00001001,046E4AED,00000040,?,046E4C0D,00000055,00000000,?,?,00000055,00000000), ref: 046F284E
GetLocaleInfoW.KERNEL32(?,00001002,046E4B6D,00000040), ref: 046F286D

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: 2df7ebcf1910e6098842256cc60679c6934473f176773911aecc189fe56c189d
Instruction ID: 78c8d34f6ea828e3d19200f6cacf7f2bd9722080ca82a7edb43a48c2f00ea217
Opcode Fuzzy Hash: 2df7ebcf1910e6098842256cc60679c6934473f176773911aecc189fe56c189d
Instruction Fuzzy Hash: 58516371A006059BEB10EFA5CC54BBA73B8EF14704F0444A9EA94EB290F776B944CFA1

Function 046A8847 Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 046A884C
FindFirstFileW.KERNEL32(00000000,?,04706618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 046A8905
__CxxThrowException@8.LIBVCRUNTIME ref: 046A892D
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 046A893A
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 046A8A50

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID:
API String ID: 1771804793-0
Opcode ID: cf85bed0c4bf34eaae87452c8170d47b9f40f9a17bcb4ac8b6be01f0370c1ddd
Instruction ID: c2d4df4edbb31643ae7abd3d54d20865e3285a5250d8308836df1753010f2c5f
Opcode Fuzzy Hash: cf85bed0c4bf34eaae87452c8170d47b9f40f9a17bcb4ac8b6be01f0370c1ddd
Instruction Fuzzy Hash: 505192729016089AEB04FBA4DC559EDBBB8AF11348F50455DA806A3190FF34BF69CF85

Function 046A6EEB Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 046A6FF7
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 046A70DB

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, xrefs: 046A7042, 046A716A
open, xrefs: 046A6FF1

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe$open
API String ID: 2825088817-4014454409
Opcode ID: 7c37c590bfd488b567959b8c65b9dc657f786517d57d41fc3bd00ac01f8cb21e
Instruction ID: ea5efbcb5e1349c3f9abe76e0e99033266d52e589095cb1667e2c973eecfe7fd
Opcode Fuzzy Hash: 7c37c590bfd488b567959b8c65b9dc657f786517d57d41fc3bd00ac01f8cb21e
Instruction Fuzzy Hash: 5A61B171B04A00A7EA14FB74C8659BE37E5AF92648F40091CE552572C1FE24FD39CF9A

Function 0040C5D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 004046F0: GetProcessHeap.KERNEL32 ref: 00404745

GetLocaleInfoW.KERNEL32(00000000,00001004,00000000,00000000,BB40E64E,?,?,00000000), ref: 0040C705

Part of subcall function 00403700: FindResourceW.KERNEL32(00000000,00000001,00000006,?,00000000,?,?,00000000,0000000E), ref: 00403738

GetLocaleInfoW.KERNEL32(00000000,00001004,00000000,00000000,00000000), ref: 0040C752

Strings

%d.%d %s, xrefs: 0040C67A, 0040C68A
%d.0%d %s, xrefs: 0040C639, 0040C649

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale$FindHeapProcessResource
String ID: %d.%d %s$%d.0%d %s
API String ID: 1404449267-1991655823
Opcode ID: 8b4a4db0120ea0a699f96ba4fe436fa533d9055675b9fb7214c960f8a705aa5f
Instruction ID: ed4079b2e3df8ce724cd89c90403f5c8c328d08c1c0417c1c1e5743d1387bba6
Opcode Fuzzy Hash: 8b4a4db0120ea0a699f96ba4fe436fa533d9055675b9fb7214c960f8a705aa5f
Instruction Fuzzy Hash: 79513971A00644AFDB10DF69CD45BAFB7A8EB44324F10467FF901A73C1DBB959048B98

Function 046BCA73 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 046BCB68

Part of subcall function 046B37AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 046B37B9
Part of subcall function 046B37AA: RegSetValueExA.KERNEL32(?,047074C8,00000000,?,00000000,00000000,047152F0,?,?,046AF88E,047074C8,5.1.2 Pro), ref: 046B37E1
Part of subcall function 046B37AA: RegCloseKey.KERNEL32(?,?,?,046AF88E,047074C8,5.1.2 Pro), ref: 046B37EC

Strings

WallpaperStyle, xrefs: 046BCAB3, 046BCAE6, 046BCB36
TileWallpaper, xrefs: 046BCB52
Control Panel\Desktop, xrefs: 046BCAAE, 046BCAE1, 046BCB31

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: a01b889646db855657edf8df6c03119daf5c316e5aca8af45c3758fcf15c2b94
Instruction ID: e9a52a1396143976f8a2328f6e84a4d62b9a375e5452d04ea589a15bc7b496d9
Opcode Fuzzy Hash: a01b889646db855657edf8df6c03119daf5c316e5aca8af45c3758fcf15c2b94
Instruction Fuzzy Hash: 241148A2BC1240B7F81D31398D67FAE29469352B60F40466CEA422A7C5F4C37BA147DA

Function 046F1D58 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 046E8295: GetLastError.KERNEL32(?,00000000,046E1CC5,?,046BBA44,-04716D2C,?,?,?,?,04706478,046AD248,.vbs), ref: 046E8299
Part of subcall function 046E8295: _free.LIBCMT ref: 046E82CC
Part of subcall function 046E8295: SetLastError.KERNEL32(00000000,?,046BBA44,-04716D2C,?,?,?,?,04706478,046AD248,.vbs), ref: 046E830D
Part of subcall function 046E8295: _abort.LIBCMT ref: 046E8313

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,046E4AF4,?,?,?,?,046E454B,?,00000004), ref: 046F1E3A
_wcschr.LIBVCRUNTIME ref: 046F1ECA
_wcschr.LIBVCRUNTIME ref: 046F1ED8
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,046E4AF4,00000000,046E4C14), ref: 046F1F7B

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 83e3899852d9b0ace3e4cb34e5f4ebcd06ac36cf7c2667d2227ffc3de19d3908
Instruction ID: 9d9140216fe2bdaebd85b75d37c21091fe947e1661dad6809a1faabaec4c0bdd
Opcode Fuzzy Hash: 83e3899852d9b0ace3e4cb34e5f4ebcd06ac36cf7c2667d2227ffc3de19d3908
Instruction Fuzzy Hash: 7D61F671A01206EAE724AB75CC45AF673E8EF06784F04056EEB85DB280FB71FD4087A4

Function 046E3355 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,046E332B,00000003,0470E958,0000000C,046E3482,00000003,00000002,00000000,?,046E61B7,00000003), ref: 046E3376
TerminateProcess.KERNEL32(00000000,?,046E332B,00000003,0470E958,0000000C,046E3482,00000003,00000002,00000000,?,046E61B7,00000003), ref: 046E337D
ExitProcess.KERNEL32 ref: 046E338F

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: af0e73c5dcfc5eba6b7ebe2ee35f462030cbbf790e504f201c7427708f55f250
Instruction ID: 93bf2adb3a123417ee40b8ac30fed4d2a20a85eb7effce7c6b173c0cb9d51aa2
Opcode Fuzzy Hash: af0e73c5dcfc5eba6b7ebe2ee35f462030cbbf790e504f201c7427708f55f250
Instruction Fuzzy Hash: F7E0B675012148ABCF116F96DA08E687BAAEF90355F004018FC858B361EB79ED86CB80

Function 046AB749 Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 046AB74C
GetClipboardData.USER32(0000000D), ref: 046AB758
CloseClipboard.USER32 ref: 046AB760

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: 941cf39ce5bed1e28675c6e6f3dd29cd1f041ea43957289d47fddd916fd38609
Instruction ID: dba0d8ab0913ce5c3e740b9b0c6915cb10ba2f77a23e5e4fc62c7de74573a967
Opcode Fuzzy Hash: 941cf39ce5bed1e28675c6e6f3dd29cd1f041ea43957289d47fddd916fd38609
Instruction Fuzzy Hash: 59E0C276309720AFC720AA60D85CF9A7790DF50F51F008018B545A62E0FBB0FC248FA0

Function 046D4CB6 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 046D4CCF

Strings

, xrefs: 046D4E36

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-3916222277
Opcode ID: 9242ae4a4d45f1b8a660740c284a11cdcacf0c8c83b782d94d79822bb91567d7
Instruction ID: 97ddf1af9704406722b712ebba5767a72fe07708c49011018e21775b100c903a
Opcode Fuzzy Hash: 9242ae4a4d45f1b8a660740c284a11cdcacf0c8c83b782d94d79822bb91567d7
Instruction Fuzzy Hash: DE517B71D00208AFEB24CF69D5856AABBF4FB58314F15C56AD415EB254E778A900CF90

Function 046B8EB1 Relevance: 49.3, APIs: 27, Strings: 1, Instructions: 328windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 046B8ECB
CreateCompatibleDC.GDI32(00000000), ref: 046B8ED8

Part of subcall function 046B9360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 046B9390

CreateCompatibleBitmap.GDI32(00000000,?), ref: 046B8F4E
DeleteDC.GDI32(00000000), ref: 046B8F65
DeleteDC.GDI32(00000000), ref: 046B8F68
DeleteObject.GDI32(00000000), ref: 046B8F6B
SelectObject.GDI32(00000000,00000000), ref: 046B8F8C
DeleteDC.GDI32(00000000), ref: 046B8F9D
DeleteDC.GDI32(00000000), ref: 046B8FA0
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 046B8FC4
GetIconInfo.USER32(?,?), ref: 046B8FF8
DeleteObject.GDI32(?), ref: 046B9027
DeleteObject.GDI32(?), ref: 046B9034
DrawIcon.USER32(00000000,?,?,?), ref: 046B9041
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 046B9077
GetObjectA.GDI32(00000000,00000018,?), ref: 046B90A3
LocalAlloc.KERNEL32(00000040,00000001), ref: 046B9110
GlobalAlloc.KERNEL32(00000000,?), ref: 046B917F
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 046B91A3
DeleteDC.GDI32(?), ref: 046B91B7
DeleteDC.GDI32(00000000), ref: 046B91BA
DeleteObject.GDI32(00000000), ref: 046B91BD
GlobalFree.KERNEL32(?), ref: 046B91C8
DeleteObject.GDI32(00000000), ref: 046B927C
GlobalFree.KERNEL32(?), ref: 046B9283
DeleteDC.GDI32(?), ref: 046B9293
DeleteDC.GDI32(00000000), ref: 046B929E

Strings

DISPLAY, xrefs: 046B8EC4

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
String ID: DISPLAY
API String ID: 479521175-865373369
Opcode ID: a69eec76e7c296ba7609c962b725857e6da92aa7e8dfb941fa107bc908f578d8
Instruction ID: 8848149b08daab7ce0397e8bbf7276f5c44a1c6b0c7d667fe68837608dd31c6a
Opcode Fuzzy Hash: a69eec76e7c296ba7609c962b725857e6da92aa7e8dfb941fa107bc908f578d8
Instruction Fuzzy Hash: 44C14DB1508340AFD724DF24D844BABBBE9EF88754F00481DF9C997350EB35A949CBA6

Function 046B812A Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 289libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 046B8171
GetProcAddress.KERNEL32(00000000), ref: 046B8174
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 046B8185
GetProcAddress.KERNEL32(00000000), ref: 046B8188
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 046B8199
GetProcAddress.KERNEL32(00000000), ref: 046B819C
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 046B81AD
GetProcAddress.KERNEL32(00000000), ref: 046B81B0
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 046B8252
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 046B826A
GetThreadContext.KERNEL32(?,00000000), ref: 046B8280
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 046B82A6
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 046B8328
TerminateProcess.KERNEL32(?,00000000), ref: 046B833C
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 046B837C
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 046B8446
SetThreadContext.KERNEL32(?,00000000), ref: 046B8463
ResumeThread.KERNEL32(?), ref: 046B8470
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 046B8487
GetCurrentProcess.KERNEL32(?), ref: 046B8492
TerminateProcess.KERNEL32(?,00000000), ref: 046B84AD
GetLastError.KERNEL32 ref: 046B84B5

Strings

ZwUnmapViewOfSection, xrefs: 046B818A
ZwClose, xrefs: 046B819E
ntdll, xrefs: 046B815C, 046B817B, 046B818F, 046B81A3
ZwMapViewOfSection, xrefs: 046B8176
ZwCreateSection, xrefs: 046B8157

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 4188446516-3035715614
Opcode ID: 3859b948e90cdf2cc186e5abd2af23dc0d6f0b82b5eec293130cd71b5f0e5838
Instruction ID: 4e7b97087542f5d30b51638f6238c8f567a226107c750c2648e8c49c0a762f9b
Opcode Fuzzy Hash: 3859b948e90cdf2cc186e5abd2af23dc0d6f0b82b5eec293130cd71b5f0e5838
Instruction Fuzzy Hash: 70A14AB1604301AFEB10DF64DC89BAABBE8FB48744F00592DF685D7291E778E844CB55

Function 00401F30 Relevance: 44.1, APIs: 22, Strings: 3, Instructions: 396filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 00401F8D
GetLastError.KERNEL32 ref: 00401FAB
GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 00401FCC
GetLastError.KERNEL32 ref: 00401FD6
CloseHandle.KERNEL32(00000000), ref: 00401FF4
CloseHandle.KERNEL32(00000000), ref: 00402060
FileTimeToSystemTime.KERNEL32(?,?), ref: 00402075
GetLastError.KERNEL32 ref: 0040207F
SystemTimeToFileTime.KERNEL32(?,?), ref: 004020E6
SystemTimeToFileTime.KERNEL32(00000000,004ED624), ref: 00402107
CompareFileTime.KERNEL32(004ED624,?), ref: 0040211D
PathFileExistsW.SHLWAPI(?), ref: 0040218C
CreateFileW.KERNEL32(?,C0000000,00000000,0000000C,00000002,00000080,00000000,S-1-5-18,10000000,00000001,S-1-1-0,10000000,00000001), ref: 00402200
GetLastError.KERNEL32 ref: 00402212
CloseHandle.KERNEL32(00000000), ref: 0040221E
CopyFileExW.KERNEL32(?,?,Function_00001DB0,?,00000000,00000000), ref: 00402256
GetLastError.KERNEL32(?,00000000,00000000), ref: 00402260
DeleteFileW.KERNEL32(?,?,00000000,00000000), ref: 00402309
MoveFileW.KERNEL32(?,?), ref: 00402314
CopyFileW.KERNEL32(?,?,00000000,?,00000000,00000000), ref: 00402324
GetLastError.KERNEL32(?,00000000,00000000), ref: 0040232E

Strings

S-1-5-18, xrefs: 004021CB
.part, xrefs: 0040215F
S-1-1-0, xrefs: 004021BA

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Time$ErrorLast$CloseHandleSystem$CopyCreate$CompareDeleteExistsMovePath
String ID: .part$S-1-1-0$S-1-5-18
API String ID: 1792433798-2727065896
Opcode ID: 0e9466f372dea999ad3f76dcdccc64536a99feefd2cd2b80c617ae8057fb602f
Instruction ID: e7e75dc81b18a953d1c93d721810014bf2d56a84cb0d319300e3cf8c54c6109c
Opcode Fuzzy Hash: 0e9466f372dea999ad3f76dcdccc64536a99feefd2cd2b80c617ae8057fb602f
Instruction Fuzzy Hash: A9F18271A002559FDF15DF64CE88BAE7BB8BF08310F14416AE901BB2D1DBB89D41CB99

Function 046AD45B Relevance: 38.8, APIs: 6, Strings: 16, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 046B288B: TerminateProcess.KERNEL32(00000000,pth_unenc,046AF903), ref: 046B289B
Part of subcall function 046B288B: WaitForSingleObject.KERNEL32(000000FF), ref: 046B28AE

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 046AD558
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 046AD56B
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 046AD584
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 046AD5B4

Part of subcall function 046AB8E7: TerminateThread.KERNEL32(046AA2B8,00000000,047152F0,pth_unenc,046AD0F3,047152D8,047152F0,?,pth_unenc), ref: 046AB8F6
Part of subcall function 046AB8E7: UnhookWindowsHookEx.USER32(047150F0), ref: 046AB902
Part of subcall function 046AB8E7: TerminateThread.KERNEL32(046AA2A2,00000000,?,pth_unenc), ref: 046AB910

Part of subcall function 046BC482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,04706478,00000000,00000000,046AD434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 046BC4C1

ShellExecuteW.SHELL32(00000000,open,00000000,04706478,04706478,00000000), ref: 046AD7FF
ExitProcess.KERNEL32 ref: 046AD80B

Strings

CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 046AD73C
wend, xrefs: 046AD6C4
On Error Resume Next, xrefs: 046AD5F4
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 046AD7AE
fso.DeleteFile ", xrefs: 046AD675
open, xrefs: 046AD7F9
\update.vbs, xrefs: 046AD5B6
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 046AD4FD
exepath, xrefs: 046AD532
Temp, xrefs: 046AD5BB
fso.DeleteFolder ", xrefs: 046AD6E6
while fso.FileExists(", xrefs: 046AD627
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 046AD4AC
""", 0, xrefs: 046AD722
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 046AD5E5
"), xrefs: 046AD610

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-1536747724
Opcode ID: 9c568b62b1b72e911ebf5c8ac22914682710a2866bd032a4d5df7a5f6f55413d
Instruction ID: 91482e420a8d8374d8aa5a6cae98773995a76517ec2d7937fb7b753b3d19f3a7
Opcode Fuzzy Hash: 9c568b62b1b72e911ebf5c8ac22914682710a2866bd032a4d5df7a5f6f55413d
Instruction Fuzzy Hash: 3591A4712047405BE318FB64D8609EF73E9AFD5608F50442DA48A932E0FF64BD59CF9A

Function 046B24B0 Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,047150E4,00000003), ref: 046B24CF
ExitProcess.KERNEL32(00000000), ref: 046B24DB
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 046B2555
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 046B2564
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 046B256F
CloseHandle.KERNEL32(00000000), ref: 046B2576
GetCurrentProcessId.KERNEL32 ref: 046B257C
PathFileExistsW.SHLWAPI(?), ref: 046B25AD
GetTempPathW.KERNEL32(00000104,?), ref: 046B2610
GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 046B262A
lstrcatW.KERNEL32(?,.exe), ref: 046B263C

Part of subcall function 046BC482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,04706478,00000000,00000000,046AD434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 046BC4C1

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 046B267C
Sleep.KERNEL32(000001F4), ref: 046B26BD
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 046B26D2
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 046B26DD
CloseHandle.KERNEL32(00000000), ref: 046B26E4
GetCurrentProcessId.KERNEL32 ref: 046B26EA

Strings

temp_, xrefs: 046B261E
WDH, xrefs: 046B2583, 046B26F1
.exe, xrefs: 046B2630
open, xrefs: 046B2676
exepath, xrefs: 046B2507

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
String ID: .exe$WDH$exepath$open$temp_
API String ID: 2649220323-3088914985
Opcode ID: 5abd8fe8f2c42360e2681da3938827ac4b1ecf5210e4f7b34bee9c8abc83a3b2
Instruction ID: 0f4d8c34a5124ee89276a1bdeda162c6e66a3690ea24d6e50acb15892051b8b3
Opcode Fuzzy Hash: 5abd8fe8f2c42360e2681da3938827ac4b1ecf5210e4f7b34bee9c8abc83a3b2
Instruction Fuzzy Hash: 5251A8B1A402156BEB14ABA0DC59FEE33ACDB45358F004199F941A72D0FF78BE858B94

Function 046BB0D8 Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 046BB1CD
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 046BB1E1
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,047060B4), ref: 046BB209
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,04714EE0,00000000), ref: 046BB21F
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 046BB260
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 046BB278
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 046BB28D
SetEvent.KERNEL32 ref: 046BB2AA
WaitForSingleObject.KERNEL32(000001F4), ref: 046BB2BB
CloseHandle.KERNEL32 ref: 046BB2CB
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 046BB2ED
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 046BB2F7

Strings

" type , xrefs: 046BB166
alias audio, xrefs: 046BB149
stopped, xrefs: 046BB293
stop audio, xrefs: 046BB2E8
pause audio, xrefs: 046BB25B
play audio, xrefs: 046BB1DC
open ", xrefs: 046BB161
resume audio, xrefs: 046BB273
close audio, xrefs: 046BB2F2
status audio mode, xrefs: 046BB288

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
API String ID: 738084811-1354618412
Opcode ID: f432dfdc4bba8f97c37e104c8f7d6e68fc1b8f3330958cc557a83350301e0d24
Instruction ID: c400f83e8ce06eac3cca339a530f63cfa15063f8ce38241a89ff078df20575a6
Opcode Fuzzy Hash: f432dfdc4bba8f97c37e104c8f7d6e68fc1b8f3330958cc557a83350301e0d24
Instruction Fuzzy Hash: 2751A3B1244244AFE718BB34DC91EFF779CDB91658F00452DB18652690FE20BD58CBAA

Function 0041BD40 Relevance: 37.7, APIs: 25, Instructions: 235windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0041BDEA
SetBkMode.GDI32(00000000,00000001), ref: 0041BDF5
SelectObject.GDI32(00000000,004CD25D), ref: 0041BE01
DrawTextW.USER32(00000000,00000000,00000000,?,?), ref: 0041BE2A
IsWindowEnabled.USER32(?), ref: 0041BE33
SetTextColor.GDI32(00000000,00000000), ref: 0041BE59
SelectObject.GDI32(00000000,004CD25D), ref: 0041BE82
DrawTextW.USER32(00000000,00000000,00000000,?,?), ref: 0041BE96
SetTextColor.GDI32(00000000,00000000), ref: 0041BEA2
SelectObject.GDI32(00000000,004CD25D), ref: 0041BEAE
DrawTextW.USER32(00000000,00000000,00000000,?,?), ref: 0041BEDF
GetFocus.USER32 ref: 0041BEE5
DrawFocusRect.USER32(00000000,?), ref: 0041BEF7
SetBkMode.GDI32(00000000,00000001), ref: 0041BF0A
IsWindowEnabled.USER32(?), ref: 0041BF13
SetTextColor.GDI32(00000000,00000000), ref: 0041BF39
SelectObject.GDI32(00000000,004CD25D), ref: 0041BF62
GetWindowLongW.USER32(?,000000F0), ref: 0041BF7A
DrawTextW.USER32(00000000,?,000000FF,?,00000000), ref: 0041BFB3
GetFocus.USER32 ref: 0041BFB9
DrawFocusRect.USER32(00000000,?), ref: 0041BFCB
SetTextColor.GDI32(00000000,?), ref: 0041BFD7
SelectObject.GDI32(00000000,?), ref: 0041BFE3

Part of subcall function 0041CA60: lstrlenW.KERNEL32(?,?,?,?,?,0041BDDC,00000000,00000000,00000000,?,?), ref: 0041CAAB
Part of subcall function 0041CA60: CompareStringW.KERNEL32(00000400,00000001,?,00000003,<A>,00000003,?,?,?,?,?,0041BDDC,00000000,00000000,00000000,?), ref: 0041CAE1

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Text$Draw$ObjectSelect$ColorFocus$RectWindow$EnabledMode$ClientCompareLongStringlstrlen
String ID:
API String ID: 516339513-0
Opcode ID: f9cb10e944891a58f2877bd8dc36cbc5baff937ef3f6b2c12a510f4dd16595c0
Instruction ID: 2c980b3703f5cc2d7d0cf76392f31b2ec9cdadedb7d224bd9ed30f3d005f4212
Opcode Fuzzy Hash: f9cb10e944891a58f2877bd8dc36cbc5baff937ef3f6b2c12a510f4dd16595c0
Instruction Fuzzy Hash: 5D917F71800648EFDB159F94CE88BEEBBF9FF04300F144129FA069A6A1D775A881CF94

Function 046AD0D1 Relevance: 37.0, APIs: 6, Strings: 15, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 046B288B: TerminateProcess.KERNEL32(00000000,pth_unenc,046AF903), ref: 046B289B
Part of subcall function 046B288B: WaitForSingleObject.KERNEL32(000000FF), ref: 046B28AE

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,047152F0,?,pth_unenc), ref: 046AD1E0
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 046AD1F3
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,047152F0,?,pth_unenc), ref: 046AD223
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,047152F0,?,pth_unenc), ref: 046AD232

Part of subcall function 046AB8E7: TerminateThread.KERNEL32(046AA2B8,00000000,047152F0,pth_unenc,046AD0F3,047152D8,047152F0,?,pth_unenc), ref: 046AB8F6
Part of subcall function 046AB8E7: UnhookWindowsHookEx.USER32(047150F0), ref: 046AB902
Part of subcall function 046AB8E7: TerminateThread.KERNEL32(046AA2A2,00000000,?,pth_unenc), ref: 046AB910

Part of subcall function 046BBA09: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,04706478,046AD248,.vbs,?,?,?,?,?,047152F0), ref: 046BBA30

ShellExecuteW.SHELL32(00000000,open,00000000,04706478,04706478,00000000), ref: 046AD44D
ExitProcess.KERNEL32 ref: 046AD454

Strings

wend, xrefs: 046AD39F
On Error Resume Next, xrefs: 046AD2CF
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 046AD3FC
pth_unenc, xrefs: 046AD0D7
fso.DeleteFile ", xrefs: 046AD350
open, xrefs: 046AD447
.vbs, xrefs: 046AD23C
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 046AD173
exepath, xrefs: 046AD1BC
Temp, xrefs: 046AD281
fso.DeleteFolder ", xrefs: 046AD3C5
while fso.FileExists(", xrefs: 046AD303
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 046AD122
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 046AD2C0
"), xrefs: 046AD2EC

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-3018399277
Opcode ID: ca695aa9fe2b314591eedba3621bb7243828fe3a879e8bd5bab90c433f30b6db
Instruction ID: 4b0459db0cc492782fb07d692369f279710528473ae3833d10554cbbd15d2d06
Opcode Fuzzy Hash: ca695aa9fe2b314591eedba3621bb7243828fe3a879e8bd5bab90c433f30b6db
Instruction Fuzzy Hash: C281C1716087405BE318FB64D8609EF73E9AF92208F10482DE486572E0FF64BD59CF9A

Function 046A1A6D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 046A1AD9
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 046A1B03
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 046A1B13
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 046A1B23
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 046A1B33
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 046A1B43
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 046A1B54
WriteFile.KERNEL32(00000000,04712AAA,00000002,00000000,00000000), ref: 046A1B65
WriteFile.KERNEL32(00000000,04712AAC,00000004,00000000,00000000), ref: 046A1B75
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 046A1B85
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 046A1B96
WriteFile.KERNEL32(00000000,04712AB6,00000002,00000000,00000000), ref: 046A1BA7
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 046A1BB7
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 046A1BC7

Strings

fmt , xrefs: 046A1B2D
data, xrefs: 046A1BB1
WAVE, xrefs: 046A1B1D
RIFF, xrefs: 046A1AFD

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: aae025fb5c0398e0a706e718f5c093c1a39c7c5e052c9c54475d1176534543ff
Instruction ID: 5e89f9c048dd7d0830ae5d52f25e5fae4bf25993b4255370d743d8475c0bbaa5
Opcode Fuzzy Hash: aae025fb5c0398e0a706e718f5c093c1a39c7c5e052c9c54475d1176534543ff
Instruction Fuzzy Hash: 2D4160B26442087FE210DA51DC85FBB7FECEB85F50F40441AFA44D6181E7A4A909DBB3

Function 046A72AB Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe,00000001,046A7688,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe,00000003,046A76B0,047152D8,046A7709), ref: 046A72BF
GetProcAddress.KERNEL32(00000000), ref: 046A72C8
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 046A72DD
GetProcAddress.KERNEL32(00000000), ref: 046A72E0
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 046A72F1
GetProcAddress.KERNEL32(00000000), ref: 046A72F4
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 046A7305
GetProcAddress.KERNEL32(00000000), ref: 046A7308
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 046A7319
GetProcAddress.KERNEL32(00000000), ref: 046A731C
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 046A732D
GetProcAddress.KERNEL32(00000000), ref: 046A7330

Strings

ntdll.dll, xrefs: 046A72B3, 046A72BE, 046A72DC, 046A72F0, 046A7304, 046A7318, 046A732C
RtlAcquirePebLock, xrefs: 046A72FF
C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, xrefs: 046A72AC
NtFreeVirtualMemory, xrefs: 046A72EB
NtAllocateVirtualMemory, xrefs: 046A72D7
LdrEnumerateLoadedModules, xrefs: 046A7327
RtlInitUnicodeString, xrefs: 046A72B9
RtlReleasePebLock, xrefs: 046A7313

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-350061843
Opcode ID: c41a211ed7bde23614f435e2bed2a75b4a2f1d0b1b1bead9d00967de89f339a0
Instruction ID: 12eab0dcc6a5819692693408cee852abd3a1ab38b9ae4eb50d518ee5a7aa5e3e
Opcode Fuzzy Hash: c41a211ed7bde23614f435e2bed2a75b4a2f1d0b1b1bead9d00967de89f339a0
Instruction Fuzzy Hash: 3501B1F0F41716A69B216B7AAC64D0B6EEDDF502553008867B800E2353FEBCEC10CE64

Function 00422F10 Relevance: 30.1, APIs: 9, Strings: 8, Instructions: 347COMMON

Download Yara Rule

Strings

ps1, xrefs: 00422FD4, 00422FE4
txt, xrefs: 00422FF8
Unable to find file , xrefs: 00422F46
Unable to get a temp file for script output, temp path: , xrefs: 00423041
Unable to retrieve exit code from process., xrefs: 004232C1
Unable to retrieve PowerShell output from file: , xrefs: 0042329E
Unable to create process: , xrefs: 00423142
powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new, xrefs: 0042309D

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Unable to create process: $Unable to find file $Unable to get a temp file for script output, temp path: $Unable to retrieve PowerShell output from file: $Unable to retrieve exit code from process.$powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new$ps1$txt
API String ID: 0-4129021124
Opcode ID: c692b40d92048e3b7a0df00ada8a2a4575ee1fe6ca06f03cbd9019e7215ce75d
Instruction ID: 8fca4b158ec15318c5540a828615c12e9e6b570026fefc036ef6483ce5bf34f2
Opcode Fuzzy Hash: c692b40d92048e3b7a0df00ada8a2a4575ee1fe6ca06f03cbd9019e7215ce75d
Instruction Fuzzy Hash: CCD1B171E00659EFDB10DFA4CD45BAEBBB8EF08314F14815AE511B72D1DB789A01CBA8

Function 0041C010 Relevance: 30.1, APIs: 12, Strings: 5, Instructions: 316stringCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000008), ref: 0041C075
lstrcmpiW.KERNEL32(?,static), ref: 0041C088
GetWindowLongW.USER32(?,000000F0), ref: 0041C096
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0041C0AD
GetWindowLongW.USER32(?,000000F0), ref: 0041C0B7
LoadCursorW.USER32(00000000,00007F89), ref: 0041C0FD
SystemParametersInfoW.USER32(0000001F,0000005C,?,00000000), ref: 0041C13A
CreateFontIndirectW.GDI32(?), ref: 0041C147
CreateWindowExW.USER32(00000000,tooltips_class32,00000000,00000000,80000000,80000000,00000000,-00515B9C,?,00000000,00000000), ref: 0041C1A9
GetWindowTextLengthW.USER32(?), ref: 0041C1D1
GetWindowTextW.USER32(?,?,?), ref: 0041C255

Strings

static, xrefs: 0041C07F
Anchor Color Visited, xrefs: 0041C3C5
Anchor Color, xrefs: 0041C357
Software\Microsoft\Internet Explorer\Settings, xrefs: 0041C2FD
tooltips_class32, xrefs: 0041C1A2

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Long$CreateText$ClassCursorFontIndirectInfoLengthLoadNameParametersSystemlstrcmpi
String ID: Anchor Color$Anchor Color Visited$Software\Microsoft\Internet Explorer\Settings$static$tooltips_class32
API String ID: 1715782676-2451883503
Opcode ID: 043b84f6f711704407ea80dfce993d29bf5ac0002511e5b26b5ce181ace7a093
Instruction ID: 725937723d1a965ef6c1e8503389826acca56894c70765643222f210e7e60ed4
Opcode Fuzzy Hash: 043b84f6f711704407ea80dfce993d29bf5ac0002511e5b26b5ce181ace7a093
Instruction Fuzzy Hash: 21C16F71940228EFDB20CF64CD85BEAB7B9FB09710F1042AAE945E7290D774AD84CF59

Function 046ACE34 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 203fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 046ACE42
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,047150E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 046ACE5B
CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe,00000000,00000000,00000000,00000000,00000000,?,047150E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 046ACF0B
_wcslen.LIBCMT ref: 046ACF21
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 046ACFA9
CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe,00000000,00000000), ref: 046ACFBF
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 046ACFFE
_wcslen.LIBCMT ref: 046AD001
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 046AD018
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,047150E4,0000000E), ref: 046AD068
ShellExecuteW.SHELL32(00000000,open,00000000,04706478,04706478,00000001), ref: 046AD086
ExitProcess.KERNEL32 ref: 046AD09D

Strings

del, xrefs: 046AD030
C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, xrefs: 046ACECC, 046ACED1, 046ACF04, 046ACFB9, 046ACFBE, 046ACFC5, 046AD026
open, xrefs: 046AD07F
6, xrefs: 046ACF15

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
String ID: 6$C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe$del$open
API String ID: 1579085052-1754265594
Opcode ID: b0ef6e7a64aecb3bf2c94f496171afa2e20f0254bbf4fe0d7c842c66a1597a83
Instruction ID: 2021082dd1894bfa1f8f0f076d7b6d3160295e85b93ad892f4e0463e9bdfe24d
Opcode Fuzzy Hash: b0ef6e7a64aecb3bf2c94f496171afa2e20f0254bbf4fe0d7c842c66a1597a83
Instruction Fuzzy Hash: 8E51CEA1208B806BF718BB389C50EBE67D9AF9161DF40041CF54697290FF54BD258F6E

Function 046BC0AC Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 046BC0C7
_memcmp.LIBVCRUNTIME ref: 046BC0DF
lstrlenW.KERNEL32(?), ref: 046BC0F8
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 046BC133
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 046BC146
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 046BC18A
lstrcmpW.KERNEL32(?,?), ref: 046BC1A5
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 046BC1BD
_wcslen.LIBCMT ref: 046BC1CC
FindVolumeClose.KERNEL32(?), ref: 046BC1EC
GetLastError.KERNEL32 ref: 046BC204
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 046BC231
lstrcatW.KERNEL32(?,?), ref: 046BC24A
lstrcpyW.KERNEL32(?,?), ref: 046BC259
GetLastError.KERNEL32 ref: 046BC261

Strings

?, xrefs: 046BC15E

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: 6720b9dfff4b15cf8fe8ff3e783221aac96cc5db913726820f2dfb4cc6717084
Instruction ID: 0b58b8009c60028ff55107a71f6e84a8326bacae8a8a95fb8ba13e50f1fd1882
Opcode Fuzzy Hash: 6720b9dfff4b15cf8fe8ff3e783221aac96cc5db913726820f2dfb4cc6717084
Instruction Fuzzy Hash: 434151B15083069BD720DFA4D848ADBB7ECEB95754F00092EF685D2250F774EA89C7E2

Function 046EF4AD Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 046EF53F
_free.LIBCMT ref: 046EF565
_free.LIBCMT ref: 046EF58E
_free.LIBCMT ref: 046EF5C6
_free.LIBCMT ref: 046EF5F7
_free.LIBCMT ref: 046EF638
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 046EF6B9
_free.LIBCMT ref: 046EF6D2
_wcschr.LIBVCRUNTIME ref: 046EF70F
_free.LIBCMT ref: 046EF77B
_free.LIBCMT ref: 046EF7A1
_free.LIBCMT ref: 046EF7CA
_free.LIBCMT ref: 046EF7FF
_free.LIBCMT ref: 046EF830
_free.LIBCMT ref: 046EF871
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 046EF8F6
_free.LIBCMT ref: 046EF90F

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 49284d20bdf2a764558782ef479e71e4bc95940dfbb6356bd78ad1b055e1150a
Instruction ID: ec808a18959dc86ebe8ccde930b86b127cd0fbe41b819782b995c2b8f3487add
Opcode Fuzzy Hash: 49284d20bdf2a764558782ef479e71e4bc95940dfbb6356bd78ad1b055e1150a
Instruction Fuzzy Hash: F8D119B1A03300BBEB28AF7AD850ABA77E4DF25314F4441ADE945A7381F735B9028794

Function 046B4DC1 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 046B4E10
LoadLibraryA.KERNEL32(?), ref: 046B4E52
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 046B4E72
FreeLibrary.KERNEL32(00000000), ref: 046B4E79
LoadLibraryA.KERNEL32(?), ref: 046B4EB1
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 046B4EC3
FreeLibrary.KERNEL32(00000000), ref: 046B4ECA
GetProcAddress.KERNEL32(00000000,?), ref: 046B4ED9
FreeLibrary.KERNEL32(00000000), ref: 046B4EF0

Strings

\ws2_32, xrefs: 046B4E3A
getaddrinfo, xrefs: 046B4DCE, 046B4E6C, 046B4EBD
getnameinfo, xrefs: 046B4DDD
\wship6, xrefs: 046B4E99
freeaddrinfo, xrefs: 046B4DED

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-744132762
Opcode ID: 8c7f6d1ee9f32ad64c0ae55c0d018c894d8d6c7baac944a7d69316e8cc90dfdf
Instruction ID: 016873dd9736e12d0ec62f1847ab3f57f5197ac991faafda863c3f1f835d0c1c
Opcode Fuzzy Hash: 8c7f6d1ee9f32ad64c0ae55c0d018c894d8d6c7baac944a7d69316e8cc90dfdf
Instruction Fuzzy Hash: 4231F3B1802315ABD321DF58CC88EDB77DCEB84754F000618E88497341EB34F9858BE6

Function 00422220 Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 227libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00422513
GetProcAddress.KERNEL32(00000000), ref: 0042251A
GetCurrentProcess.KERNEL32(?), ref: 00422551

Strings

Software\Microsoft\Windows NT\CurrentVersion, xrefs: 0042228E
kernel32, xrefs: 0042250E
CSDVersion, xrefs: 00422468
@~Q, xrefs: 00422484
CurrentMajorVersionNumber, xrefs: 004222CE
ReleaseId, xrefs: 00422413
CurrentVersion, xrefs: 00422324
CurrentBuildNumber, xrefs: 0042239D
IsWow64Process, xrefs: 00422509
CurrentMinorVersionNumber, xrefs: 004222F1

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: @~Q$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32
API String ID: 4190356694-3447640927
Opcode ID: e2749d38b81d8b4bf75f3840135c3c92b1c3a3e9e9ec64d1ee4cfd8bdcd8ae86
Instruction ID: 1bbe1d699178f18a9e826662ab678ca5a7ec6dc6a39511ee267ccadebd2a30fe
Opcode Fuzzy Hash: e2749d38b81d8b4bf75f3840135c3c92b1c3a3e9e9ec64d1ee4cfd8bdcd8ae86
Instruction Fuzzy Hash: C3A1B67190022CAFDB20CF24DD45BEAB7B9FB54715F4042E6E409A7290D7B95E98CF48

Function 046BC720 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 046BC742
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 046BC786
RegCloseKey.ADVAPI32(?), ref: 046BCA50

Strings

DisplayVersion, xrefs: 046BC7F9
Publisher, xrefs: 046BC7E2
UninstallString, xrefs: 046BC835
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 046BC738
InstallLocation, xrefs: 046BC80D
InstallDate, xrefs: 046BC821
DisplayName, xrefs: 046BC7CD

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 0d32311487e5ee96220fb4baf8fa82fe064dfa1bc4345dfd264733d63dcd4469
Instruction ID: 8439e8d11a9db4eb6876dc5105a7d6818e0a071bc9aded7f7b98f5ec56fa2e99
Opcode Fuzzy Hash: 0d32311487e5ee96220fb4baf8fa82fe064dfa1bc4345dfd264733d63dcd4469
Instruction Fuzzy Hash: CD8110711086409BE725EB10D850EEFB3E9BF95308F50492DA5C982290FF30BE59CF96

Function 046BD620 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 046BD66B
GetCursorPos.USER32(?), ref: 046BD67A
SetForegroundWindow.USER32(?), ref: 046BD683
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 046BD69D
Shell_NotifyIconA.SHELL32(00000002,04714B48), ref: 046BD6EE
ExitProcess.KERNEL32 ref: 046BD6F6
CreatePopupMenu.USER32 ref: 046BD6FC
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 046BD711

Strings

Close, xrefs: 046BD702

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: c86356ef3bc1f6be614f9ea5f56612741a4cc641176a62291149f9455f25bd4c
Instruction ID: a8048874f08c04b23fb81394c6d9344e5c63bcfff347b1b3391049bbfa75d28b
Opcode Fuzzy Hash: c86356ef3bc1f6be614f9ea5f56612741a4cc641176a62291149f9455f25bd4c
Instruction Fuzzy Hash: E62117B2200209EFDB195FA4ED1EFE93F75EB14301F005124B686991B0F779ADA4EB50

Function 046E5DD7 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 046E5E47
_free.LIBCMT ref: 046E5E5D
_free.LIBCMT ref: 046E5E6E
_free.LIBCMT ref: 046E5E7F
_free.LIBCMT ref: 046E5E96
GetCPInfo.KERNEL32(?,?), ref: 046E5EDE

Part of subcall function 046F2EF4: _free.LIBCMT ref: 046F2F5F

_free.LIBCMT ref: 046E608A
_free.LIBCMT ref: 046E609D
_free.LIBCMT ref: 046E60AB
_free.LIBCMT ref: 046E60B6
_free.LIBCMT ref: 046E60F8
_free.LIBCMT ref: 046E6100
_free.LIBCMT ref: 046E6108
_free.LIBCMT ref: 046E6110
_free.LIBCMT ref: 046E611E

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 10b31e6a9385a547b0288795f8e672ce8f940d8b400f220365a60d257b87bb03
Instruction ID: dc69e3b1f0c0eb9f67ed311a77da0fdf4b8d39061c712845194307981f1a480b
Opcode Fuzzy Hash: 10b31e6a9385a547b0288795f8e672ce8f940d8b400f220365a60d257b87bb03
Instruction Fuzzy Hash: FDB1C071902205AFEB21DFAAC880BFEBBF4BF28304F54456DE495A7341E775A8418B64

Function 00422B90 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 311fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004046F0: GetProcessHeap.KERNEL32 ref: 00404745

SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,-00000010,?,?,?,?,004CE548,000000FF), ref: 00422C3C
PathAppendW.SHLWAPI(00000000,WindowsPowerShell\v1.0\powershell.exe,?,?,?,?,004CE548,000000FF), ref: 00422C4F
PathFileExistsW.SHLWAPI(00000000,?,?,?,?,004CE548,000000FF), ref: 00422C5D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,ps1,ps1,?,?,00000000,?,BB40E64E), ref: 00422DE2
WriteFile.KERNEL32(00000000,BB40E64E,00000002,00000000,00000000), ref: 00422E28
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 00422E45
CloseHandle.KERNEL32(00000000), ref: 00422E5F
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 00422E9E

Strings

Unable to get temp file , xrefs: 00422DC3
ps1, xrefs: 00422D54, 00422D64, 00422D78
WindowsPowerShell\v1.0\powershell.exe, xrefs: 00422C46
Unable to save script file , xrefs: 00422E6E

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Path$CloseHandleWrite$AppendCreateExistsFolderHeapProcess
String ID: Unable to get temp file $Unable to save script file $WindowsPowerShell\v1.0\powershell.exe$ps1
API String ID: 349229100-1956641645
Opcode ID: 7ad45c2368c71d2fe85578560d2da3d39e7b9b3ff89c9399797463821e113581
Instruction ID: d42f0efcad36aa42f27c1db0039ee6102bbf436bb604ab8bbebb73ac5189c64d
Opcode Fuzzy Hash: 7ad45c2368c71d2fe85578560d2da3d39e7b9b3ff89c9399797463821e113581
Instruction Fuzzy Hash: 66A14C71A00245EFDB10DF68DD45BAEB7B8EF44314F14416EE911AB3C2DBB89A05CB98

Function 046F1346 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 046F138A

Part of subcall function 046F0582: _free.LIBCMT ref: 046F059F
Part of subcall function 046F0582: _free.LIBCMT ref: 046F05B1
Part of subcall function 046F0582: _free.LIBCMT ref: 046F05C3
Part of subcall function 046F0582: _free.LIBCMT ref: 046F05D5
Part of subcall function 046F0582: _free.LIBCMT ref: 046F05E7
Part of subcall function 046F0582: _free.LIBCMT ref: 046F05F9
Part of subcall function 046F0582: _free.LIBCMT ref: 046F060B
Part of subcall function 046F0582: _free.LIBCMT ref: 046F061D
Part of subcall function 046F0582: _free.LIBCMT ref: 046F062F
Part of subcall function 046F0582: _free.LIBCMT ref: 046F0641
Part of subcall function 046F0582: _free.LIBCMT ref: 046F0653
Part of subcall function 046F0582: _free.LIBCMT ref: 046F0665
Part of subcall function 046F0582: _free.LIBCMT ref: 046F0677

_free.LIBCMT ref: 046F137F

Part of subcall function 046E6802: RtlFreeHeap.NTDLL(00000000,00000000,?,046F0CEF,00000000,00000000,00000000,00000000,?,046F0F93,00000000,00000007,00000000,?,046F14DE,00000000), ref: 046E6818
Part of subcall function 046E6802: GetLastError.KERNEL32(00000000,?,046F0CEF,00000000,00000000,00000000,00000000,?,046F0F93,00000000,00000007,00000000,?,046F14DE,00000000,00000000), ref: 046E682A

_free.LIBCMT ref: 046F13A1
_free.LIBCMT ref: 046F13B6
_free.LIBCMT ref: 046F13C1
_free.LIBCMT ref: 046F13E3
_free.LIBCMT ref: 046F13F6
_free.LIBCMT ref: 046F1404
_free.LIBCMT ref: 046F140F
_free.LIBCMT ref: 046F1447
_free.LIBCMT ref: 046F144E
_free.LIBCMT ref: 046F146B
_free.LIBCMT ref: 046F1483

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 995f4781f2097ad0a06e5ff7a1a045ae814a33debc7706cb378cbc51c9d29182
Instruction ID: b31de653d808ade7b5c15cf1a334edd28fd0761f9c835a5b8bbd92112b4d1c16
Opcode Fuzzy Hash: 995f4781f2097ad0a06e5ff7a1a045ae814a33debc7706cb378cbc51c9d29182
Instruction Fuzzy Hash: 16316E72501700DEFB249E3ADC45BAA73E8AB52394FA0892DE5D8D6250FB70BD408B24

Function 046A8BB5 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 328fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 046A8D1E
GetFileSizeEx.KERNEL32(00000000,?), ref: 046A8D56
__aulldiv.LIBCMT ref: 046A8D88

Part of subcall function 046A4AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 046A4B36

Part of subcall function 046BB580: GetLocalTime.KERNEL32(00000000), ref: 046BB59A

SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 046A8EAB
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 046A8EC6
CloseHandle.KERNEL32(00000000), ref: 046A8F9F
CloseHandle.KERNEL32(00000000,00000052), ref: 046A8FE9
CloseHandle.KERNEL32(00000000), ref: 046A9037

Strings

SetFilePointerEx error, xrefs: 046A900F
Uploading file to Controller: , xrefs: 046A8E10
ReadFile error, xrefs: 046A9003

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
API String ID: 3086580692-2596673759
Opcode ID: b87abc1015207b1c4d35e559f70aaca5e3675c155062c66135c3f0ea006d8fcb
Instruction ID: 2465de5cd7b036b8d4988197d98e009731a58e971d522a995e70cfc5acbbec29
Opcode Fuzzy Hash: b87abc1015207b1c4d35e559f70aaca5e3675c155062c66135c3f0ea006d8fcb
Instruction Fuzzy Hash: EEB1AD716087409BE314FB24C890AAFB7E5AF94258F40491DF58A43290FF70BD69CF9A

Function 046F0680 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 046F06C8
_free.LIBCMT ref: 046F06EC
_free.LIBCMT ref: 046F06F9
_free.LIBCMT ref: 046F071E
_free.LIBCMT ref: 046F072B
_free.LIBCMT ref: 046F0734
_free.LIBCMT ref: 046F0A12
_free.LIBCMT ref: 046F0A1A

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e55f75b7104339ee0a4b2cd8842c8e7924c58613233ff64221896d2527e67b64
Instruction ID: cb87be54870f368c914237a5df21aa154400c1b9da37de268abf34d33b061779
Opcode Fuzzy Hash: e55f75b7104339ee0a4b2cd8842c8e7924c58613233ff64221896d2527e67b64
Instruction Fuzzy Hash: 35C13572E41204ABEB20DBA8DC42FAF77F8AB14704F544165FB44FB282F670AD459B64

Function 046A4E26 Relevance: 18.1, APIs: 12, Instructions: 65synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000000,04714EF8,?,00000000,04714EF8,046A4CA8,00000000,?,?,00000000,04714EF8,046A4AC9), ref: 046A4E38
SetEvent.KERNEL32(?,?,00000000,04714EF8,046A4CA8,00000000,?,?,00000000,04714EF8,046A4AC9), ref: 046A4E43
CloseHandle.KERNEL32(?,?,00000000,04714EF8,046A4CA8,00000000,?,?,00000000,04714EF8,046A4AC9), ref: 046A4E4C
closesocket.WS2_32(?), ref: 046A4E5A
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,04714EF8,046A4CA8,00000000,?,?,00000000,04714EF8,046A4AC9), ref: 046A4E91
SetEvent.KERNEL32(?,?,00000000,04714EF8,046A4CA8,00000000,?,?,00000000,04714EF8,046A4AC9), ref: 046A4EA2
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,04714EF8,046A4CA8,00000000,?,?,00000000,04714EF8,046A4AC9), ref: 046A4EA9
SetEvent.KERNEL32(?,?,00000000,04714EF8,046A4CA8,00000000,?,?,00000000,04714EF8,046A4AC9), ref: 046A4EBA
CloseHandle.KERNEL32(?,?,00000000,04714EF8,046A4CA8,00000000,?,?,00000000,04714EF8,046A4AC9), ref: 046A4EBF
CloseHandle.KERNEL32(?,?,00000000,04714EF8,046A4CA8,00000000,?,?,00000000,04714EF8,046A4AC9), ref: 046A4EC4
SetEvent.KERNEL32(?,?,00000000,04714EF8,046A4CA8,00000000,?,?,00000000,04714EF8,046A4AC9), ref: 046A4ED1
CloseHandle.KERNEL32(?,?,00000000,04714EF8,046A4CA8,00000000,?,?,00000000,04714EF8,046A4AC9), ref: 046A4ED6

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID:
API String ID: 3658366068-0
Opcode ID: 58e8827699ab631feec72469a08b1c7d6da3f2ae834f3bf204dd9fd7f93b9ece
Instruction ID: dbeea141318408de71ccc3a5a5ba3218285790d244c4e32ad4ccf029b1f5dabd
Opcode Fuzzy Hash: 58e8827699ab631feec72469a08b1c7d6da3f2ae834f3bf204dd9fd7f93b9ece
Instruction Fuzzy Hash: E9212C71154B009FDB316B25DD48B26BBA1FF40329F114A1DE1E201AF0DB65BC25DF54

Function 046B2AEF Relevance: 18.0, APIs: 9, Strings: 1, Instructions: 482sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 046B2B08

Part of subcall function 046BBA09: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,04706478,046AD248,.vbs,?,?,?,?,?,047152F0), ref: 046BBA30

Part of subcall function 046B85A3: CloseHandle.KERNEL32(046A40F5,?,?,046A40F5,04705E84), ref: 046B85B9
Part of subcall function 046B85A3: CloseHandle.KERNEL32(04705E84,?,?,046A40F5,04705E84), ref: 046B85C2

Sleep.KERNEL32(0000000A,04705E84), ref: 046B2C5A
Sleep.KERNEL32(0000000A,04705E84,04705E84), ref: 046B2CFC
Sleep.KERNEL32(0000000A,04705E84,04705E84,04705E84), ref: 046B2D9E
DeleteFileW.KERNEL32(00000000,04705E84,04705E84,04705E84), ref: 046B2E00
DeleteFileW.KERNEL32(00000000,04705E84,04705E84,04705E84), ref: 046B2E37
DeleteFileW.KERNEL32(00000000,04705E84,04705E84,04705E84), ref: 046B2E73
Sleep.KERNEL32(000001F4,04705E84,04705E84,04705E84), ref: 046B2E8D
Sleep.KERNEL32(00000064), ref: 046B2ECF

Part of subcall function 046A4AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 046A4B36

Strings

/stext ", xrefs: 046B2BE5, 046B2C87, 046B2D29

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "
API String ID: 1223786279-3856184850
Opcode ID: d70fc1ff97203559ae3979d5b155f8b7fb9c6f44327d2074e0279de54bfc246a
Instruction ID: 9d18120ad3497c4a6083138d509ca5f05e80f56ec87d99d55e30e6276e693006
Opcode Fuzzy Hash: d70fc1ff97203559ae3979d5b155f8b7fb9c6f44327d2074e0279de54bfc246a
Instruction Fuzzy Hash: DF0234315487808AE328FB60D8A0AEFB3E5AF95208F50491DD48A47190FF707E9DCF5A

Function 046F5C5B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 046F5929: CreateFileW.KERNEL32(00000000,00000000,?,046F5D04,?,?,00000000,?,046F5D04,00000000,0000000C), ref: 046F5946

GetLastError.KERNEL32 ref: 046F5D6F
__dosmaperr.LIBCMT ref: 046F5D76
GetFileType.KERNEL32(00000000), ref: 046F5D82
GetLastError.KERNEL32 ref: 046F5D8C
__dosmaperr.LIBCMT ref: 046F5D95
CloseHandle.KERNEL32(00000000), ref: 046F5DB5
CloseHandle.KERNEL32(?), ref: 046F5EFF
GetLastError.KERNEL32 ref: 046F5F31
__dosmaperr.LIBCMT ref: 046F5F38

Strings

H, xrefs: 046F5EBD

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 1cb0ffd48ea96c8a70e1b43a52817ddf6c36abbfe54fa88ef0db496eefb86605
Instruction ID: ac2c47c3000c13ecf9e32003b03c12e8d5aa61cf638bfcca6018980f493a4a97
Opcode Fuzzy Hash: 1cb0ffd48ea96c8a70e1b43a52817ddf6c36abbfe54fa88ef0db496eefb86605
Instruction Fuzzy Hash: 1AA14432A14148AFDF19DF68DC547AE7BE0EB06324F14414DE992AB392EB34AC12CB55

Function 046B4BEB Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

65535, xrefs: 046B4BEE
udp, xrefs: 046B4C9B, 046B4CA3, 046B4CA7

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: 416c75957ce8c706a5ba7d2fbbd71f3016cea37f680ea6aaec130a8be406b616
Instruction ID: e1eefc82dcc79c1be25407585ab3a8a8694cdeca4ad2bb452f05eedb18b48576
Opcode Fuzzy Hash: 416c75957ce8c706a5ba7d2fbbd71f3016cea37f680ea6aaec130a8be406b616
Instruction Fuzzy Hash: EF51C271605301BBD7259A14C908BFA77E8EF94B44F04062EF9C196382FF24E8C197D2

Function 046AD83A Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 046B288B: TerminateProcess.KERNEL32(00000000,pth_unenc,046AF903), ref: 046B289B
Part of subcall function 046B288B: WaitForSingleObject.KERNEL32(000000FF), ref: 046B28AE

Part of subcall function 046B3733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,047152F0), ref: 046B374F
Part of subcall function 046B3733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 046B3768
Part of subcall function 046B3733: RegCloseKey.KERNEL32(00000000), ref: 046B3773

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 046AD894
ShellExecuteW.SHELL32(00000000,open,00000000,04706478,04706478,00000000), ref: 046AD9F3
ExitProcess.KERNEL32 ref: 046AD9FF

Strings

Temp, xrefs: 046AD8D5
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 046AD934
""", 0, xrefs: 046AD91C
open, xrefs: 046AD9ED
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 046AD9A2
.vbs, xrefs: 046AD89A
exepath, xrefs: 046AD86C

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-2411266221
Opcode ID: 31b21b6fa224f01f7d5f10059a6ab99e31fb23dfa9ebe5951f381f4d61b06846
Instruction ID: b097d5ab091404587cee82a37a93f5dae3a368dcfe1d6570f2642c77dfb8840b
Opcode Fuzzy Hash: 31b21b6fa224f01f7d5f10059a6ab99e31fb23dfa9ebe5951f381f4d61b06846
Instruction Fuzzy Hash: D64162719005589BEB18F764DC55DFEB3B9AF51608F40416DE406A3290FF207EAACE98

Function 0040E530 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ComCtl32.dll,BB40E64E,00000000,?,?,80004005), ref: 0040E56A
GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 0040E590
GetSystemMetrics.USER32(0000000C), ref: 0040E5D0
GetSystemMetrics.USER32(0000000B), ref: 0040E5E8
LoadImageW.USER32(?,?,00000001,00000000,00000000,8}Q), ref: 0040E5FB
FreeLibrary.KERNEL32(00000000), ref: 0040E619

Strings

LoadIconMetric, xrefs: 0040E58A
ComCtl32.dll, xrefs: 0040E55E
8}Q, xrefs: 0040E5EE
8}Q, xrefs: 0040E54F

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoadMetricsSystem$AddressFreeImageProc
String ID: 8}Q$8}Q$ComCtl32.dll$LoadIconMetric
API String ID: 1983857168-2713985652
Opcode ID: dd372ac83a70f1638904b875ca29fd3036f09630c3c4cfa8273b38f887a47247
Instruction ID: 2f6354482e5b4daa6eb24b6bb56d5beb77485f2c9d248e1dd729dfed3153e01b
Opcode Fuzzy Hash: dd372ac83a70f1638904b875ca29fd3036f09630c3c4cfa8273b38f887a47247
Instruction Fuzzy Hash: EF319C71A00259EFDB108FA5CD58BAFBBB8FB44751F10463AE815A73D0E7B94D048BA4

Function 0041D2C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 0041D2DE
GetParent.USER32 ref: 0041D2F3
GetDlgCtrlID.USER32(?), ref: 0041D2FE
SendMessageW.USER32(00000000,0000004E,00000000,?), ref: 0041D30D
GetParent.USER32(?), ref: 0041D326
GetDlgCtrlID.USER32(?), ref: 0041D332
SendMessageW.USER32(00000000,00000111,?,?), ref: 0041D343

Strings

open, xrefs: 0041D35B

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Ctrl$MessageParentSend
String ID: open
API String ID: 1194393872-2758837156
Opcode ID: 7db86b2ee923ae4809a3303b51982e4960cead85fd83c4e4b09c35211e5c9e0c
Instruction ID: c55c276102c4a995057dfe8b7830552e604b44e3d6465a68b9c81adfffe5fed8
Opcode Fuzzy Hash: 7db86b2ee923ae4809a3303b51982e4960cead85fd83c4e4b09c35211e5c9e0c
Instruction Fuzzy Hash: 792183751802417FD3004B14ED46FD5B7ACFB49311F000126FD14C72A0C3F99859DBA5

Function 046DA8BA Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,046A1D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 046DA912
GetLastError.KERNEL32(?,?,046A1D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 046DA91F
__dosmaperr.LIBCMT ref: 046DA926
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,046A1D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 046DA952
GetLastError.KERNEL32(?,?,?,046A1D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 046DA95C
__dosmaperr.LIBCMT ref: 046DA963
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,046A1D55,?), ref: 046DA9A6
GetLastError.KERNEL32(?,?,?,?,?,?,046A1D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 046DA9B0
__dosmaperr.LIBCMT ref: 046DA9B7
_free.LIBCMT ref: 046DA9C3
_free.LIBCMT ref: 046DA9CA

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 683d7620541b2563f181e776d450de67f85fd1be1ec4a2c07fd535f71520814c
Instruction ID: d6eb506719415935954b1238b6773afc36a71e96fd783846b9359f4e90d1ec95
Opcode Fuzzy Hash: 683d7620541b2563f181e776d450de67f85fd1be1ec4a2c07fd535f71520814c
Instruction Fuzzy Hash: 0F319172D0920AABEF11AFE9CC44DAE3BA8EF05324B154119F9105A294FB35ED51DBA0

Function 0041BBF0 Relevance: 16.6, APIs: 11, Instructions: 110windowCOMMON

Download Yara Rule

APIs

SetBkMode.GDI32(00000000,00000001), ref: 0041BC3D
IsWindowEnabled.USER32(?), ref: 0041BC46
SetTextColor.GDI32(00000000,00000000), ref: 0041BC6C
SelectObject.GDI32(00000000,004CD25D), ref: 0041BC95
GetWindowLongW.USER32(?,000000F0), ref: 0041BCAD
DrawTextW.USER32(00000000,?,000000FF,?,00000000), ref: 0041BCE6
GetFocus.USER32 ref: 0041BCEC
DrawFocusRect.USER32(00000000,?), ref: 0041BD01
SetTextColor.GDI32(00000000,?), ref: 0041BD0D
SelectObject.GDI32(00000000,00000000), ref: 0041BD19

Part of subcall function 0041BD40: GetClientRect.USER32(?,?), ref: 0041BDEA
Part of subcall function 0041BD40: SetBkMode.GDI32(00000000,00000001), ref: 0041BDF5
Part of subcall function 0041BD40: SelectObject.GDI32(00000000,004CD25D), ref: 0041BE01
Part of subcall function 0041BD40: DrawTextW.USER32(00000000,00000000,00000000,?,?), ref: 0041BE2A
Part of subcall function 0041BD40: IsWindowEnabled.USER32(?), ref: 0041BE33
Part of subcall function 0041BD40: SetTextColor.GDI32(00000000,00000000), ref: 0041BE59

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Text$ColorDrawObjectSelectWindow$EnabledFocusModeRect$ClientLong
String ID:
API String ID: 1016125553-0
Opcode ID: 9e4610b95e04a6c35fd6d926c90bc0b92e3f67bbdee6171249a2b2498473feb9
Instruction ID: 52404eb7729faf50e17296b4fba035a19130a2e1f7c741a8ba77a03c05a317c8
Opcode Fuzzy Hash: 9e4610b95e04a6c35fd6d926c90bc0b92e3f67bbdee6171249a2b2498473feb9
Instruction Fuzzy Hash: 1041C231100648AFDB158F18CE48BAB7BB5FF04354F10452EF9569A6A0DB79E881CBD4

Function 046A54A0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 046A54BF
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 046A556F
TranslateMessage.USER32(?), ref: 046A557E
DispatchMessageA.USER32(?), ref: 046A5589
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,04714F78), ref: 046A5641
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 046A5679

Part of subcall function 046A4AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 046A4B36

Strings

DisplayMessage, xrefs: 046A55EC
GetMessage, xrefs: 046A55F8
CloseChat, xrefs: 046A5609

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: 9979de9a1dd78963e53891227278cef25d1ee48525c6ab15d700afd5d964189c
Instruction ID: 65254d9e9a38bfd80692304ab95aca1b80edf8af8f54bcc6de983194ede1c76d
Opcode Fuzzy Hash: 9979de9a1dd78963e53891227278cef25d1ee48525c6ab15d700afd5d964189c
Instruction Fuzzy Hash: BF41C372604A00ABEB14FB74DC549AF37E9AF86604F40492DF55293290FF38AD19CF96

Function 046B330D Relevance: 15.2, APIs: 10, Instructions: 153fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 046B3452
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 046B3460
GetFileSize.KERNEL32(?,00000000), ref: 046B346D
UnmapViewOfFile.KERNEL32(00000000), ref: 046B348D
CloseHandle.KERNEL32(00000000), ref: 046B349A
CloseHandle.KERNEL32(?), ref: 046B34A0

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$CloseHandleView$CreateMappingSizeUnmap
String ID:
API String ID: 297527592-0
Opcode ID: 27bb3fefda5164c53e294956fd18049107925e6dcf7a10957a7f93606d6c22da
Instruction ID: 384f6b69edade16d5a4ebaf870433c720f870c5ee6811b2fd38a7ebb78259717
Opcode Fuzzy Hash: 27bb3fefda5164c53e294956fd18049107925e6dcf7a10957a7f93606d6c22da
Instruction Fuzzy Hash: 3341E571604340BFE7219F64DC49FAB3BACEF85768F10052DF985D6290FA34E98487A5

Function 0041CF00 Relevance: 15.1, APIs: 10, Instructions: 131windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0041CF6D
SendMessageW.USER32(00000000,00000138,?,?), ref: 0041CF7D
GetClientRect.USER32(?,?), ref: 0041CF98
FillRect.USER32(?,?,?), ref: 0041CFA6

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$ClientFillMessageParentSend
String ID:
API String ID: 425900729-0
Opcode ID: 968f1b406a7bbec655b64d50d5ff44344a441af49ce52c340f625c28c9cf8df9
Instruction ID: 95c8759d1fb51ee54272729ad686b875d4429a9de9c7c3fe2a4429ce54ea2974
Opcode Fuzzy Hash: 968f1b406a7bbec655b64d50d5ff44344a441af49ce52c340f625c28c9cf8df9
Instruction Fuzzy Hash: 45518EB0D00248EFDB11CFA4CE44B9EBBB8FF09314F204269E814A7291D775AA40CF95

Function 046BAB9E Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,046BA517,00000000), ref: 046BABAD
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,046BA517,00000000), ref: 046BABC4
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,046BA517,00000000), ref: 046BABD1
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,046BA517,00000000), ref: 046BABE0
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,046BA517,00000000), ref: 046BABF1
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,046BA517,00000000), ref: 046BABF4

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 2d31ea07f6b753281de18f26a85e48e69c9a11787060d716a909d048b05bbdf7
Instruction ID: 0df74e4f1c9011d58e410f11fc99b20f6255d06fd9a6909f929921b69c8b323a
Opcode Fuzzy Hash: 2d31ea07f6b753281de18f26a85e48e69c9a11787060d716a909d048b05bbdf7
Instruction Fuzzy Hash: 9D11E5B19401187FD711AF649C88EFF3B6CDB82365B00101DFD8692140FB285D8AAAF1

Function 046E81A1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 046E81B5

Part of subcall function 046E6802: RtlFreeHeap.NTDLL(00000000,00000000,?,046F0CEF,00000000,00000000,00000000,00000000,?,046F0F93,00000000,00000007,00000000,?,046F14DE,00000000), ref: 046E6818
Part of subcall function 046E6802: GetLastError.KERNEL32(00000000,?,046F0CEF,00000000,00000000,00000000,00000000,?,046F0F93,00000000,00000007,00000000,?,046F14DE,00000000,00000000), ref: 046E682A

_free.LIBCMT ref: 046E81C1
_free.LIBCMT ref: 046E81CC
_free.LIBCMT ref: 046E81D7
_free.LIBCMT ref: 046E81E2
_free.LIBCMT ref: 046E81ED
_free.LIBCMT ref: 046E81F8
_free.LIBCMT ref: 046E8203
_free.LIBCMT ref: 046E820E
_free.LIBCMT ref: 046E821C

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cae114f30d8a528af438f61d929f92c7d5e6d0f6c0ef0e039cebfa0b6cb10446
Instruction ID: b0210b7b61bb7993304b0ef93e55a0ca18c4df7cb54a901347663c68c87fc33f
Opcode Fuzzy Hash: cae114f30d8a528af438f61d929f92c7d5e6d0f6c0ef0e039cebfa0b6cb10446
Instruction Fuzzy Hash: 1411E9B6502108BFEB45EF56C851CEA3BA5FF14354B814498FA488F220F771EA519B94

Function 0041F991 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 290libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetPackagePath), ref: 0041FB1D
GetProcAddress.KERNEL32(?,GetPackagePath), ref: 0041FB86
GetLastError.KERNEL32 ref: 0041FBB0
FreeLibrary.KERNEL32(?), ref: 0041FCB8

Strings

GetPackagePath, xrefs: 0041FB17, 0041FB80
neutral, xrefs: 0041FA22
x86, xrefs: 0041F9D5
x64, xrefs: 0041FA06

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$ErrorFreeLastLibrary
String ID: GetPackagePath$neutral$x64$x86
API String ID: 1800271603-1738950451
Opcode ID: 97292470591dba9c5654709f679e543704e5dc5cd21af478cbf61158a8b177c1
Instruction ID: debee1cd04ae6672c277860f6ce81dc62e70c759f4da5711ec818e9a5afa0d24
Opcode Fuzzy Hash: 97292470591dba9c5654709f679e543704e5dc5cd21af478cbf61158a8b177c1
Instruction Fuzzy Hash: EBB17270A00609DFCF04DFA8C994AADBBB1FF49314F14816EE405EB391DB78A946CB55

Function 046BA045 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 176sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 046BA04A
GdiplusStartup.GDIPLUS(04714ACC,?,00000000), ref: 046BA07C
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 046BA108
Sleep.KERNEL32(000003E8), ref: 046BA18E
GetLocalTime.KERNEL32(?), ref: 046BA196
Sleep.KERNEL32(00000000,00000018,00000000), ref: 046BA285

Strings

time_%04i%02i%02i_%02i%02i%02i, xrefs: 046BA130
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 046BA12B, 046BA14C, 046BA1BA

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 489098229-3790400642
Opcode ID: 9210a6fd6efcc500f14e51ec105b4e970dceb74123b39d9a654515bc77468046
Instruction ID: b63d342536666dfe6e381c5797f6676ca1f6a935b573465082d8a05301e770a5
Opcode Fuzzy Hash: 9210a6fd6efcc500f14e51ec105b4e970dceb74123b39d9a654515bc77468046
Instruction Fuzzy Hash: 0F519070A006589AFB18FBB4CC50AFD77A9AF55208F44402DE545A7290FF34BE95CBA8

Function 046F5F84 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,046F707F), ref: 046F5FA7

Strings

log, xrefs: 046F604D, 046F6059
sqrt, xrefs: 046F612B
acos, xrefs: 046F611F
log10, xrefs: 046F5FF1, 046F6041
pow, xrefs: 046F608B, 046F6137, 046F614A
asin, xrefs: 046F6113
exp, xrefs: 046F606C, 046F60CE

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: e151639e94c94a5c885654ef69bad40e3ffc47d23a3da0e3af99adc4dbd8ec2a
Instruction ID: 142784e608378d5415a3cd047e0f9d2dc92ccf30914a461ff8617102ca23b311
Opcode Fuzzy Hash: e151639e94c94a5c885654ef69bad40e3ffc47d23a3da0e3af99adc4dbd8ec2a
Instruction Fuzzy Hash: 6B518C70A0110ADBDF10DF68EE486ADBBB0FB1A314F104195D6C1B73A5FB31A92ACB15

Function 046B74D0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 046B7530

Part of subcall function 046BC516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,046AA87E), ref: 046BC52F

Sleep.KERNEL32(00000064), ref: 046B755C
DeleteFileW.KERNEL32(00000000), ref: 046B7590

Strings

/t , xrefs: 046B750F
temp, xrefs: 046B74E0
dxdiag, xrefs: 046B7525
\sysinfo.txt, xrefs: 046B74DB
open, xrefs: 046B752A

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: bc4b77b10301026db38ce5947e41e1792ad21e23dc9bd43cb0d49308d36d53b4
Instruction ID: 391e4d75f1fe517a230aaefc4bfa756dc98b42e4d8e2fd2a514c78c3645ad129
Opcode Fuzzy Hash: bc4b77b10301026db38ce5947e41e1792ad21e23dc9bd43cb0d49308d36d53b4
Instruction Fuzzy Hash: A83160719405189AEB08FBA4DC95EEDB7B8AF11209F00416DE506671D0FF607EAECF98

Function 046A73E7 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(04712B14,00000000,047152D8,00003000,00000004,00000000,00000001), ref: 046A7418
GetCurrentProcess.KERNEL32(04712B14,00000000,00008000,?,00000000,00000001,00000000,046A7691,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe), ref: 046A74D9

Strings

[+] NtAllocateVirtualMemory Success, xrefs: 046A744B
explorer.exe, xrefs: 046A748B, 046A74B6
[-] NtAllocateVirtualMemory Error, xrefs: 046A7478
PEB: %x, xrefs: 046A74EA
\explorer.exe, xrefs: 046A743B
windir, xrefs: 046A7425

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
API String ID: 2050909247-4242073005
Opcode ID: 2820df92c89470bf05246174630a0550962f4b4f35c4f3c62f28f735fdff712a
Instruction ID: 17325cd945ba9ab25f6ba118fd9e69c01db899c051f1de719b16de8736ecfd9f
Opcode Fuzzy Hash: 2820df92c89470bf05246174630a0550962f4b4f35c4f3c62f28f735fdff712a
Instruction Fuzzy Hash: 2A3181B1341700AFE324EF68EC55F9A7BB9EB4460AF008469F501A6261FB78FC118F65

Function 0048A641 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(0041BB46,?,?,0048A987,00516D88,?,?,?,0041BB46,?,BB40E64E), ref: 0048A653
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,0041BB46,?,?,0048A987,00516D88,?,?,?,0041BB46,?,BB40E64E), ref: 0048A668
DecodePointer.KERNEL32(0041BB46,?,?,?,?,?,?,?,?,?,?,0041BB46,?,BB40E64E), ref: 0048A6E4

Strings

AtlThunk_FreeData, xrefs: 0048A6BE
AtlThunk_DataToCode, xrefs: 0048A6A7
AtlThunk_InitData, xrefs: 0048A690
atlthunk.dll, xrefs: 0048A663
AtlThunk_AllocateData, xrefs: 0048A679

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 7277a9bf98d1a013ca28f0ade386a6b488443ea67123b5dd480839fe9509e175
Instruction ID: 14f3dc36a5d214969902ae08834b9f2a1073da9fc6ea541ed7746b5307598505
Opcode Fuzzy Hash: 7277a9bf98d1a013ca28f0ade386a6b488443ea67123b5dd480839fe9509e175
Instruction Fuzzy Hash: CB018E60B40280BBEB117711AC0AB8E3B585B01749F1C4457FE817B2DAF6D986749B9E

Function 046BD4EE Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 046BD507

Part of subcall function 046BD5A0: RegisterClassExA.USER32(00000030), ref: 046BD5EC
Part of subcall function 046BD5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 046BD607
Part of subcall function 046BD5A0: GetLastError.KERNEL32 ref: 046BD611

ExtractIconA.SHELL32(00000000,?,00000000), ref: 046BD53E
lstrcpynA.KERNEL32(04714B60,Remcos,00000080), ref: 046BD558
Shell_NotifyIconA.SHELL32(00000000,04714B48), ref: 046BD56E
TranslateMessage.USER32(?), ref: 046BD57A
DispatchMessageA.USER32(?), ref: 046BD584
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 046BD591

Strings

Remcos, xrefs: 046BD549

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: 0b9c0596930c8c25a7f9beed7433a9804fc089e063ddb622390f80ed4a594d86
Instruction ID: b887b24a15303d5b677c96ebc6ea8fc0942852b9fec847ab488d184d1ab45c3c
Opcode Fuzzy Hash: 0b9c0596930c8c25a7f9beed7433a9804fc089e063ddb622390f80ed4a594d86
Instruction Fuzzy Hash: 15010CB2900248ABD7209FA9EC4CFDABBBCEB85704F008119F551961A0E7BC5C49CF60

Function 046ECE00 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e72b082246b3249d5ad1d50cf8279f70ca90dae192dad039d9be52e8bddc92
Instruction ID: 1862922cf32fbd29dfbc1e760eb1a28c685ec8b288c9d2511e2a667a4f876c4e
Opcode Fuzzy Hash: 88e72b082246b3249d5ad1d50cf8279f70ca90dae192dad039d9be52e8bddc92
Instruction Fuzzy Hash: 01C1F770E0524AAFDF11DFAAD840BFD7BF0AF19300F084189E950AB391E775A946CB64

Function 046F3E03 Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,046F40DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 046F3EAF
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,046F40DC,00000000,00000000,?,00000001,?,?,?,?), ref: 046F3F32
__alloca_probe_16.LIBCMT ref: 046F3F6A
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,046F40DC,?,046F40DC,00000000,00000000,?,00000001,?,?,?,?), ref: 046F3FC5
__alloca_probe_16.LIBCMT ref: 046F4014
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,046F40DC,00000000,00000000,?,00000001,?,?,?,?), ref: 046F3FDC

Part of subcall function 046E61B8: RtlAllocateHeap.NTDLL(00000000,046D5349,?,?,046D88C7,?,?,pth_unenc,?,?,046ADE9D,046D5349,?,?,?,?), ref: 046E61EA

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,046F40DC,00000000,00000000,?,00000001,?,?,?,?), ref: 046F4058
__freea.LIBCMT ref: 046F4083
__freea.LIBCMT ref: 046F408F

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: acaa68f893aa1a71ffc963921e0672349b89b66e53697908b0be3cb0475af5bf
Instruction ID: f962770001983f15f99a86de9d54572f2040428922646fa7e90f3ba47d46ca48
Opcode Fuzzy Hash: acaa68f893aa1a71ffc963921e0672349b89b66e53697908b0be3cb0475af5bf
Instruction Fuzzy Hash: A491B472E042169ADF208F65CC40EEFBBB5AF69754F14055AEE81E7381FB35E8818760

Function 046E51FA Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 046E8295: GetLastError.KERNEL32(?,00000000,046E1CC5,?,046BBA44,-04716D2C,?,?,?,?,04706478,046AD248,.vbs), ref: 046E8299
Part of subcall function 046E8295: _free.LIBCMT ref: 046E82CC
Part of subcall function 046E8295: SetLastError.KERNEL32(00000000,?,046BBA44,-04716D2C,?,?,?,?,04706478,046AD248,.vbs), ref: 046E830D
Part of subcall function 046E8295: _abort.LIBCMT ref: 046E8313

_memcmp.LIBVCRUNTIME ref: 046E54A4
_free.LIBCMT ref: 046E5515
_free.LIBCMT ref: 046E552E
_free.LIBCMT ref: 046E5560
_free.LIBCMT ref: 046E5569
_free.LIBCMT ref: 046E5575

Strings

C, xrefs: 046E5362

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 9802e114b8dd796ec19a6a2da2dd58f593d9a69996d429bd2ac842e419b48258
Instruction ID: 47803c5d73077ef4a3883ac130c1d25ee58eb7ac02f65628f48f4a37585995b0
Opcode Fuzzy Hash: 9802e114b8dd796ec19a6a2da2dd58f593d9a69996d429bd2ac842e419b48258
Instruction Fuzzy Hash: B0B13B75A02219EFDB24DF59C884AADB7F4FB18308F50459AD90AA7350E770BE91CF40

Function 046B4945 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

tcp, xrefs: 046B4AAE
udp, xrefs: 046B4A81

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: e3449a0a4889ea14047428ec54552789f91fdceb797528f0fb355a0f5f8f2484
Instruction ID: 3873d6fd7e06669a376a56b5e30785bc92db7e4aa2d2698174d4beb679cb61a5
Opcode Fuzzy Hash: e3449a0a4889ea14047428ec54552789f91fdceb797528f0fb355a0f5f8f2484
Instruction Fuzzy Hash: 31716A706083028FDB28DE54C8847AAB7E4EBA4344F14486EE9C587356FB74E985CBD2

Function 046B1530 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 046B154F
inet_ntoa.WS2_32(?), ref: 046B15EA

Strings

StartForward, xrefs: 046B16AE
StopForward, xrefs: 046B16CB
StartReverse, xrefs: 046B16BA
StopReverse, xrefs: 046B16DC
GetDirectListeningPort, xrefs: 046B16ED

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
API String ID: 3578746661-168337528
Opcode ID: dd961673afd9b42fc8e0e0d3b0e343dc8de67160926bfd17842830ed8d36d06a
Instruction ID: 9cd1b392ea37135120aabdc48dbe2668511ed094268b7c4112b2efb7460609fe
Opcode Fuzzy Hash: dd961673afd9b42fc8e0e0d3b0e343dc8de67160926bfd17842830ed8d36d06a
Instruction Fuzzy Hash: A251E431B046406BE714FB38C828AEE37E5AB82244F40456DE481976E1FF28BD59CBC6

Function 046B7D1A Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 046B7F67: __EH_prolog.LIBCMT ref: 046B7F6C

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,047060B4), ref: 046B7E17
CloseHandle.KERNEL32(00000000), ref: 046B7E20
DeleteFileA.KERNEL32(00000000), ref: 046B7E2F
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 046B7DE3

Part of subcall function 046A4AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 046A4B36

Strings

@, xrefs: 046B7DC5
Temp, xrefs: 046B7D3B
<, xrefs: 046B7DBE

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: <$@$Temp
API String ID: 1704390241-1032778388
Opcode ID: b4cf103910281ac3a4068e36e02403d8bd3494e9afdd8c5440860073438392e5
Instruction ID: 44f134aa74da0f7c697ceb9e8855ef9a9749f1d6787db6d18aa0cfd5d079f714
Opcode Fuzzy Hash: b4cf103910281ac3a4068e36e02403d8bd3494e9afdd8c5440860073438392e5
Instruction Fuzzy Hash: 2E41AE319406089BEB14FB60DC61AEDB7B4AF51318F40416CE10A662D0FF346EAACF94

Function 00406360 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 104libraryloaderCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?), ref: 00406370
LoadLibraryW.KERNEL32(Shell32.dll), ref: 00406383
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00406393
SHGetPathFromIDListW.SHELL32(?,00000000), ref: 00406422
SHGetMalloc.SHELL32(?), ref: 0040646A

Strings

Shell32.dll, xrefs: 0040637E
SHGetSpecialFolderPathW, xrefs: 0040638D

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressFolderFromLibraryListLoadLocationMallocPathProcSpecial
String ID: SHGetSpecialFolderPathW$Shell32.dll
API String ID: 2352187698-2988203397
Opcode ID: f54980111735cdc77347b05e677e9d3c6c7f61fc47580892de74c3fda15638eb
Instruction ID: 32944ae05cac6b1734df2e73548a01801abb7a70ad093a706801a1ec2376c662
Opcode Fuzzy Hash: f54980111735cdc77347b05e677e9d3c6c7f61fc47580892de74c3fda15638eb
Instruction Fuzzy Hash: 1E313571A007019BDB249F28DD45B2B77F5FF84700F05843DE886AB2E0EBB99855CB99

Function 046A799E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,04714EE0,04705FB4,?,00000000,046A8037,00000000), ref: 046A7A00
WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,046A8037,00000000,?,?,0000000A,00000000), ref: 046A7A48

Part of subcall function 046A4AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 046A4B36

CloseHandle.KERNEL32(00000000,?,00000000,046A8037,00000000,?,?,0000000A,00000000), ref: 046A7A88
MoveFileW.KERNEL32(00000000,00000000), ref: 046A7AA5
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 046A7AD0
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 046A7AE0

Part of subcall function 046A4B96: WaitForSingleObject.KERNEL32(?,000000FF,00000000,04714EF8,046A4C49,00000000,?,?,00000000,04714EF8,046A4AC9), ref: 046A4BA5
Part of subcall function 046A4B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,046A548B), ref: 046A4BC3

Strings

.part, xrefs: 046A79C4

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: 4f0a3730da029d672e6cd7a50470be04f4d983ff2eb48cfa22f6a156d42de4e0
Instruction ID: 9309922458987ff22e8758a0e783316eaa8c3d5d943117b85a55b35523182825
Opcode Fuzzy Hash: 4f0a3730da029d672e6cd7a50470be04f4d983ff2eb48cfa22f6a156d42de4e0
Instruction Fuzzy Hash: E6319C71508740AFD310EA60D8449DBB3E8FF9431AF00491DB68692150FB74FE48CF9A

Function 046EACC9 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,046DEA74,046DEA74,?,?,?,046EAF1A,00000001,00000001,A4E85006), ref: 046EAD23
__alloca_probe_16.LIBCMT ref: 046EAD5B
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,046EAF1A,00000001,00000001,A4E85006,?,?,?), ref: 046EADA9
__alloca_probe_16.LIBCMT ref: 046EAE40
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,A4E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 046EAEA3
__freea.LIBCMT ref: 046EAEB0

Part of subcall function 046E61B8: RtlAllocateHeap.NTDLL(00000000,046D5349,?,?,046D88C7,?,?,pth_unenc,?,?,046ADE9D,046D5349,?,?,?,?), ref: 046E61EA

__freea.LIBCMT ref: 046EAEB9
__freea.LIBCMT ref: 046EAEDE

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 05cd466162273136dc91c87f082ed3e6e19ed3c05901a3d0ad3f8a1048e3cf54
Instruction ID: 7d3b6f08cbff8e6b3baa5ecfcdbe2322f1b6dfd5f2cc9525c1bd0ae0ae479b96
Opcode Fuzzy Hash: 05cd466162273136dc91c87f082ed3e6e19ed3c05901a3d0ad3f8a1048e3cf54
Instruction Fuzzy Hash: 5B51E272A02216AFEF258FA6CC44EBB77EAEB54750B144669FD04D7280FB74FC409690

Function 046B99DB Relevance: 12.1, APIs: 8, Instructions: 117keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32 ref: 046B9A25
SendInput.USER32(00000001,?,0000001C,00000000), ref: 046B9A4D
SendInput.USER32(00000001,0000001C,0000001C), ref: 046B9A74
SendInput.USER32(00000001,0000001C,0000001C), ref: 046B9A92
SendInput.USER32(00000001,0000001C,0000001C), ref: 046B9AB2
SendInput.USER32(00000001,0000001C,0000001C), ref: 046B9AD7
SendInput.USER32(00000001,0000001C,0000001C), ref: 046B9AF9
SendInput.USER32(00000001,00000000,0000001C), ref: 046B9B1C

Part of subcall function 046B99CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 046B99D4

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: InputSend$Virtual
String ID:
API String ID: 1167301434-0
Opcode ID: 53e2e4678cb7bd008f763c1bab87aab9bc0e71d2ad08c551945b2e34033c754d
Instruction ID: 4f0fbe56e9dfc9b2c645c153e829f778c17ed36bd066e8e43db54bd040cdf618
Opcode Fuzzy Hash: 53e2e4678cb7bd008f763c1bab87aab9bc0e71d2ad08c551945b2e34033c754d
Instruction Fuzzy Hash: 1D315361248349A9E211EFA5DC40BDFFBEC9F99B44F04080FB6C457190DAA1999C87A7

Function 046B697B Relevance: 12.0, APIs: 8, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 046B697C
EmptyClipboard.USER32 ref: 046B698A
CloseClipboard.USER32 ref: 046B6990
OpenClipboard.USER32 ref: 046B6997
GetClipboardData.USER32(0000000D), ref: 046B69A7
GlobalLock.KERNEL32(00000000), ref: 046B69B0
GlobalUnlock.KERNEL32(00000000), ref: 046B69B9
CloseClipboard.USER32 ref: 046B69BF

Part of subcall function 046A4AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 046A4B36

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID:
API String ID: 2172192267-0
Opcode ID: 19f729b757b5c817bdc47a8a6df01466160f2b2b2f730e1b1ccf152d2688183c
Instruction ID: 37c442ba96a0067619ad6303e853a9437b8771d44b250c06268db9fdea37b035
Opcode Fuzzy Hash: 19f729b757b5c817bdc47a8a6df01466160f2b2b2f730e1b1ccf152d2688183c
Instruction Fuzzy Hash: 49014CB22046109FE714BB70D85CBAA77A5EFD4705F40142EE586821D0FF38AC588B61

Function 00421340 Relevance: 10.9, APIs: 4, Strings: 3, Instructions: 415COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(Unable to find the service error code: ,00000027,?,80004005), ref: 004213EA
GetLastError.KERNEL32(Unable to set the service status error code: ,0000002D,?,80004005), ref: 004216A3
GetLastError.KERNEL32(Unable to set the service status error code: ,0000002D,?,80004005), ref: 00421560

Part of subcall function 004046F0: GetProcessHeap.KERNEL32 ref: 00404745

Strings

Unable to find the service error code: , xrefs: 004213E0
Unable to set the service status error code: , xrefs: 00421556, 00421699, 004217E4
, xrefs: 00421845

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$HeapProcess
String ID: $Unable to find the service error code: $Unable to set the service status error code:
API String ID: 2107678991-612451267
Opcode ID: 17b990731dc2eabcca0b27cf4be0a8fc97404014e35a54f36e2c43222e0975fd
Instruction ID: d872c1689c442898bada149e1700b74956e8d7452a0374f3ef7bec82a3c8be93
Opcode Fuzzy Hash: 17b990731dc2eabcca0b27cf4be0a8fc97404014e35a54f36e2c43222e0975fd
Instruction Fuzzy Hash: 99F1F274A002199FCB05EF68D99477E7BA1EF48314F14025EE811AB3D2DF789E01CBA9

Function 004029E0 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 353fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,BB40E64E), ref: 00402A2B
GetLastError.KERNEL32 ref: 00402A4D
CloseHandle.KERNEL32(00000000,?,004ED0F4,004ED0FC), ref: 00402BC8

Part of subcall function 00402E20: GetLastError.KERNEL32(?,?,?,0040294D,004ED0F4,004ED0FC), ref: 00402E54

ReadFile.KERNEL32(00000000,00000000,00000400,00000000,00000000,00000400,?,004ED0F4,004ED0FC), ref: 00402ADD

Strings

%02X, xrefs: 00402CC7

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleRead
String ID: %02X
API String ID: 3160720760-436463671
Opcode ID: d0edde89f3cb7d724fd97b31411516f368cce4b39f6ccf5b377f344ab533fb73
Instruction ID: 061b468a1e8610420fa16c1a58561871c216eb7a22b23d27ff0b7cce6982789e
Opcode Fuzzy Hash: d0edde89f3cb7d724fd97b31411516f368cce4b39f6ccf5b377f344ab533fb73
Instruction Fuzzy Hash: 7BD1C571900249DFDB14CF68C948B9EBBB4FF48324F10426AE815B73D1D7B9A904CBA4

Function 046F0AA5 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 046F0B14
_free.LIBCMT ref: 046F0B22
_free.LIBCMT ref: 046F0C50
_free.LIBCMT ref: 046F0C5B

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 600c55d28d99aacce38a8a273f9892f0fc6c26f6e89a9f65a479375afb35ebad
Instruction ID: 5f03cbe8267e18b808a4646105d3cd306e46f945c84cefcf78d03080a7526ae2
Opcode Fuzzy Hash: 600c55d28d99aacce38a8a273f9892f0fc6c26f6e89a9f65a479375afb35ebad
Instruction Fuzzy Hash: DD61B1B1901205AFEB20CF69CC41BAABBF5EF19710F5441A9EA84EB342F770BD419B54

Function 046EB43C Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,046EBBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 046EB47E
__fassign.LIBCMT ref: 046EB4F9
__fassign.LIBCMT ref: 046EB514
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 046EB53A
WriteFile.KERNEL32(?,FF8BC35D,00000000,046EBBB1,00000000,?,?,?,?,?,?,?,?,?,046EBBB1,?), ref: 046EB559
WriteFile.KERNEL32(?,?,00000001,046EBBB1,00000000,?,?,?,?,?,?,?,?,?,046EBBB1,?), ref: 046EB592

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 76ce2eb9b7e5947942af77a002fe770959328bdbdf69de2f81cb2a20165554ca
Instruction ID: 0827d9b494e05b444ad8c1b583c49c2432b58ea8e726164d3926349c1b3f7e4c
Opcode Fuzzy Hash: 76ce2eb9b7e5947942af77a002fe770959328bdbdf69de2f81cb2a20165554ca
Instruction Fuzzy Hash: FC51AEB1A01249AFDB10CFA9D885AEEBBF8EF09700F14455AE955E7291F630BD41CF60

Function 0041D8A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0041D93F
GetWindowLongW.USER32(?,000000FC), ref: 0041D94E
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 0041D969
GetWindowLongW.USER32(?,000000FC), ref: 0041D983
SetWindowLongW.USER32(?,000000FC,?), ref: 0041D995

Strings

$, xrefs: 0041D8C1

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 2b8f4f7af45cb4b433e2178b9f91cfef87d8fd59ad06ff9372f041f6fc695801
Instruction ID: 89ff05b1361473aa473b813dda564c1dfdb19886c229f09841c05e570a5c1d1a
Opcode Fuzzy Hash: 2b8f4f7af45cb4b433e2178b9f91cfef87d8fd59ad06ff9372f041f6fc695801
Instruction Fuzzy Hash: C0417CB1604706AFC704DF19C984A1AFBF9FF88310F104A1AF995976A0C775E994CF92

Function 046A1D0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 046A1D50

Part of subcall function 046A1A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 046A1AD9

waveInUnprepareHeader.WINMM(04712A88,00000020,00000000,?), ref: 046A1E02
waveInPrepareHeader.WINMM(04712A88,00000020), ref: 046A1E40
waveInAddBuffer.WINMM(04712A88,00000020), ref: 046A1E4F

Strings

.wav, xrefs: 046A1D69
%Y-%m-%d %H.%M, xrefs: 046A1D41

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav
API String ID: 3809562944-3597965672
Opcode ID: 159df40aa4d6e70abf2f08aa9abb8fc6b0f62069bd6abf845e89c702cf0381ef
Instruction ID: 81212937d7dc9bb68003d963635fb8d924f0e8213d339c06e3f416b836259ff9
Opcode Fuzzy Hash: 159df40aa4d6e70abf2f08aa9abb8fc6b0f62069bd6abf845e89c702cf0381ef
Instruction Fuzzy Hash: A9319E715147409FE324EB24D811ADAB7E9FB55315F00842EA589922A0FF34BD28CF59

Function 046ABF24 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 046B35E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 046B3605
Part of subcall function 046B35E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 046B3622
Part of subcall function 046B35E1: RegCloseKey.KERNEL32(?), ref: 046B362D

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 046ABFA6
PathFileExistsA.SHLWAPI(?), ref: 046ABFB3

Strings

[IE cookies not found], xrefs: 046ABF7B
[IE cookies cleared!], xrefs: 046AC000, 046AC025
Cookies, xrefs: 046ABF38
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 046ABF3D

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: a8995612a2071c35e26694674f67e67518b3c96cc5335423b4ef69682dbb7367
Instruction ID: 6d8e0a764ea2ba4b0c109d3a672a68f53cebc6793783d231823cf9b362064496
Opcode Fuzzy Hash: a8995612a2071c35e26694674f67e67518b3c96cc5335423b4ef69682dbb7367
Instruction Fuzzy Hash: 2E218CB1A41918ABEB14FBF4CC659EE77A8AF11608F80005CD50267280FA21BE69CF95

Function 00410070 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shlwapi.dll,?,?,?,?,?,?,?,?,?,0040BE4A,?), ref: 0041008F
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 004100A5
FreeLibrary.KERNEL32(00000000), ref: 004100E8
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040BE4A,?), ref: 00410104

Strings

Shlwapi.dll, xrefs: 00410088
DllGetVersion, xrefs: 0041009F

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Library$Free$AddressLoadProc
String ID: DllGetVersion$Shlwapi.dll
API String ID: 1386263645-2240825258
Opcode ID: 92cc7eca85c45edb07daabbf80d511e2aca987027612cc35edca9dda83a19eb1
Instruction ID: af33f0f334ad32919512d607d30fe81e093b28ce6b82dd8faeb84e95a8bc03d3
Opcode Fuzzy Hash: 92cc7eca85c45edb07daabbf80d511e2aca987027612cc35edca9dda83a19eb1
Instruction Fuzzy Hash: D221D8756003019BC700EF29E98566BBBE4FFD9754F80042EF445C7352EA79D984C7A6

Function 046F6BD3 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d359ae33f240833349507cb651c6e23eff30463fad8a90954934b5fc6e6950
Instruction ID: a749f5750b65e34b66c8b6d4884fad9f2d9677895656d032941392a34799e9d2
Opcode Fuzzy Hash: 51d359ae33f240833349507cb651c6e23eff30463fad8a90954934b5fc6e6950
Instruction Fuzzy Hash: F5110DF2615114BBEB206FB6DC04A6B3BDCEF827347104519F9D5D7250FA34A8028770

Function 046F0F7A Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 046F0CC1: _free.LIBCMT ref: 046F0CEA

_free.LIBCMT ref: 046F0FC8

Part of subcall function 046E6802: RtlFreeHeap.NTDLL(00000000,00000000,?,046F0CEF,00000000,00000000,00000000,00000000,?,046F0F93,00000000,00000007,00000000,?,046F14DE,00000000), ref: 046E6818
Part of subcall function 046E6802: GetLastError.KERNEL32(00000000,?,046F0CEF,00000000,00000000,00000000,00000000,?,046F0F93,00000000,00000007,00000000,?,046F14DE,00000000,00000000), ref: 046E682A

_free.LIBCMT ref: 046F0FD3
_free.LIBCMT ref: 046F0FDE
_free.LIBCMT ref: 046F1032
_free.LIBCMT ref: 046F103D
_free.LIBCMT ref: 046F1048
_free.LIBCMT ref: 046F1053

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction ID: 0ae8b591d8cccb9f49542fc5178f31785f615e39eb6be45cf50a08371098e1ee
Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction Fuzzy Hash: 1311AFB1503B44AAF620BBB2CC16FCB77DC9F01B04F808C2CABD9A6251FBB4B5119654

Function 046DA3DA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,046DA3D1,046D933E), ref: 046DA3E8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 046DA3F6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 046DA40F
SetLastError.KERNEL32(00000000,?,046DA3D1,046D933E), ref: 046DA461

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 4b37337e442c2ca703ac161d2b6a228a1abf8bd1fc94daf1b6c1f4bd75cbe419
Instruction ID: db9412b5f1db88abfc8e199b075ed682b3adfcc25c13e27feb11e64f190b935b
Opcode Fuzzy Hash: 4b37337e442c2ca703ac161d2b6a228a1abf8bd1fc94daf1b6c1f4bd75cbe419
Instruction Fuzzy Hash: B601D832E0D3255EB7142AF9AC9C6BB2B89DB162B8320833DE528496E0FF556C015544

Function 046A75EB Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe), ref: 046A760B

Part of subcall function 046A7538: _wcslen.LIBCMT ref: 046A755C
Part of subcall function 046A7538: CoGetObject.OLE32(?,00000024,04706528,00000000), ref: 046A75BD

CoUninitialize.OLE32 ref: 046A7664

Strings

[+] ShellExec success, xrefs: 046A7649
[+] ucmCMLuaUtilShellExecMethod, xrefs: 046A75F0
C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, xrefs: 046A75EB, 046A75EE, 046A7640
[+] before ShellExec, xrefs: 046A762C

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-2341407809
Opcode ID: d646384eb9e7aa00ebf7623d1288cf997de61b60188f64f0b13e9b7ed2c5cfb3
Instruction ID: ec06a70e6eb1986b2fea8cdaa1ca96b0052248b643aad3fb90739295b9c640d6
Opcode Fuzzy Hash: d646384eb9e7aa00ebf7623d1288cf997de61b60188f64f0b13e9b7ed2c5cfb3
Instruction Fuzzy Hash: 8401B5B2301B156FF3286F54EC5AF6B7788DF51A2AF14012EF50186281FBA1FC114EA5

Function 046ABADC Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 046ABB18
GetLastError.KERNEL32 ref: 046ABB22

Strings

[Chrome Cookies not found], xrefs: 046ABB3C
UserProfile, xrefs: 046ABAE8
[Chrome Cookies found, cleared!], xrefs: 046ABB48
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 046ABAE3

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: 6e46766453ba6d08745f80e7afb0b59a5913265b437eba87e8922fc7f2748c08
Instruction ID: 83e13faf9a85e635bca6779cba5d76e6f85723031049f94f0e865490df9073f3
Opcode Fuzzy Hash: 6e46766453ba6d08745f80e7afb0b59a5913265b437eba87e8922fc7f2748c08
Instruction Fuzzy Hash: 0F01D6B1A858089B9B14F7B9CC368FEB7A4A922518B40415DD503533C4FE027E3E8ED6

Function 046BCE2C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(04715338), ref: 046BCE35
ShowWindow.USER32(00000000,00000000), ref: 046BCE4E
SetConsoleOutputCP.KERNEL32(000004E4), ref: 046BCE73

Strings

Remcos v, xrefs: 046BCE8E
5.1.2 Pro, xrefs: 046BCE9C
CONOUT$, xrefs: 046BCE61

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Console$AllocOutputShowWindow
String ID: Remcos v$5.1.2 Pro$CONOUT$
API String ID: 2425139147-1584637518
Opcode ID: 601fb84f7ab9f44c97d73d43170fc2f51dadc9d325faaf1504b1aa0482a7e0d8
Instruction ID: 7de415849f22dac80b597bf3b4e141f8a5c992541a67ce52a472d2db01a72d26
Opcode Fuzzy Hash: 601fb84f7ab9f44c97d73d43170fc2f51dadc9d325faaf1504b1aa0482a7e0d8
Instruction Fuzzy Hash: E40171F2982308ABE710FBF19C4AFDDB7EC9B15B05F400519B604A71C4F678B9048AA5

Function 046DAB5C Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 046DACE9
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 046DAD05
__allrem.LIBCMT ref: 046DAD1C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 046DAD3A
__allrem.LIBCMT ref: 046DAD51
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 046DAD6F

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
Instruction ID: 0af26d3aeda4d3b654d9da22d885b6095c5dc66ebdfa0325cd60d0457884ff8a
Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
Instruction Fuzzy Hash: 7C8109B2E05705ABF7209EB9CC40B6A73E9AF90724F14452EE552D7380FBB4F9018754

Function 046B1D39 Relevance: 9.2, APIs: 6, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 046B17D7: SetLastError.KERNEL32(0000000D,046B1D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,046B1D35), ref: 046B17DD

SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,046B1D35), ref: 046B1D72
GetNativeSystemInfo.KERNEL32(?,046AD2DD,00000000,?,?,?,?,?,?,?,?,?,?,?,?,046B1D35), ref: 046B1DE0
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 046B1E04

Part of subcall function 046B1CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,046B1E22,?,00000000,00003000,00000040,00000000,?,?), ref: 046B1CEE

GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 046B1E4B
HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 046B1E52
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 046B1F65

Part of subcall function 046B20B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,046B1F72,?,?,?,?,?), ref: 046B2122
Part of subcall function 046B20B2: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 046B2129

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
String ID:
API String ID: 3950776272-0
Opcode ID: c3a7436f4b3240d74bb9b6327bd74ef6ce8d6ba229da1b6a2f3c5bf5c49a744c
Instruction ID: 871066736018a69a130fc0edb10139aa29dd0485e2acd570ec202175ae700abe
Opcode Fuzzy Hash: c3a7436f4b3240d74bb9b6327bd74ef6ce8d6ba229da1b6a2f3c5bf5c49a744c
Instruction Fuzzy Hash: 3261BD70600601BBD7219F65C9A0BEA7BE9AB46784F04412AED858B381FB74F8C5CBD5

Function 046E597A Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 046E59A6
__cftoe.LIBCMT ref: 046E59D8

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 044084c359e90e1cd06bddc9232ca6cd81f4535f88e45e6f6e484db8a1126be2
Instruction ID: 0cdd337cc90c77c44fa4577ddd7dcd56e21b80a355f22539e6010c273c9c8d00
Opcode Fuzzy Hash: 044084c359e90e1cd06bddc9232ca6cd81f4535f88e45e6f6e484db8a1126be2
Instruction Fuzzy Hash: DC510D31903205BBEB249BEE8C84EBE77E8AF5433CF24421DE91696291FB31F5019664

Function 00412A00 Relevance: 9.2, APIs: 6, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00412A4A
std::_Lockit::_Lockit.LIBCPMT ref: 00412A6C
std::_Lockit::~_Lockit.LIBCPMT ref: 00412A94
__Getctype.LIBCPMT ref: 00412B75
std::_Facet_Register.LIBCPMT ref: 00412BD7
std::_Lockit::~_Lockit.LIBCPMT ref: 00412C0B

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 7ba3452b8762a86260e5dbee049a9c0fa249b96aedb4adeea9e616c121852b5f
Instruction ID: 3eba87abea37f8d0584aa7dab8c469b36dd0c0480f005e0970b0fba2961f0c3d
Opcode Fuzzy Hash: 7ba3452b8762a86260e5dbee049a9c0fa249b96aedb4adeea9e616c121852b5f
Instruction Fuzzy Hash: CB61CEB0D00649DFDB01DF59CA417AEFBB0FF54314F14825AD804AB391E7B8AA94CB95

Function 00412800 Relevance: 9.1, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0041283D
std::_Lockit::_Lockit.LIBCPMT ref: 0041285F
std::_Lockit::~_Lockit.LIBCPMT ref: 00412887
__Getcoll.LIBCPMT ref: 00412951
std::_Facet_Register.LIBCPMT ref: 00412996
std::_Lockit::~_Lockit.LIBCPMT ref: 004129D7

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
String ID:
API String ID: 1184649410-0
Opcode ID: 025193a20c3e12a3f6fe6db00f0e80243c9c4dc956fa3572d2fae690a4a8db3b
Instruction ID: 70928be0c3921c25ed63d5178682cdeeae85df315b7d14afd5ac1a4e1d2dd3ac
Opcode Fuzzy Hash: 025193a20c3e12a3f6fe6db00f0e80243c9c4dc956fa3572d2fae690a4a8db3b
Instruction Fuzzy Hash: 68519CB0D00208EFCB01EF98D985BDDBBB0FF54318F20815AE815AB391DB785A55CB95

Function 046E75F1 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 046E76F9
__freea.LIBCMT ref: 046E77A3
__freea.LIBCMT ref: 046E77C1

Part of subcall function 046D5ECD: _free.LIBCMT ref: 046D5EE3

Strings

am/pm, xrefs: 046E7824
a/p, xrefs: 046E7888

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm
API String ID: 2936374016-3206640213
Opcode ID: 234249ca0a67f45745cfc77c37d99b081753efe63669aef101b419cc337e9827
Instruction ID: 46d2d34ab86370427f55c1b78b8f39a138740c12c4dc5e7c920d7ee6149c5164
Opcode Fuzzy Hash: 234249ca0a67f45745cfc77c37d99b081753efe63669aef101b419cc337e9827
Instruction Fuzzy Hash: 39D12975A02206DBDB299F6EC854BBAB7F0FF25302F144159E501AB354F335BA42DB90

Function 046B0E9C Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 046B0EA9
int.LIBCPMT ref: 046B0EBC

Part of subcall function 046AE0FC: std::_Lockit::_Lockit.LIBCPMT ref: 046AE10D
Part of subcall function 046AE0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 046AE127

std::_Facet_Register.LIBCPMT ref: 046B0EFC
std::_Lockit::~_Lockit.LIBCPMT ref: 046B0F05
__CxxThrowException@8.LIBVCRUNTIME ref: 046B0F23
__Init_thread_footer.LIBCMT ref: 046B0F64

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
String ID:
API String ID: 3815856325-0
Opcode ID: 6bea56474430ff69cfe5302eaf7cce39b32eaa5a34b4b815de11da22e8aed577
Instruction ID: be19c1b3593f6efaf36f3fbde02812294d2b8da956a17cbb8d38e11f9eb232d3
Opcode Fuzzy Hash: 6bea56474430ff69cfe5302eaf7cce39b32eaa5a34b4b815de11da22e8aed577
Instruction Fuzzy Hash: F121F932A04514ABEB14EBA8D844CDE7BA9DF44324B21415EE801A7390FF71BE918BD9

Function 046E8295 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,046E1CC5,?,046BBA44,-04716D2C,?,?,?,?,04706478,046AD248,.vbs), ref: 046E8299
_free.LIBCMT ref: 046E82CC
_free.LIBCMT ref: 046E82F4
SetLastError.KERNEL32(00000000,?,046BBA44,-04716D2C,?,?,?,?,04706478,046AD248,.vbs), ref: 046E8301
SetLastError.KERNEL32(00000000,?,046BBA44,-04716D2C,?,?,?,?,04706478,046AD248,.vbs), ref: 046E830D
_abort.LIBCMT ref: 046E8313

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: b8fc17557f97b1aab5d1bfd7542d7e71375d54f4f90b27723545b36a70073e0c
Instruction ID: 78b24b4a491d1de677ead1a96b65b2a9eefe8cb450e8d6d945735f65d9297ec8
Opcode Fuzzy Hash: b8fc17557f97b1aab5d1bfd7542d7e71375d54f4f90b27723545b36a70073e0c
Instruction Fuzzy Hash: CDF0F475103A002BE716326BAC08F7B26EACBD2768F21001CFD14973C2FF24E8038168

Function 046BAC3B Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,046BA634,00000000), ref: 046BAC4A
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,046BA634,00000000), ref: 046BAC5E
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,046BA634,00000000), ref: 046BAC6B
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,046BA634,00000000), ref: 046BAC7A
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,046BA634,00000000), ref: 046BAC8C
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,046BA634,00000000), ref: 046BAC8F

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 97018e956164538cf11a7270f69c58b2bd765b70ad0a6a740ea8a8fdc841828b
Instruction ID: b38eb3592bdf80f4cb6dd0c0a73b891d7a4c5d8fa85b1c410b35740afb938b46
Opcode Fuzzy Hash: 97018e956164538cf11a7270f69c58b2bd765b70ad0a6a740ea8a8fdc841828b
Instruction Fuzzy Hash: 9FF0F6B16001187FD3116A74AC49EFF3BACDB86354F00001EFE4992140FB389D499AF4

Function 046BACA2 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,046BA5B4,00000000), ref: 046BACB1
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,046BA5B4,00000000), ref: 046BACC5
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,046BA5B4,00000000), ref: 046BACD2
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,046BA5B4,00000000), ref: 046BACE1
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,046BA5B4,00000000), ref: 046BACF3
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,046BA5B4,00000000), ref: 046BACF6

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 4d6338c8a4172f5012df0d632645cbe8a54b4e15ec35933879483126c8207874
Instruction ID: 742143792749f17f2ac8c84d08778c210ccfd1805fda49b5117dbc33206e8029
Opcode Fuzzy Hash: 4d6338c8a4172f5012df0d632645cbe8a54b4e15ec35933879483126c8207874
Instruction Fuzzy Hash: 4AF0F6B16401187BD3116A64AC49EFF3BACDB86355F00001DFE4992140FB389D8A9AF4

Function 046BAB37 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,046BA6B4,00000000), ref: 046BAB46
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,046BA6B4,00000000), ref: 046BAB5A
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,046BA6B4,00000000), ref: 046BAB67
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,046BA6B4,00000000), ref: 046BAB76
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,046BA6B4,00000000), ref: 046BAB88
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,046BA6B4,00000000), ref: 046BAB8B

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: dd99697c7ddded31f0d7f4a5be3247983f8d401730292806f12b0a6e2f2a4e2e
Instruction ID: 819299908f350db69738755511e2ca6c887d834f9d840ff69f371bbb71cefc38
Opcode Fuzzy Hash: dd99697c7ddded31f0d7f4a5be3247983f8d401730292806f12b0a6e2f2a4e2e
Instruction Fuzzy Hash: 53F0F6715002187BD7106A789C49EFF3BACDB86364F00001AFD4982140FB289D898AF0

Function 0040EFC9 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

Part of subcall function 004046F0: GetProcessHeap.KERNEL32 ref: 00404745

Part of subcall function 00403700: FindResourceW.KERNEL32(00000000,00000001,00000006,?,00000000,?,?,00000000,0000000E), ref: 00403738

RemoveDirectoryW.KERNEL32(?,00000000,?,\\?\), ref: 0040F041
GetLastError.KERNEL32(?), ref: 0040F086

Strings

\\?\, xrefs: 0040F00B, 0040F01B
LastError= , xrefs: 0040F0FB
Failed to delete directory: , xrefs: 0040F0CB

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryErrorFindHeapLastProcessRemoveResource
String ID: LastError= $Failed to delete directory: $\\?\
API String ID: 3283955249-2562880348
Opcode ID: a29d16a6fb08d21eccbbd0c78bb0bc845a029675bbbba2e2b8b0c483ef798a03
Instruction ID: 8db81f3fbe3a568239acde54840c6951720591151c312ed29d448c320e665dfd
Opcode Fuzzy Hash: a29d16a6fb08d21eccbbd0c78bb0bc845a029675bbbba2e2b8b0c483ef798a03
Instruction Fuzzy Hash: 9F812434A005459FCB04DFA8C9556AEB7B1EF44314F1841BEE911BB3D2DB39AE02CB98

Function 0041CA60 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,0041BDDC,00000000,00000000,00000000,?,?), ref: 0041CAAB
CompareStringW.KERNEL32(00000400,00000001,?,00000003,<A>,00000003,?,?,?,?,?,0041BDDC,00000000,00000000,00000000,?), ref: 0041CAE1
CompareStringW.KERNEL32(00000400,00000001,?,00000004,</A>,00000004,?,?,?,?,?,0041BDDC,00000000,00000000,00000000,?), ref: 0041CB1E

Strings

<A>, xrefs: 0041CAD2
</A>, xrefs: 0041CB0F

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CompareString$lstrlen
String ID: </A>$<A>
API String ID: 1657112622-2122467442
Opcode ID: bbb5559282663a2cd00074007c2648eafa71258357af84354f7c7004cc1f9b1c
Instruction ID: b8c3fee1d1c18d74c8f8b8c6812a8a51c1f86a6a34ff4ecee4599c3b5796ce11
Opcode Fuzzy Hash: bbb5559282663a2cd00074007c2648eafa71258357af84354f7c7004cc1f9b1c
Instruction Fuzzy Hash: 84318D722483049FD312CF18D881B9BBBE8EF89318F11055AF685AB391C7B5AD85CB65

Function 046BB71B Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 046B3656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,047150E4), ref: 046B3678
Part of subcall function 046B3656: RegQueryValueExW.ADVAPI32(?,046AF34E,00000000,00000000,?,00000400), ref: 046B3697
Part of subcall function 046B3656: RegCloseKey.ADVAPI32(?), ref: 046B36A0

Part of subcall function 046BC048: GetCurrentProcess.KERNEL32(?,?,?,046ADAE5,WinDir,00000000,00000000), ref: 046BC059

_wcslen.LIBCMT ref: 046BB7F4

Strings

.exe, xrefs: 046BB746
program files (x86)\, xrefs: 046BB7EE
http\shell\open\command, xrefs: 046BB72B
program files\, xrefs: 046BB7DA, 046BB7E1, 046BB7F3

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue_wcslen
String ID: .exe$http\shell\open\command$program files (x86)\$program files\
API String ID: 37874593-4246244872
Opcode ID: ad4f38408ca929742f0e009adae4002de6c86d1da37004977005bdc373115c10
Instruction ID: 44de7b8053569b7d3a7f02c2cc87fd2d2894164fb0f80e51b860e77beaafa116
Opcode Fuzzy Hash: ad4f38408ca929742f0e009adae4002de6c86d1da37004977005bdc373115c10
Instruction Fuzzy Hash: 5F21B8A2B001046BEB18BAB48C909FD77AD9F49528F10057DE446A7380FE24BD588BAC

Function 046BD5A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 046BD5EC
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 046BD607
GetLastError.KERNEL32 ref: 046BD611

Strings

0, xrefs: 046BD5BC
MsgWindowClass, xrefs: 046BD5B7

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 1b7b85bf6ec592de45816da7fcd057eb6df10b50a860435e281b0a65bc367295
Instruction ID: afbd8628905946ceba47d49e500d24587ec039b21f0657c1b7730a1bc59b0e02
Opcode Fuzzy Hash: 1b7b85bf6ec592de45816da7fcd057eb6df10b50a860435e281b0a65bc367295
Instruction Fuzzy Hash: 470148B1E0021CAFEB01DFE5DC84DEFBBBCFB04354F40152AF954A6240EA7569088BA0

Function 046A7790 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 046A77D6
CloseHandle.KERNEL32(?), ref: 046A77E5
CloseHandle.KERNEL32(?), ref: 046A77EA

Strings

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 046A77CC
C:\Windows\System32\cmd.exe, xrefs: 046A77D1

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 6524cc080cb05516cac9482d73db5482c0c3c988096ded36636cbbab0c9eac16
Instruction ID: c694acfd14b9e6f31c312951eced6e124eeacf55f18abc0dd9a6c4e40db9bda0
Opcode Fuzzy Hash: 6524cc080cb05516cac9482d73db5482c0c3c988096ded36636cbbab0c9eac16
Instruction Fuzzy Hash: FAF090B2D4029C7ADB20AAD6DC0DEDF7F7CEBC2B10F00051AFA04A2144EA706514CAB0

Function 046E33DA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,046E338B,00000003,?,046E332B,00000003,0470E958,0000000C,046E3482,00000003,00000002), ref: 046E33FA
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 046E340D
FreeLibrary.KERNEL32(00000000,?,?,?,046E338B,00000003,?,046E332B,00000003,0470E958,0000000C,046E3482,00000003,00000002,00000000), ref: 046E3430

Strings

mscoree.dll, xrefs: 046E33F3
CorExitProcess, xrefs: 046E3405

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a1edea1e568ff7bf00d99cb513055fffaaf2ebabdc291bf0b330f1c0b39d7cba
Instruction ID: c1bb69dd7bf26c25da9e0ff916e4cf4949d78c3f2a3f2359e5efabebc53931d1
Opcode Fuzzy Hash: a1edea1e568ff7bf00d99cb513055fffaaf2ebabdc291bf0b330f1c0b39d7cba
Instruction Fuzzy Hash: 4BF0A431911208FBCB119FA5DC08BADBFB4EB08755F014058E905A3250FB786E44CE90

Function 046A50E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,04714EF8,046A4E7A,00000001,?,00000000,04714EF8,046A4CA8,00000000,?,?,00000000), ref: 046A5120
SetEvent.KERNEL32(?,?,00000000,04714EF8,046A4CA8,00000000,?,?,00000000), ref: 046A512C
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,04714EF8,046A4CA8,00000000,?,?,00000000), ref: 046A5137
CloseHandle.KERNEL32(?,?,00000000,04714EF8,046A4CA8,00000000,?,?,00000000), ref: 046A5140

Part of subcall function 046BB580: GetLocalTime.KERNEL32(00000000), ref: 046BB59A

Strings

KeepAlive | Disabled, xrefs: 046A50F9

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: bf0cd38b314e5a8022f2da6e4c5ebdb0bade7081b923e50606e0d67bcf7ce6b4
Instruction ID: 0368504e26f49f6ca07069e094c4652f22dffb9fdb716605ccfb3319b2def8dc
Opcode Fuzzy Hash: bf0cd38b314e5a8022f2da6e4c5ebdb0bade7081b923e50606e0d67bcf7ce6b4
Instruction Fuzzy Hash: 3CF062F1954701BFE7107BB48D0EABA7EA4AB1231CF00195DE4C3417A1F5656C648F92

Function 046BAE51 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 046BB580: GetLocalTime.KERNEL32(00000000), ref: 046BB59A

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 046BAE83
PlaySoundW.WINMM(00000000,00000000), ref: 046BAE91
Sleep.KERNEL32(00002710), ref: 046BAE98
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 046BAEA1

Strings

Alarm triggered, xrefs: 046BAE5A

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered
API String ID: 614609389-2816303416
Opcode ID: b7b331cf9b086c9ca03db90d644223fcbebcb136c6ed6fc7835749b3f9ca5b21
Instruction ID: 2eb670e4c460f3f730a2962234920c350c56983b0529aec2fd8b467cd5549ebf
Opcode Fuzzy Hash: b7b331cf9b086c9ca03db90d644223fcbebcb136c6ed6fc7835749b3f9ca5b21
Instruction Fuzzy Hash: 71E01AA6A911207B6A2036BA6D1ED6F3E29CAC2B64701416DFA4656281E9442C258AF3

Function 046BCDE9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,046BCE7E), ref: 046BCDF3
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,046BCE7E), ref: 046BCE00
SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,046BCE7E), ref: 046BCE0D
SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,046BCE7E), ref: 046BCE20

Strings

______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 046BCE13

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
API String ID: 3024135584-2418719853
Opcode ID: feadd1a90de4b26a9eeff6c1697ba5e29f1afd689c7e296e48a5687bf37e9b69
Instruction ID: d563c739b6362ce52302ffaebe8f6bd781a5bfed9faef2e7bf5f185c50facb6c
Opcode Fuzzy Hash: feadd1a90de4b26a9eeff6c1697ba5e29f1afd689c7e296e48a5687bf37e9b69
Instruction Fuzzy Hash: 9AE04FB2500308ABD310ABB5AC4DDAB7B6CE786B22B001265FA5281182BA745C55CAB1

Function 046BB539 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 046BB54A
LoadResource.KERNEL32(00000000,?,?,046AF419,00000000), ref: 046BB55E
LockResource.KERNEL32(00000000,?,?,046AF419,00000000), ref: 046BB565
SizeofResource.KERNEL32(00000000,?,?,046AF419,00000000), ref: 046BB574

Strings

SETTINGS, xrefs: 046BB53D

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: c3db097b12eec81abba40022c99dd61bd5e93b8031d3ccdf80ad9936e6c7a3eb
Instruction ID: 83ed1b0e74a158700245110d1142402f9d80bc6b19ffc8f7223316447ad5abeb
Opcode Fuzzy Hash: c3db097b12eec81abba40022c99dd61bd5e93b8031d3ccdf80ad9936e6c7a3eb
Instruction Fuzzy Hash: 52E01AB6600350ABCB295BA9EC4CE863F69F7C9B6270040A4F581A67A0E6398C04DB51

Function 046E13EA Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93bfcbfe2c6c4f221791ad60eabe6f8469e3131d5d5e731bc17b56fc6b101c28
Instruction ID: 73ef33757fa55b4b9c8edc314d4e7b019a93bc2b581b440cbd297b8335bb96ee
Opcode Fuzzy Hash: 93bfcbfe2c6c4f221791ad60eabe6f8469e3131d5d5e731bc17b56fc6b101c28
Instruction Fuzzy Hash: DA719271A02216DBDB218F56C884AFFBBF5EF57310F184129E455A7280F770AD46EBA0

Function 046A4371 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 206sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,046AD29D), ref: 046A44C4

Part of subcall function 046A4607: __EH_prolog.LIBCMT ref: 046A460C

Strings

CloseCamera, xrefs: 046A458E
OpenCamera, xrefs: 046A4582
GetFrame, xrefs: 046A459F
FreeFrame, xrefs: 046A45B0

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
API String ID: 3469354165-3547787478
Opcode ID: 99c5b8f9dce727673cb8f4bb2c86c04131bf14907b835e8ca435230259fb47e0
Instruction ID: d58c4eb09c778f77dc0f08269c303d9947c4af70d692f4e615b61db024a74712
Opcode Fuzzy Hash: 99c5b8f9dce727673cb8f4bb2c86c04131bf14907b835e8ca435230259fb47e0
Instruction Fuzzy Hash: 89512631B04A006BEB24FB389C646AE3B95EF81648F00446DE80157790FF64BD25CF9A

Function 00420150 Relevance: 7.7, APIs: 5, Instructions: 200COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 00420157
GetWindowTextW.USER32(?,?,00000001), ref: 00420188
LoadStringW.USER32(?,00000000,00000100), ref: 00420283

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: TextWindow$LengthLoadString
String ID:
API String ID: 4011078827-0
Opcode ID: 63c6858da40c04af897f08390683e31889b08fe45025ad13b3810600929494b1
Instruction ID: a1d38276b81e4065e22de2de7e0a9ccef1fdda1b9dcff5a838a3824bb7fe20d4
Opcode Fuzzy Hash: 63c6858da40c04af897f08390683e31889b08fe45025ad13b3810600929494b1
Instruction Fuzzy Hash: AC51C1B1A001249FDB14CF69EC49AAEBBF9EF58314F10412FE909D7391EB799D008B94

Function 046E4D7C Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 046E61B8: RtlAllocateHeap.NTDLL(00000000,046D5349,?,?,046D88C7,?,?,pth_unenc,?,?,046ADE9D,046D5349,?,?,?,?), ref: 046E61EA

_free.LIBCMT ref: 046E4E87
_free.LIBCMT ref: 046E4E9E
_free.LIBCMT ref: 046E4EBD
_free.LIBCMT ref: 046E4ED8
_free.LIBCMT ref: 046E4EEF

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 177b55bc10a47d5bbbc7c17c6ed35a3e289db9850326af245f4d6b78ab0a5888
Instruction ID: ee87ac38f452d36a436b544d30c431d698e98a6ee60d7fa1f7b4313dd77bf6b9
Opcode Fuzzy Hash: 177b55bc10a47d5bbbc7c17c6ed35a3e289db9850326af245f4d6b78ab0a5888
Instruction Fuzzy Hash: C851BF71A02704ABEB20DF6AC941A7A77F4EF58728B14466DE90AD7250FB31B9018B94

Function 046E93E5 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,046FF244), ref: 046E944F
WideCharToMultiByte.KERNEL32(00000000,00000000,04712764,000000FF,00000000,0000003F,00000000,?,?), ref: 046E94C7
WideCharToMultiByte.KERNEL32(00000000,00000000,047127B8,000000FF,?,0000003F,00000000,?), ref: 046E94F4
_free.LIBCMT ref: 046E943D

Part of subcall function 046E6802: RtlFreeHeap.NTDLL(00000000,00000000,?,046F0CEF,00000000,00000000,00000000,00000000,?,046F0F93,00000000,00000007,00000000,?,046F14DE,00000000), ref: 046E6818
Part of subcall function 046E6802: GetLastError.KERNEL32(00000000,?,046F0CEF,00000000,00000000,00000000,00000000,?,046F0F93,00000000,00000007,00000000,?,046F14DE,00000000,00000000), ref: 046E682A

_free.LIBCMT ref: 046E9609

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: d37f1ac024214d4c17170c7a51b01bbce28547b3749ccc87498ef0d8e6c4f1a4
Instruction ID: 7756525f2826e03dea6ed8925447a831595f7b5e72c08cf542f08061c973af1c
Opcode Fuzzy Hash: d37f1ac024214d4c17170c7a51b01bbce28547b3749ccc87498ef0d8e6c4f1a4
Instruction Fuzzy Hash: C251D7B1901209EFEB10EF6ADC809BEB7FCEF54724B1042AAD554A7290F730AE458B54

Function 046AF938 Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 046BC048: GetCurrentProcess.KERNEL32(?,?,?,046ADAE5,WinDir,00000000,00000000), ref: 046BC059

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 046AF956
Process32FirstW.KERNEL32(00000000,?), ref: 046AF97A
Process32NextW.KERNEL32(00000000,0000022C), ref: 046AF989
CloseHandle.KERNEL32(00000000), ref: 046AFB40

Part of subcall function 046BC076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,046AF634,00000000,?,?,04715338), ref: 046BC08B

Part of subcall function 046BC26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 046BC286
Part of subcall function 046BC26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 046BC299

Process32NextW.KERNEL32(00000000,0000022C), ref: 046AFB31

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 4269425633-0
Opcode ID: 76756fc2879e0a4605c30c178aa8e935cf735eba199d2169fd180c9d591fe08f
Instruction ID: 3b706c2c7f77c9357e9da820d840acc8cf5d2b5846d97cce4bba344ff45e740c
Opcode Fuzzy Hash: 76756fc2879e0a4605c30c178aa8e935cf735eba199d2169fd180c9d591fe08f
Instruction Fuzzy Hash: 644116311086905BE329FB21D850AEFB3E5AF95309F50492DE48A82190FF347E5ACF56

Function 046E3E99 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 046E3F0B
_free.LIBCMT ref: 046E3F2B

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 679130731b8a8332fc56be70ae4983767cb8a15ca5e304fbecc6cf0e4a400901
Instruction ID: 536a51ddd602c138c81d1d9450bda838a47f242b31d84f428391bf6cb3c63eec
Opcode Fuzzy Hash: 679130731b8a8332fc56be70ae4983767cb8a15ca5e304fbecc6cf0e4a400901
Instruction Fuzzy Hash: 8341B072E01210AFDB14DF69C880A6AB7F5EF88714F1585A9E955EB381EB31BD41CB80

Function 046F11AC Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,046DF918,?,00000000,?,00000001,?,?,00000001,046DF918,?), ref: 046F11F9
__alloca_probe_16.LIBCMT ref: 046F1231
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 046F1282
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,046DAF04,?), ref: 046F1294
__freea.LIBCMT ref: 046F129D

Part of subcall function 046E61B8: RtlAllocateHeap.NTDLL(00000000,046D5349,?,?,046D88C7,?,?,pth_unenc,?,?,046ADE9D,046D5349,?,?,?,?), ref: 046E61EA

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 489e5e19f58978437073ba755027f2d58013ad1d9bae621ea1497f33e891d6e4
Instruction ID: 25d81ac36203db195df44e4827f8f9af9ba99569d98d0cd6cfe3baeb7dae7cd0
Opcode Fuzzy Hash: 489e5e19f58978437073ba755027f2d58013ad1d9bae621ea1497f33e891d6e4
Instruction Fuzzy Hash: 0B31CE72A0020AEBDF249FE8CC80DEE7BA5EB52750B044128ED44D6290F735EC91CB90

Function 0041D680 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,00000100,?,?), ref: 0041D703
VerSetConditionMask.KERNEL32(00000000,?,?,?), ref: 0041D70B
VerSetConditionMask.KERNEL32(00000000,?,?,?,?), ref: 0041D713
VerifyVersionInfoW.KERNEL32(?), ref: 0041D73C
SendMessageW.USER32(?,00000432,00000000,?), ref: 0041D799

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ConditionMask$InfoMessageSendVerifyVersion
String ID:
API String ID: 980217771-0
Opcode ID: 71d6aaaa37dfa392f283e7d2217aef8cb7fe93bce2596d29c0a7b66a92900e1c
Instruction ID: a3a7dd4e9122b95f5a4966f68b6fe96e2f241e87a655c0711d52b32ff49896ad
Opcode Fuzzy Hash: 71d6aaaa37dfa392f283e7d2217aef8cb7fe93bce2596d29c0a7b66a92900e1c
Instruction Fuzzy Hash: 483152B1508344AFE310CF64DD49B9BB7E8FBD9704F00491DF688DA291D7B4D6448B56

Function 046A1BE9 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 046A1BF9
waveInOpen.WINMM(04712AC0,000000FF,04712AA8,Function_00001D0B,00000000,00000000,00000024), ref: 046A1C8F
waveInPrepareHeader.WINMM(04712A88,00000020), ref: 046A1CE3
waveInAddBuffer.WINMM(04712A88,00000020), ref: 046A1CF2
waveInStart.WINMM ref: 046A1CFE

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID:
API String ID: 1356121797-0
Opcode ID: 55764136568d4f28f8da128f2734e37420dd9c0665a240f2381100f1eb5ce78f
Instruction ID: 4ecff5d4537687be2274545756abb75df9e35658fa60cc5a23ef6f931b16e997
Opcode Fuzzy Hash: 55764136568d4f28f8da128f2734e37420dd9c0665a240f2381100f1eb5ce78f
Instruction Fuzzy Hash: 5C218B716146009FD7389F6DE8045957BA5FB95714B0080AFA905E67B2EB385C10CF18

Function 046EF3DA Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 046EF3E3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 046EF406

Part of subcall function 046E61B8: RtlAllocateHeap.NTDLL(00000000,046D5349,?,?,046D88C7,?,?,pth_unenc,?,?,046ADE9D,046D5349,?,?,?,?), ref: 046E61EA

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 046EF42C
_free.LIBCMT ref: 046EF43F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 046EF44E

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 429a641f63ceda8af206fbc48d9f3c1e6b490c1608738ba1688084f81dafe4f0
Instruction ID: 442951b923c59cf4d6e8fcdb77ac81000b2ed89ea3ee71df95eeb047d3d99d2d
Opcode Fuzzy Hash: 429a641f63ceda8af206fbc48d9f3c1e6b490c1608738ba1688084f81dafe4f0
Instruction Fuzzy Hash: 5501D4B2603315BF27259ABB5C8CC7B6AEDDEC6FA43940129FD04D2301FA64AD0391B0

Function 046B119E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 046B11AB
int.LIBCPMT ref: 046B11BE

Part of subcall function 046AE0FC: std::_Lockit::_Lockit.LIBCPMT ref: 046AE10D
Part of subcall function 046AE0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 046AE127

std::_Facet_Register.LIBCPMT ref: 046B11FE
std::_Lockit::~_Lockit.LIBCPMT ref: 046B1207
__CxxThrowException@8.LIBVCRUNTIME ref: 046B1225

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID:
API String ID: 2536120697-0
Opcode ID: 2a402622da9ab68f97f7dd73a3e8b137d8c1553160d74ccccf8aa9e162415c44
Instruction ID: 94daaf372cd038b847492703161eee3a4dcc861be4f5a368176badc83850e88f
Opcode Fuzzy Hash: 2a402622da9ab68f97f7dd73a3e8b137d8c1553160d74ccccf8aa9e162415c44
Instruction Fuzzy Hash: 35110672A00118B7DB14EBA8D814CDEBB79DF40264B21455EE845E7390FB31BE918BD4

Function 046E8319 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(047152D8,00000000,00000000,046DBCD6,00000000,?,?,046DBD5A,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 046E831E
_free.LIBCMT ref: 046E8353
_free.LIBCMT ref: 046E837A
SetLastError.KERNEL32(00000000,?,046AF83F), ref: 046E8387
SetLastError.KERNEL32(00000000,?,046AF83F), ref: 046E8390

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: ffc49fe32b4b2479709193ac5da53c1fc419897904b03f9976936a083878c241
Instruction ID: fed1b29f2778ee3b1e0c272fcb2dca1cab8322b3d3ea87f63200925c4511bdbe
Opcode Fuzzy Hash: ffc49fe32b4b2479709193ac5da53c1fc419897904b03f9976936a083878c241
Instruction Fuzzy Hash: C201F9762037002BA71576ABEC48E7B22EADBD22B4725552DFD15E3390FF74EC065124

Function 046F0A3C Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 046F0A54

Part of subcall function 046E6802: RtlFreeHeap.NTDLL(00000000,00000000,?,046F0CEF,00000000,00000000,00000000,00000000,?,046F0F93,00000000,00000007,00000000,?,046F14DE,00000000), ref: 046E6818
Part of subcall function 046E6802: GetLastError.KERNEL32(00000000,?,046F0CEF,00000000,00000000,00000000,00000000,?,046F0F93,00000000,00000007,00000000,?,046F14DE,00000000,00000000), ref: 046E682A

_free.LIBCMT ref: 046F0A66
_free.LIBCMT ref: 046F0A78
_free.LIBCMT ref: 046F0A8A
_free.LIBCMT ref: 046F0A9C

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 57f315ce65e2a0f9462091edbcb3a99bfabffff6963b667314340261924f5405
Instruction ID: 216083aa32503f8f04b91568cf5ff23ebb7583f4dcec51fab55d6905989a03d8
Opcode Fuzzy Hash: 57f315ce65e2a0f9462091edbcb3a99bfabffff6963b667314340261924f5405
Instruction Fuzzy Hash: DEF01272506200AB9764EA5DE882C67B3E9EB247107F4CC19F689DB643F774FC805668

Function 046E40E8 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 046E4106

Part of subcall function 046E6802: RtlFreeHeap.NTDLL(00000000,00000000,?,046F0CEF,00000000,00000000,00000000,00000000,?,046F0F93,00000000,00000007,00000000,?,046F14DE,00000000), ref: 046E6818
Part of subcall function 046E6802: GetLastError.KERNEL32(00000000,?,046F0CEF,00000000,00000000,00000000,00000000,?,046F0F93,00000000,00000007,00000000,?,046F14DE,00000000,00000000), ref: 046E682A

_free.LIBCMT ref: 046E4118
_free.LIBCMT ref: 046E412B
_free.LIBCMT ref: 046E413C
_free.LIBCMT ref: 046E414D

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a06c53876ec69ba22869b68ebef04ee57761ba1f6968358a7b8d90aea70626d2
Instruction ID: 1bfc0949cf1482b8b87b5ae8e8f895d499cfb95177b30d25fb79a3bea7957f6c
Opcode Fuzzy Hash: a06c53876ec69ba22869b68ebef04ee57761ba1f6968358a7b8d90aea70626d2
Instruction Fuzzy Hash: 8BF06D719021208FA735AF2DF8028A637E1E7287203D8C49BE81076771E7395C42CBD6

Function 0041FCF0 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 374windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000080,00000001,00000000), ref: 0042012E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0042013D

Strings

.%d, xrefs: 0041FFE8
0.0.0.0, xrefs: 0041FF67

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID: .%d$0.0.0.0
API String ID: 3850602802-387324962
Opcode ID: e2f1a3e97bffd56164252329b3d71d98e31c1638bd519baba12cde8912d77f80
Instruction ID: a84f164b11da87530df0a0e587b9f6d22807137b6948dff275cf3c839543aca1
Opcode Fuzzy Hash: e2f1a3e97bffd56164252329b3d71d98e31c1638bd519baba12cde8912d77f80
Instruction Fuzzy Hash: 5DD11471A006059FDB04CF68D984BAEB7B5FF44324F14422EE811AB3D2DB79AD46CB94

Function 046B3A90 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 046B3AF7
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 046B3B26
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 046B3BC6

Strings

[regsplt], xrefs: 046B3C52

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]
API String ID: 3554306468-4262303796
Opcode ID: 6a839a632874d8749cf0daf5c69b8d966e57a6b169a862f742552dccad2e8c03
Instruction ID: 2ebce01da25f69161a273e1a760ee2e439abe59fa39de3685c14adb82bd8c4ff
Opcode Fuzzy Hash: 6a839a632874d8749cf0daf5c69b8d966e57a6b169a862f742552dccad2e8c03
Instruction Fuzzy Hash: F0511CB1900119AAEB15EB95DC91EEEB7BDAF14208F100169E905E2290FF707E58CFA4

Function 046EE769 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 046EE7B8
_free.LIBCMT ref: 046EE8D5

Part of subcall function 046DBD68: IsProcessorFeaturePresent.KERNEL32(00000017,046DBD3A,046AF83F,?,?,00000000,046AF83F,00000000,?,?,046DBD5A,00000000,00000000,00000000,00000000,00000000), ref: 046DBD6A
Part of subcall function 046DBD68: GetCurrentProcess.KERNEL32(C0000417,?,046AF83F), ref: 046DBD8C
Part of subcall function 046DBD68: TerminateProcess.KERNEL32(00000000,?,046AF83F), ref: 046DBD93

Strings

., xrefs: 046EEA8C
*?, xrefs: 046EE7AC

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
Instruction ID: 59c46e3b9a9c2836957d6cc48fe238b3960fd96e06c0a898bba7bcc400c3e98d
Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
Instruction Fuzzy Hash: 74517E75E01219AFDF14DFAAC880ABEB7F5EF58314F24416AD854E7340F672AA02CB54

Function 0041C228 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

APIs

GetWindowTextW.USER32(?,?,?), ref: 0041C255

Strings

Anchor Color Visited, xrefs: 0041C3C5
Anchor Color, xrefs: 0041C357
Software\Microsoft\Internet Explorer\Settings, xrefs: 0041C2FD

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: TextWindow
String ID: Anchor Color$Anchor Color Visited$Software\Microsoft\Internet Explorer\Settings
API String ID: 530164218-3433146436
Opcode ID: 0166f835152a65217f3a9e025e0f8233c615a19707b946244d52525dd2c1ef9e
Instruction ID: 220c0db84c52a86a3dc3bbb3b078048f807addca98b3e49de577a4528f53e574
Opcode Fuzzy Hash: 0166f835152a65217f3a9e025e0f8233c615a19707b946244d52525dd2c1ef9e
Instruction Fuzzy Hash: EE512E71A412289BEB21CF54CD94BEEB3B5BB45314F10419AE849A3280D774AEC5CF99

Function 046E34D5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe,00000104), ref: 046E3515
_free.LIBCMT ref: 046E35E0
_free.LIBCMT ref: 046E35EA

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, xrefs: 046E350C, 046E3513, 046E3542, 046E357A

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
API String ID: 2506810119-3812247042
Opcode ID: 7ded71362a79f75769d507e45422f3dc8b7d55253e2b6330ac36f90e5a283bfe
Instruction ID: 98831f52a3cd3ec15416dff63887083252f18ee9f983fa07e97641c214d22afd
Opcode Fuzzy Hash: 7ded71362a79f75769d507e45422f3dc8b7d55253e2b6330ac36f90e5a283bfe
Instruction Fuzzy Hash: 503165B1A02254EFDB31DF5AD8849BEBBF8EB94314F1440AAE80597311F671AE81CB50

Function 046AC627 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 046AC4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 046AC531

PathFileExistsW.SHLWAPI(00000000), ref: 046AC658
PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 046AC6C3

Strings

User Data\Profile ?\Network\Cookies, xrefs: 046AC670
User Data\Default\Network\Cookies, xrefs: 046AC63E

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: 2a6570decccbe73b906ae17dd43b5f804f15396e527440b6287e561226664c31
Instruction ID: bf9a16a248888a2115af777112d171465e6b8321e284e040d8c609d4944c7b55
Opcode Fuzzy Hash: 2a6570decccbe73b906ae17dd43b5f804f15396e527440b6287e561226664c31
Instruction Fuzzy Hash: 912133719005099ADB04FBA1DC59CEEBBBDEE51619F44041DE502A3190FF20BD6ACEE4

Function 046AC6F6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 046AC561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 046AC594

PathFileExistsW.SHLWAPI(00000000), ref: 046AC727
PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 046AC792

Strings

User Data\Profile ?\Network\Cookies, xrefs: 046AC73F
User Data\Default\Network\Cookies, xrefs: 046AC70D

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: 6e37fde19718eda867be6d0cb4c4603254b94ea416bfa5b9afc245a4cd04744e
Instruction ID: 7d12c3cfd256a4817b0d50618e6db80d237b2521b4917a2a222cb68a056f32f4
Opcode Fuzzy Hash: 6e37fde19718eda867be6d0cb4c4603254b94ea416bfa5b9afc245a4cd04744e
Instruction Fuzzy Hash: 412130719006099ADF04FBA1DC55CEEBBBDEE51219F40002DE502A3190FF20BD6ACED4

Function 046AB19F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,00000000), ref: 046AB1AD
wsprintfW.USER32 ref: 046AB22E

Part of subcall function 046AA671: SetEvent.KERNEL32(?,?,?,046AB86A,?,?,?,?,?,00000000), ref: 046AA69D

Strings

], xrefs: 046AB1BB
[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 046AB1B6

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
API String ID: 1497725170-1359877963
Opcode ID: 9e22b019faaa0ba7df53e47091a85a214524cf8b4cb3defc150c37e53d212587
Instruction ID: 52dde2dd1f2a90e3192d48ca4d62682e464547aef5e805b295c774aff7de929b
Opcode Fuzzy Hash: 9e22b019faaa0ba7df53e47091a85a214524cf8b4cb3defc150c37e53d212587
Instruction Fuzzy Hash: C2117F72404118AADB08FBA4EC508FE77FCEE48615B00011EF40692190FF78BE95CAAC

Function 046AAF29 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Part of subcall function 046AB19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 046AB1AD
Part of subcall function 046AB19F: wsprintfW.USER32 ref: 046AB22E

Part of subcall function 046BB580: GetLocalTime.KERNEL32(00000000), ref: 046BB59A

CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 046AAFA9
CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 046AAFB5
CreateThread.KERNEL32(00000000,00000000,046AA2D0,?,00000000,00000000), ref: 046AAFC1

Strings

Online Keylogger Started, xrefs: 046AAF3E, 046AAF47, 046AAF71

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: 36ae7a40c866c947ed9e14c03a75e3b1ed31218542d11ad366735c17feb9425e
Instruction ID: be2edc006e9444674c07c8d0a3211b5adf86b3fbf6c65bca8245121c758ef814
Opcode Fuzzy Hash: 36ae7a40c866c947ed9e14c03a75e3b1ed31218542d11ad366735c17feb9425e
Instruction Fuzzy Hash: BC0126A0701A183EF6207AB58C9ADBF7AADCB8119CF40006DF54112641F9553C35CFF6

Function 046A6A9E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 046A6ABD
GetProcAddress.KERNEL32(00000000), ref: 046A6AC4

Strings

CryptUnprotectData, xrefs: 046A6AB3
crypt32, xrefs: 046A6AB8

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32
API String ID: 2574300362-2380590389
Opcode ID: 78cffca314c00f593ebe8e31a3579fa523eff427ff75e9afd155ab46c52f6262
Instruction ID: a4ee55415dbcac92741554df0376a0603c1dd044cd6c184b4c889f32bdb51970
Opcode Fuzzy Hash: 78cffca314c00f593ebe8e31a3579fa523eff427ff75e9afd155ab46c52f6262
Instruction Fuzzy Hash: AA01D875A04206ABCB18CFADD9549AE7BB8EF54310B0441AEE995D3341EA74BD14CFA0

Function 046A515C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,046A5159), ref: 046A5173
CloseHandle.KERNEL32(?), ref: 046A51CA
SetEvent.KERNEL32(?), ref: 046A51D9

Strings

Connection Timeout, xrefs: 046A5198

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: f6be4270a7152814ed58aa9cef47a9be3f5001894182e8112af03a680da95386
Instruction ID: 1bd3041b62e67f1de8273f6329ac3b6145c8a9153b26485b4d4f12717fc91245
Opcode Fuzzy Hash: f6be4270a7152814ed58aa9cef47a9be3f5001894182e8112af03a680da95386
Instruction Fuzzy Hash: 3F01B175691F40BFE725AB359C9946ABBE0EF10609704096DD1C342BA1FA64BC20CF51

Function 046AE800 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 046AE86E

Strings

ios_base::badbit set, xrefs: 046AE82A
ios_base::eofbit set, xrefs: 046AE85D
ios_base::failbit set, xrefs: 046AE850

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 2a457da6a68db311cd80e063b9b3f19585dd49b1f8da3dbce37a429b553150cf
Instruction ID: 45837a186764f1994efc91ca58f11bb1c2ec6ccdb852d47e6f988df2961fa2f8
Opcode Fuzzy Hash: 2a457da6a68db311cd80e063b9b3f19585dd49b1f8da3dbce37a429b553150cf
Instruction Fuzzy Hash: 8001D6A0AC0B486BFB18E694DC42FBD73989B20704F008469A911555C0FA637E25CE67

Function 046A729B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, xrefs: 046A76FF

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
API String ID: 0-3812247042
Opcode ID: dc4d114ea7df10f214517561096a715b323f8e2b98a81a2ac91f91db2348c5c4
Instruction ID: c6d0636f4fc43d44988442eb828b40bb65ad1c4e2f7e30d96af6a828afc2a26c
Opcode Fuzzy Hash: dc4d114ea7df10f214517561096a715b323f8e2b98a81a2ac91f91db2348c5c4
Instruction Fuzzy Hash: 5AF02BB17119509BFF147B7899287E83795D78534FF440478E042EA3B1FB54EC218B14

Function 046ADFE1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 046ADFEC
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 046AE02B

Part of subcall function 046D56CD: _Yarn.LIBCPMT ref: 046D56EC
Part of subcall function 046D56CD: _Yarn.LIBCPMT ref: 046D5710

__CxxThrowException@8.LIBVCRUNTIME ref: 046AE051

Strings

bad locale name, xrefs: 046AE03B

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: c05273986ba6232fb99eb493373f553726f7c7c056881217a892e3a9bf6f6cbb
Instruction ID: 21576aa96fdf7ffed65fdff1ea332b5d6dbf63605ecc81809794d935f8306c0d
Opcode Fuzzy Hash: c05273986ba6232fb99eb493373f553726f7c7c056881217a892e3a9bf6f6cbb
Instruction Fuzzy Hash: 86F0AF31540A08ABE32CFB60D8A1DDAB7B49F24248F4085ADD44646490FF20BE2CCECA

Function 046B384F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,047152D8), ref: 046B385A
RegSetValueExW.ADVAPI32(047152D8,?,00000000,00000001,00000000,00000000,047152F0,?,046AF85E,pth_unenc,047152D8), ref: 046B3888
RegCloseKey.ADVAPI32(047152D8,?,046AF85E,pth_unenc,047152D8), ref: 046B3893

Strings

pth_unenc, xrefs: 046B3853

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: 4a53b130244d82eb13bd1cd8b80e938f484103b3d734f7d30c72875fb0e1766c
Instruction ID: 3993f7c80183f617bc364d537d21f5c2c8daa0421c8e3de4bedb8b735716e4ee
Opcode Fuzzy Hash: 4a53b130244d82eb13bd1cd8b80e938f484103b3d734f7d30c72875fb0e1766c
Instruction Fuzzy Hash: FAF0A9B1540118BBDF009FA0EC45BEA376CEB00754F004119BC4696240FB35AE18DB90

Function 046B6129 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 046B616B

Strings

/C , xrefs: 046B6149
open, xrefs: 046B6165
cmd.exe, xrefs: 046B6160

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: ef2adfa86a3dc64a302c1e01d4824dc421a6d611a1f7662ff15f704b19ec78a0
Instruction ID: bdb8c9c7631f12500234b1a0be6f3cca99cac26cc5147c9581d6206f428dda55
Opcode Fuzzy Hash: ef2adfa86a3dc64a302c1e01d4824dc421a6d611a1f7662ff15f704b19ec78a0
Instruction Fuzzy Hash: ACE0C0B1208744AFE609E664CC94CEB72EDAE51608F40581C714292190FF64BD19CE59

Function 046AB8E7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(046AA2B8,00000000,047152F0,pth_unenc,046AD0F3,047152D8,047152F0,?,pth_unenc), ref: 046AB8F6
UnhookWindowsHookEx.USER32(047150F0), ref: 046AB902
TerminateThread.KERNEL32(046AA2A2,00000000,?,pth_unenc), ref: 046AB910

Strings

pth_unenc, xrefs: 046AB8E7

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: TerminateThread$HookUnhookWindows
String ID: pth_unenc
API String ID: 3123878439-4028850238
Opcode ID: dfc9a186fdabcb38d5a8670a6dcfd93a07ad47f8ce897a55abc42c99afb098a5
Instruction ID: 665e79e9fe4e065efef77b7f99d431020a393cfaf018ca98eea651fefbd29303
Opcode Fuzzy Hash: dfc9a186fdabcb38d5a8670a6dcfd93a07ad47f8ce897a55abc42c99afb098a5
Instruction Fuzzy Hash: 31E0C2B2304B11EFD7240FD098888657AAEEA02789308052DF3C241225E6752C64CF50

Function 046A140A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 046A1414
GetProcAddress.KERNEL32(00000000), ref: 046A141B

Strings

User32.dll, xrefs: 046A140F
GetCursorInfo, xrefs: 046A140A

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: 5f40a7a14c96730f0df45dd8971ecb49fe23f61a82ab3d7fe5d278feba896b01
Instruction ID: 6ba7b2da9c2c68168bd4038d3ec5582aa00ae36a5d4cd07099d3d894a5d44b1b
Opcode Fuzzy Hash: 5f40a7a14c96730f0df45dd8971ecb49fe23f61a82ab3d7fe5d278feba896b01
Instruction Fuzzy Hash: B9B092F0592300EFAF191BF4AA0EA093AA9F7847123009214F242952C0EBB8A8049E29

Function 046A14AF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 046A14B9
GetProcAddress.KERNEL32(00000000), ref: 046A14C0

Strings

User32.dll, xrefs: 046A14B4
GetLastInputInfo, xrefs: 046A14AF

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: c7f1fceb60d20b9fe20f5b7c3d39327c79025b4888d60d02c651302bf72d0f10
Instruction ID: 86d15f04466f049f87d13268358bc6ba38ca624d26c4ddd35b965fc4eae15075
Opcode Fuzzy Hash: c7f1fceb60d20b9fe20f5b7c3d39327c79025b4888d60d02c651302bf72d0f10
Instruction Fuzzy Hash: 57B092F05A2300EF8B191FE4A90EA0D3AE8E7947173009645F541C12C0EBB898049F15

Function 046EA084 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 046EA10F
__alldvrm.LIBCMT ref: 046EA310
__alldvrm.LIBCMT ref: 046EA332

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 741cce58a8cf82a0672f857150eda12be5e673117a3cfe047addc8b2d3899a0b
Instruction ID: 2d154865b868fe9f4b2a682759d81b3ddb67c3a89eca6283ff165e9345809c69
Opcode Fuzzy Hash: 741cce58a8cf82a0672f857150eda12be5e673117a3cfe047addc8b2d3899a0b
Instruction Fuzzy Hash: 18A18B71A023869FE721CFAAC8807BEBBE1EF61354F18416DD5959B381F239B942C750

Function 0040C170 Relevance: 6.2, APIs: 4, Instructions: 194timeCOMMON

Download Yara Rule

APIs

GetTimeFormatW.KERNEL32(00000400,00000008,?,00000000,00000000,00000000,BB40E64E), ref: 0040C1B7
GetLastError.KERNEL32(?,00000000,00000000,00000000,BB40E64E), ref: 0040C1C3
GetTimeFormatW.KERNEL32(00000400,00000008,00000000,00000000,00000000,00000000), ref: 0040C24A
FileTimeToSystemTime.KERNEL32(BB40E64E,?,BB40E64E,00000000), ref: 0040C362

Part of subcall function 004046F0: GetProcessHeap.KERNEL32 ref: 00404745

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Time$Format$ErrorFileHeapLastProcessSystem
String ID:
API String ID: 3572850761-0
Opcode ID: 0d80eeceb3fea141ec053ef2e318ba915091d5439a6d9bf21bea1d25995de0b0
Instruction ID: ab90e6ee6ed07144b10d36d0ce2bd55b1544567e6a0322fe888c039974ec0b56
Opcode Fuzzy Hash: 0d80eeceb3fea141ec053ef2e318ba915091d5439a6d9bf21bea1d25995de0b0
Instruction Fuzzy Hash: 2061B5B1E002459FDB04DFA8DD85BAEBBB8EB48314F10427EE901AB381DB795904CB95

Function 0040BF30 Relevance: 6.2, APIs: 4, Instructions: 194timeCOMMON

Download Yara Rule

APIs

GetDateFormatW.KERNEL32(00000400,00000002,?,00000000,00000000,00000000,BB40E64E), ref: 0040BF77
GetLastError.KERNEL32(?,00000000,00000000,00000000,BB40E64E), ref: 0040BF83
GetDateFormatW.KERNEL32(00000400,00000002,00000000,00000000,00000000,00000000), ref: 0040C00A
FileTimeToSystemTime.KERNEL32(BB40E64E,?,BB40E64E,00000000), ref: 0040C122

Part of subcall function 004046F0: GetProcessHeap.KERNEL32 ref: 00404745

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DateFormatTime$ErrorFileHeapLastProcessSystem
String ID:
API String ID: 1398366937-0
Opcode ID: 381f5fc61b3aac05d194a8a42fc32f02707e899a4d701fc39785fcbc46836420
Instruction ID: 577b37cc1002b7063be9fb2607aa9d6214f184e7379f71f8723b655a473d830e
Opcode Fuzzy Hash: 381f5fc61b3aac05d194a8a42fc32f02707e899a4d701fc39785fcbc46836420
Instruction Fuzzy Hash: E961B4B1A00249DFDB04DFA8DD95BAEBBB8EB48314F10456EE901B73C1DB795904CBA4

Function 046F6C9A Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 046F6DC9

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 09a8dcbdbc4cf90ee0efafc7a2b28b34a0bf69176284e68a82af61ffb0e74d96
Instruction ID: b565c3b15aa913ddddaa71662d7b42b5e56ad2548105d4535b7f00788146bdd1
Opcode Fuzzy Hash: 09a8dcbdbc4cf90ee0efafc7a2b28b34a0bf69176284e68a82af61ffb0e74d96
Instruction Fuzzy Hash: 76414871B01110AAEB246FBADC44B7E3BF9EF45774F14021EF6A8D7290FAB478024665

Function 0040EAD0 Relevance: 6.1, APIs: 4, Instructions: 148fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,BB40E64E,?,?,?,?,?,?,?,004CAEA5), ref: 0040EB19
GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,BB40E64E), ref: 0040EB41
ReadFile.KERNEL32(?,?,00010000,?,00000000,00010000,?,80000000,00000003,00000000,00000003,00000080,00000000,BB40E64E), ref: 0040EBBF
CloseHandle.KERNEL32(00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,BB40E64E), ref: 0040EC76

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: be8ebe47f5809f5cde052773f63cd624fad6ae55ebf8ae15df65d8f615e2bec8
Instruction ID: 5b2e8734448af97d77a3f8bac80f9c44432a946b287cd7f12b6d0ad93aff6185
Opcode Fuzzy Hash: be8ebe47f5809f5cde052773f63cd624fad6ae55ebf8ae15df65d8f615e2bec8
Instruction Fuzzy Hash: 60512172900248EFEB20CF66C8847EFBBB8EF11314F14452EE815672C1D3B96A09CB55

Function 046E2851 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59daa74bcd54b1ee890d95eeb2730f48b8ffdd3f9fa4ddc13781e833ef276777
Instruction ID: 69ae7f60fca79c965f9ed33a33239ace3cf61da0879bc9f9993de3123ee16a48
Opcode Fuzzy Hash: 59daa74bcd54b1ee890d95eeb2730f48b8ffdd3f9fa4ddc13781e833ef276777
Instruction Fuzzy Hash: 83410871A01704AFE7249F79CC50B7A7BEDEB88714F10466EE145DB280F771B9068794

Function 046AC047 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 046AC05C
Sleep.KERNEL32(00001388), ref: 046AC0E4

Strings

Cleared browsers logins and cookies., xrefs: 046AC130
[Cleared browsers logins and cookies.], xrefs: 046AC11F

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: fca78234b811d8f903ab41a1d37a4e58ee9b1a846b04533c30070360bd13f468
Instruction ID: c4e91e80923e61ca8b8a8f1bb7d39b4f63e70fe41610d8831121943acc989258
Opcode Fuzzy Hash: fca78234b811d8f903ab41a1d37a4e58ee9b1a846b04533c30070360bd13f468
Instruction Fuzzy Hash: 09319605749B806EF7256BB814657EB7BC24F63548F08809CA8C417383F9537C289F67

Function 046AA564 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 046BC5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 046BC5F2
Part of subcall function 046BC5E2: GetWindowTextLengthW.USER32(00000000), ref: 046BC5FB
Part of subcall function 046BC5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 046BC625

Sleep.KERNEL32(000001F4), ref: 046AA5AE
Sleep.KERNEL32(00000064), ref: 046AA638

Strings

[ , xrefs: 046AA5CA
], xrefs: 046AA5B6

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: a88a7c6b866a94b182f7043a39db44c4a2196e98dc58d32932d72ce4a325e14c
Instruction ID: a64bc294609d195909fe84852db1f0b9e9142893b1f81d4399206592c23d4c6b
Opcode Fuzzy Hash: a88a7c6b866a94b182f7043a39db44c4a2196e98dc58d32932d72ce4a325e14c
Instruction Fuzzy Hash: 4C11F032614A005BE218FBB4CC12DAF77E8AF51208F40052EE482521D1FF65BE28CFDA

Function 0041D0B0 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 0041D0E6
GetStockObject.GDI32(0000000D), ref: 0041D0F9
GetObjectW.GDI32(000000FF,0000005C,?), ref: 0041D122
CreateFontIndirectW.GDI32(?), ref: 0041D153

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$CreateDeleteFontIndirectStock
String ID:
API String ID: 1113379131-0
Opcode ID: 147b1fef624ff3c3cbce534a8fa123ca1bcb1c227228250f25a65878341e4b10
Instruction ID: 35a2ec18c7c24c141c7dc3c86682a9f5c10cedb1250f3c650c2bd9db61c0e94b
Opcode Fuzzy Hash: 147b1fef624ff3c3cbce534a8fa123ca1bcb1c227228250f25a65878341e4b10
Instruction Fuzzy Hash: A821A3B1E007889FDB20DFA4DD85B9ABBB8FB04724F00062EE955DB6C1D7B86404CB14

Function 046E3AD3 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8b8bca34f6a60c3a4430091010bffab579b87fb6a1bb4c3e9f4f7346b22be5
Instruction ID: d9a453da47cc5978b13d42d6d032bbc11734847268e2c9b0f61607a1d50d179a
Opcode Fuzzy Hash: ce8b8bca34f6a60c3a4430091010bffab579b87fb6a1bb4c3e9f4f7346b22be5
Instruction Fuzzy Hash: 3D01F7B220B3157EF720197A6CC0F7763DDCB617B8B210329B822623D0FB64AC824164

Function 046E3B52 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31dc9a46f76808487e3d2af5b2414f5d5c1c5ac022d2b6c5ca11651423d863a0
Instruction ID: 268326602852ead107df1c2de5bcf8aca73a578f8bb82258f7f68e708de0ccb4
Opcode Fuzzy Hash: 31dc9a46f76808487e3d2af5b2414f5d5c1c5ac022d2b6c5ca11651423d863a0
Instruction Fuzzy Hash: 1401ADB260B2127ABB20197E6CC0D3762CCDF613B83250329F822663D4FF24AC864160

Function 046AA6B0 Relevance: 6.1, APIs: 4, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,046AA788), ref: 046AA6E6
GetFileSize.KERNEL32(00000000,00000000,?,?,?,046AA788), ref: 046AA6F5
Sleep.KERNEL32(00002710,?,?,?,046AA788), ref: 046AA722
CloseHandle.KERNEL32(00000000,?,?,?,046AA788), ref: 046AA729

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID:
API String ID: 1958988193-0
Opcode ID: 6ce4d3927921aa77cddb06a07e75609998dc184a18e30fdb07a3e4afe5cb6877
Instruction ID: 132952ed6cd15b2d1b10fab9fbecc21eeade2ba97f13cfb480e464753d1585c0
Opcode Fuzzy Hash: 6ce4d3927921aa77cddb06a07e75609998dc184a18e30fdb07a3e4afe5cb6877
Instruction Fuzzy Hash: 75110174240A407AEB26D6A8948862F7BA9DB91759F44040FD1C246692E615BC24CF25

Function 046E85E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,046E858D,00000000,00000000,00000000,00000000,?,046E88B9,00000006,FlsSetValue), ref: 046E8618
GetLastError.KERNEL32(?,046E858D,00000000,00000000,00000000,00000000,?,046E88B9,00000006,FlsSetValue,046FF170,046FF178,00000000,00000364,?,046E8367), ref: 046E8624
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,046E858D,00000000,00000000,00000000,00000000,?,046E88B9,00000006,FlsSetValue,046FF170,046FF178,00000000), ref: 046E8632

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 338da06edb562f23ea4f8c30f049846f833d4fccf4708edae990ca3ff17ecd25
Instruction ID: c41d9f189e5ffc05afbd9e5b0a5b53f559be54869bfaa0f1f2af9f3a4e398c54
Opcode Fuzzy Hash: 338da06edb562f23ea4f8c30f049846f833d4fccf4708edae990ca3ff17ecd25
Instruction Fuzzy Hash: B701D472313222DBCB21AABADC44A667BD8EB557A1B110D20F946D7281F725EC01C6E4

Function 00422910 Relevance: 6.1, APIs: 4, Instructions: 51threadsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,BB40E64E,?,?,?,004C9460,000000FF), ref: 00422947
GetExitCodeThread.KERNEL32(?,?,?,?,?,004C9460,000000FF), ref: 00422961
TerminateThread.KERNEL32(?,00000000,?,?,?,004C9460,000000FF), ref: 00422979
CloseHandle.KERNEL32(?,?,?,?,004C9460,000000FF), ref: 00422982

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
String ID:
API String ID: 3774109050-0
Opcode ID: 5de3302758f0544e967f028f1c92224b50188297db1d1717ac7337c39440af57
Instruction ID: a72fb2739dea72347d8a09c60b8f7daec65f08bf6529821842d50a113fd0091c
Opcode Fuzzy Hash: 5de3302758f0544e967f028f1c92224b50188297db1d1717ac7337c39440af57
Instruction Fuzzy Hash: 9911C6B1600759AFD7218F14DD45BABB7ECFB04710F00462EF96592690D7F4A944CB98

Function 046BC516 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,046AA87E), ref: 046BC52F
GetFileSize.KERNEL32(00000000,00000000), ref: 046BC543
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 046BC568
CloseHandle.KERNEL32(00000000), ref: 046BC576

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 23385b137ad614bbc3ec1f72b3a6bc294a687ffefbc370ff63a26efa1be21fa0
Instruction ID: e99d125283dbd3237a927a3b15360f0513c03ccb9be3e933c84329b3d38766ec
Opcode Fuzzy Hash: 23385b137ad614bbc3ec1f72b3a6bc294a687ffefbc370ff63a26efa1be21fa0
Instruction Fuzzy Hash: 78F0F6B22012087FF7101E24AD84FFB379CDBC77A8F00522EF881A22C0FA255D595671

Function 046BC26E Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 046BC286
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 046BC299
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 046BC2C4
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 046BC2CC

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcess
String ID:
API String ID: 39102293-0
Opcode ID: 45ce9b00ce8457392e92066e77eb4ef141844cddd420ae0272f108316687dd57
Instruction ID: 5b7295fd8fcd6fc9242bc1de070ce06c8d2592d16dd9499a1a8b318b592b8a21
Opcode Fuzzy Hash: 45ce9b00ce8457392e92066e77eb4ef141844cddd420ae0272f108316687dd57
Instruction Fuzzy Hash: FA0149722002156BE71066D49C4DFF7B27CCB80749F00012DFAC4D22A0FEB0AE854BE1

Function 046D98E3 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 046D98FA

Part of subcall function 046D9F32: ___AdjustPointer.LIBCMT ref: 046D9F7C

_UnwindNestedFrames.LIBCMT ref: 046D9911
___FrameUnwindToState.LIBVCRUNTIME ref: 046D9923
CallCatchBlock.LIBVCRUNTIME ref: 046D9947

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: efd468e7c55cb64b2249af219f8a67256387ab3ec62f8e8b2ebf5bc3e71c1324
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: 7C01E972800109BBDF125F95CC00EDA3BBAFF59754F058118F95866120E336E465DBA4

Function 004229C0 Relevance: 6.0, APIs: 4, Instructions: 44threadsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,BB40E64E,?,?,?,004C9460,000000FF), ref: 004229F7
GetExitCodeThread.KERNEL32(?,?,?,?,?,004C9460,000000FF), ref: 00422A11
TerminateThread.KERNEL32(?,00000000,?,?,?,004C9460,000000FF), ref: 00422A29
CloseHandle.KERNEL32(?,?,?,?,004C9460,000000FF), ref: 00422A32

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
String ID:
API String ID: 3774109050-0
Opcode ID: eedadc4da8ecefe2ab35997f0b06e7358023a456312b104bdd5d8b12e56794cc
Instruction ID: f5de3fbe71789c95c9cffbaf0a05573c9ecabcc694afa44912be807537c252fb
Opcode Fuzzy Hash: eedadc4da8ecefe2ab35997f0b06e7358023a456312b104bdd5d8b12e56794cc
Instruction Fuzzy Hash: A8018071600659EFC7218F54DE49B67B7ECFB08710F00462AE965D2AA0DBB4A800CA58

Function 046B941E Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 046B942B
GetSystemMetrics.USER32(0000004D), ref: 046B9431
GetSystemMetrics.USER32(0000004E), ref: 046B9437
GetSystemMetrics.USER32(0000004F), ref: 046B943D

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 5429d697a93cfd591dd576e91cad060073d903dfcbad77a8592a1f87fd2b1d99
Instruction ID: a16927cfdcef1bad6aa423234d529d5b15e619bf1fd749cb24a3cb229b05c49f
Opcode Fuzzy Hash: 5429d697a93cfd591dd576e91cad060073d903dfcbad77a8592a1f87fd2b1d99
Instruction Fuzzy Hash: D4F0A4A2B003154BD740EE748C80A6B6AD9DBC4364F10443EE78887281FEA4EC498BC0

Function 00422A50 Relevance: 6.0, APIs: 4, Instructions: 39threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00422B60,?,00000000,?), ref: 00422A75
GetLastError.KERNEL32(?,00000000,?), ref: 00422A82
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00422A99
GetExitCodeThread.KERNEL32(?,?), ref: 00422AA7

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Thread$CodeCreateErrorExitLastObjectSingleWait
String ID:
API String ID: 2732711357-0
Opcode ID: 15df48f1ed1bd292581dd3ee7c6b4abffad7b5f2bc51df2335a286f5c26395ed
Instruction ID: 43e8538ae66d20b7fb682a32109c8605be7893efd5d8fd42e8b82c469b6271de
Opcode Fuzzy Hash: 15df48f1ed1bd292581dd3ee7c6b4abffad7b5f2bc51df2335a286f5c26395ed
Instruction Fuzzy Hash: 97F08675504311ABD720DF28EE45F97BBE8AB54711F00452AF989C2290E7B0D908C7A6

Function 046D8FB1 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 046D8FB1
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 046D8FB6
___vcrt_initialize_locks.LIBVCRUNTIME ref: 046D8FBB

Part of subcall function 046DA4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 046DA4CB

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 046D8FD0

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction ID: cbbc7d548d126ffdf8abf4eefdf547d8969c4c9195a4232b2b1bb09a346a34cb
Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction Fuzzy Hash: 6DC04C54C08381557D587EF4134C1EE03431DB62CC78024DD89B057E077D19310B503A

Function 0040F4B0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 386COMMON

Download Yara Rule

APIs

Part of subcall function 004046F0: GetProcessHeap.KERNEL32 ref: 00404745

PathIsUNCW.SHLWAPI(0040F938,?,?,?,?,00000000,004CB19F,000000FF), ref: 0040F67D

Strings

\\?\, xrefs: 0040F65F, 0040F665
\\?\UNC\, xrefs: 0040F559, 0040F5E1, 0040F5E7

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: HeapPathProcess
String ID: \\?\$\\?\UNC\
API String ID: 300331711-3019864461
Opcode ID: 2cfc81dec77a3cb3ad144cba9bdfe924c48e5445d56fd08fc51f6975c68cd85c
Instruction ID: 18bcacf34268819ceea0c25dc35a0ceabb7a555e69038f6d03f4b62b23381f27
Opcode Fuzzy Hash: 2cfc81dec77a3cb3ad144cba9bdfe924c48e5445d56fd08fc51f6975c68cd85c
Instruction Fuzzy Hash: 98D1E271A006059BDB00DBA8CC94BAEB7B9EF48324F14417EE511B73D2DB78AD05CB95

Function 046E2CAD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 046E2D3D

Strings

pow, xrefs: 046E2D15, 046E2D32

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: fdab4af67ec310637340a2006f14cb8c4907fc3fba9f5e0b34475108715cbfbd
Instruction ID: da20caf8fc086cd20046245c7f76c2ef44b0e5a21b697f8f687fe255c576ecca
Opcode Fuzzy Hash: fdab4af67ec310637340a2006f14cb8c4907fc3fba9f5e0b34475108715cbfbd
Instruction Fuzzy Hash: 31519CA1A1720396D716BB16CD5037E37DDEB10700F204DDAE1D6823E9FB34E8969B85

Function 00423610 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(00000000,BB40E64E), ref: 004236B2

Strings

\\?\UNC\, xrefs: 004236D7, 00423738
\\?\, xrefs: 004237AA, 004237D5

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Path
String ID: \\?\$\\?\UNC\
API String ID: 2875597873-3019864461
Opcode ID: b1358cb6e61c9c2e6c009d1e99b04399078505cf001b9cb965ff294ceb17f8be
Instruction ID: d309495ac15eaf87dd574cb9ba75f7f732aca4d7645a3c4f6b84bf6e1e34881c
Opcode Fuzzy Hash: b1358cb6e61c9c2e6c009d1e99b04399078505cf001b9cb965ff294ceb17f8be
Instruction Fuzzy Hash: 0B51D0F0E00214ABDB20DF68D845BAEB7B4FF95308F50861EE81167380D7796A48CB99

Function 046A404C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 046A4066

Part of subcall function 046BBA09: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,04706478,046AD248,.vbs,?,?,?,?,?,047152F0), ref: 046BBA30

Part of subcall function 046B85A3: CloseHandle.KERNEL32(046A40F5,?,?,046A40F5,04705E84), ref: 046B85B9
Part of subcall function 046B85A3: CloseHandle.KERNEL32(04705E84,?,?,046A40F5,04705E84), ref: 046B85C2

Part of subcall function 046BC516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,046AA87E), ref: 046BC52F

Sleep.KERNEL32(000000FA,04705E84), ref: 046A4138

Strings

/sort "Visit Time" /stext ", xrefs: 046A40B2

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "
API String ID: 368326130-1573945896
Opcode ID: b0337d388b91c50acdd9c6fe1693b75c99aa589968c08d184a8d03809d435626
Instruction ID: 6f7b61bb640d67371ee53d8c2a03a392c15d4ed6078f2795367ebdd703a91958
Opcode Fuzzy Hash: b0337d388b91c50acdd9c6fe1693b75c99aa589968c08d184a8d03809d435626
Instruction Fuzzy Hash: 66316F31A105585BEB14FAB4DC949FEB3B6AF91208F40006DE50AA7190FF607E6ACF94

Function 046AB783 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 046D4801: __onexit.LIBCMT ref: 046D4807

__Init_thread_footer.LIBCMT ref: 046AB7D2

Strings

[Text copied to clipboard], xrefs: 046AB821
[End of clipboard], xrefs: 046AB814

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]
API String ID: 1881088180-3686566968
Opcode ID: fdb351aee45ffcd9943a7a1ab1dfef2aafa3d818be98086b125c9ad60388e0ea
Instruction ID: 41778fedca0c0408bbfc26b0fe2945929c44a2e2ebb87fb609596817a27edfeb
Opcode Fuzzy Hash: fdb351aee45ffcd9943a7a1ab1dfef2aafa3d818be98086b125c9ad60388e0ea
Instruction Fuzzy Hash: 7D219E31A10A088BEF04FBA4E8909EDB3B5AF51618F10407DD50667290FF30BD6ACE98

Function 046F1BB7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,046F1E12,?,00000050,?,?,?,?,?), ref: 046F1C92

Strings

ACP, xrefs: 046F1BD5
OCP, xrefs: 046F1C0B

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 20c69ba058a926422b78342c4113d8bd72ff1a8efba5a8a74202bfc1500eaf75
Instruction ID: 070b478a97f47d867698397c5c6022c603fb0b574f3e892c9b657b543f93574c
Opcode Fuzzy Hash: 20c69ba058a926422b78342c4113d8bd72ff1a8efba5a8a74202bfc1500eaf75
Instruction Fuzzy Hash: 1A21A7E2A00108E6E7348E55CD41BE773A6DB66BA5F468428DB8AD7304F736FD41C350

Function 0041AD70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0041ADA1
std::_Lockit::~_Lockit.LIBCPMT ref: 0041AE54

Strings

y)A, xrefs: 0041AD8B

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_dtorLockitLockit::~_
String ID: y)A
API String ID: 3286764726-3791414304
Opcode ID: 7569f68325b4044b4c28d43910c5a5f1e8bf808afd5e0507ec2f1ec85f2f2110
Instruction ID: af6d6717d2b5be369cc1d7959c1f604181c66a5d79c13f3823addc34ecf66c65
Opcode Fuzzy Hash: 7569f68325b4044b4c28d43910c5a5f1e8bf808afd5e0507ec2f1ec85f2f2110
Instruction Fuzzy Hash: 3821A2F0E01740DBEB20DF65D906B4BB7E8EB11704F04456EE44597B81E77DEA0887AA

Function 0041AC40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0041AC6B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0041ACCE

Strings

bad locale name, xrefs: 0041ACF1

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 6371b5aacf1fea5522b90325c21df5ecb7a27a15856e2dd271848ef4ae39ee93
Instruction ID: d8ca28ea7b86cadf5c17d0267d7afe1716a786912d59a6b3a86f560ae672aee9
Opcode Fuzzy Hash: 6371b5aacf1fea5522b90325c21df5ecb7a27a15856e2dd271848ef4ae39ee93
Instruction Fuzzy Hash: CD210070905B80DFD720CF69C904B4BBBE4EF15314F14869EE48587B81D3B9AA08C795

Function 00404180 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 0048A5DF: EnterCriticalSection.KERNEL32(00516D54,?,00000000,?,004041B7,00000000,BB40E64E,?,00000000,?,00000000,0000000E,004C92A0,000000FF,?,00403728), ref: 0048A5EA
Part of subcall function 0048A5DF: LeaveCriticalSection.KERNEL32(00516D54,?,00000000,?,004041B7,00000000,BB40E64E,?,00000000,?,00000000,0000000E,004C92A0,000000FF,?,00403728), ref: 0048A616

FindResourceExW.KERNEL32(00000000,00000006,00000000,00000000,00000000,BB40E64E,?,00000000,?,00000000,0000000E,004C92A0,000000FF,?,00403728), ref: 004041D6

Part of subcall function 00404240: LoadResource.KERNEL32(00000000,00000000,BB40E64E,00000001,00000000,00000000,00000000,004C9440,000000FF,?,004041EC,?,?,00000000,?,00000000), ref: 0040426B
Part of subcall function 00404240: LockResource.KERNEL32(00000000,?,004041EC,?,?,00000000,?,00000000,0000000E,004C92A0,000000FF,?,00403728,?,00000000), ref: 00404276
Part of subcall function 00404240: SizeofResource.KERNEL32(00000000,00000000,?,004041EC,?,?,00000000,?,00000000,0000000E,004C92A0,000000FF,?,00403728,?,00000000), ref: 00404284

Strings

@mQ, xrefs: 004041AD
@mQ, xrefs: 004041F4

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Resource$CriticalSection$EnterFindLeaveLoadLockSizeof
String ID: @mQ$@mQ
API String ID: 529824247-4220228057
Opcode ID: 408eb29d9a5e3e1b013c3b571bce9beea6c2bac17e1bdf327da858b4e0882424
Instruction ID: 3f36eeadde0d07e720e7fd8a7e2f237b0106429bc08620d5d509c7d5ec9e112c
Opcode Fuzzy Hash: 408eb29d9a5e3e1b013c3b571bce9beea6c2bac17e1bdf327da858b4e0882424
Instruction Fuzzy Hash: D111E772B446146BE7249B59AC41B7BB7D8F788B64F00027FFE05D77C1EA799C008694

Function 046A4FF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,04715598,?,00000000,?,?,?,?,?,?,046B5D04,?,00000001,0000004C,00000000), ref: 046A5030

Part of subcall function 046BB580: GetLocalTime.KERNEL32(00000000), ref: 046BB59A

GetLocalTime.KERNEL32(?,04715598,?,00000000,?,?,?,?,?,?,046B5D04,?,00000001,0000004C,00000000), ref: 046A5087

Strings

KeepAlive | Enabled | Timeout: , xrefs: 046A501F

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: 19f49487b726f5f863b2137fce211f7a7800bf815625168468b82f714cc851eb
Instruction ID: 11f20f354475a53b450e4f69acfd7df2f4809d89c7ae59e3dfdc4e0208aba6e6
Opcode Fuzzy Hash: 19f49487b726f5f863b2137fce211f7a7800bf815625168468b82f714cc851eb
Instruction Fuzzy Hash: F421F6A29102807BE708FA38D8587AE7B94E7A170CF04455CD48207261FB297E68CFE7

Function 046BB580 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 046BB59A

Strings

| , xrefs: 046BB5CD
%02i:%02i:%02i:%03i , xrefs: 046BB5AF

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: 0ba1bb74ad20cc1573d2e83add1869fdf37773b7e3d4b55cab7a21d129c84b91
Instruction ID: 72143f36ebd230cac84d5ef2a07557fad46d4de2070b4d6369d940d3b9ddd594
Opcode Fuzzy Hash: 0ba1bb74ad20cc1573d2e83add1869fdf37773b7e3d4b55cab7a21d129c84b91
Instruction Fuzzy Hash: B9118E714086409AD304EB65D8508FEB3E8AB44208F400A2DF485821D0FF28FE69CA5A

Function 046AB08C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 046AB19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 046AB1AD
Part of subcall function 046AB19F: wsprintfW.USER32 ref: 046AB22E

Part of subcall function 046BB580: GetLocalTime.KERNEL32(00000000), ref: 046BB59A

CloseHandle.KERNEL32(?), ref: 046AB0EF
UnhookWindowsHookEx.USER32 ref: 046AB102

Strings

Online Keylogger Stopped, xrefs: 046AB09C, 046AB0A4, 046AB0CB

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: 9d81a960ef71a12fdc38f54c4229b5d8947b10eea62a2b1354dadf5e7d9cc175
Instruction ID: 328872cdca1d920fc263d43c69ae167cb579be0ce9d217744f67715ca91cc4f9
Opcode Fuzzy Hash: 9d81a960ef71a12fdc38f54c4229b5d8947b10eea62a2b1354dadf5e7d9cc175
Instruction Fuzzy Hash: 0001D8356009009BE721BB34C81A7BE7BB59B51614F40045DD58202799FB653C75DFD6

Function 046AC4FE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 046AC531

Strings

UserProfile, xrefs: 046AC505
\AppData\Local\Google\Chrome\, xrefs: 046AC51B

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Google\Chrome\
API String ID: 1174141254-4188645398
Opcode ID: 1e88713e7fe30efa8579b5a53e7f4a16aba2160a0a8fabf9aa41dbd9398f77fb
Instruction ID: 7ab4b6d3ffa4d01c11e901ff9bd3b5113f4b895f5dab2cd1753b89b8823929f6
Opcode Fuzzy Hash: 1e88713e7fe30efa8579b5a53e7f4a16aba2160a0a8fabf9aa41dbd9398f77fb
Instruction Fuzzy Hash: 46F05E71A0461996DB04B6A8DC168FF7BA89A10658B40012EA60592280FE50BD798ED5

Function 046AC561 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 046AC594

Strings

\AppData\Local\Microsoft\Edge\, xrefs: 046AC57E
UserProfile, xrefs: 046AC568

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Microsoft\Edge\
API String ID: 1174141254-2800177040
Opcode ID: e76bebf67585e1ad25bb4f008ec51d311c84e49cbdc026b8e0b1edcec2f4d613
Instruction ID: 3019b48fb38546f9c3551d98f760ef1d5cf048286810f929e197c8c0b4eb73bd
Opcode Fuzzy Hash: e76bebf67585e1ad25bb4f008ec51d311c84e49cbdc026b8e0b1edcec2f4d613
Instruction Fuzzy Hash: 16F05E71A0461996DB04B6B4DC1A8FEBBA89A10554B40011AA905922C0FE50BD658EE5

Function 046AC5C4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 046AC5F7

Strings

\Opera Software\Opera Stable\, xrefs: 046AC5E1
AppData, xrefs: 046AC5CB

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: AppData$\Opera Software\Opera Stable\
API String ID: 1174141254-1629609700
Opcode ID: bdf646c129a02cfdfc1ad184c8ca40e3a763d7a0544a2407627c7093b361fde4
Instruction ID: ae8e46b73925a57a0330ca48dd52503391b74c99234d850681d6b1321c54293c
Opcode Fuzzy Hash: bdf646c129a02cfdfc1ad184c8ca40e3a763d7a0544a2407627c7093b361fde4
Instruction Fuzzy Hash: B4F05E71A05629969B04FAA4DC5A8FE7BA89A10555F004159B501A2280FE50BC65CEE9

Function 046AB681 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 046AB686

Part of subcall function 046AA41B: GetForegroundWindow.USER32(?,?,047150F0), ref: 046AA451
Part of subcall function 046AA41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 046AA45D
Part of subcall function 046AA41B: GetKeyboardLayout.USER32(00000000), ref: 046AA464
Part of subcall function 046AA41B: GetKeyState.USER32(00000010), ref: 046AA46E
Part of subcall function 046AA41B: GetKeyboardState.USER32(?,?,047150F0), ref: 046AA479
Part of subcall function 046AA41B: ToUnicodeEx.USER32(04715144,?,?,?,00000010,00000000,00000000), ref: 046AA49C
Part of subcall function 046AA41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 046AA4FC

Part of subcall function 046AA671: SetEvent.KERNEL32(?,?,?,046AB86A,?,?,?,?,?,00000000), ref: 046AA69D

Strings

[AltL], xrefs: 046AB6C8
[AltR], xrefs: 046AB6BC

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
String ID: [AltL]$[AltR]
API String ID: 2738857842-2658077756
Opcode ID: b3fe830035d616107fad0e224974ed347170174c7e60b9a85fae9a94eb637d3a
Instruction ID: 655566dad3f8c9c5e478c5f0b56a179f4b4df6b67f212d92e6c384f13b772e29
Opcode Fuzzy Hash: b3fe830035d616107fad0e224974ed347170174c7e60b9a85fae9a94eb637d3a
Instruction Fuzzy Hash: 85E02B21B00E20038958363C693A6BD2D518B42E60B45104DE5438B7D4F8457D718FCA

Function 046AB6DB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 046AB6E0

Strings

[CtrlL], xrefs: 046AB70E
[CtrlR], xrefs: 046AB6FD

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 0640735690229032996e24df4a88d7d6e20e86ea4877a7b0f6b49c3f6ab47fee
Instruction ID: ae7861883c47bf0c55dd212fa217b3f5be3a70f684dec2b3bf6cbf2b6e70a05e
Opcode Fuzzy Hash: 0640735690229032996e24df4a88d7d6e20e86ea4877a7b0f6b49c3f6ab47fee
Instruction Fuzzy Hash: 8DE04F21700A205386243D79663A67929509742A64F44015DE5824B795F9C6BD305FA2

Function 046B3A5E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,046AD17F,00000000,047152D8,047152F0,?,pth_unenc), ref: 046B3A6C
RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 046B3A80

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 046B3A6A

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 98cdeb6e28deedcb8fe880cc3151217533db5d193a88b0791ce5c2e448f32851
Instruction ID: dc74f78a9d5abb787c3dfeeee515a7dd3baeb9f2b34ea0bf73dd655990c06f72
Opcode Fuzzy Hash: 98cdeb6e28deedcb8fe880cc3151217533db5d193a88b0791ce5c2e448f32851
Instruction Fuzzy Hash: 19E0C271344208FBDF104E71DD06FFA7B2CDB02B00F100298BE0692281E6269E4897A0

Function 046AB8A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 046AB8B1
RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 046AB8DC

Strings

pth_unenc, xrefs: 046AB8A4

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: DeleteDirectoryFileRemove
String ID: pth_unenc
API String ID: 3325800564-4028850238
Opcode ID: d3264fb1f6be33999c53b32208a4838eae72df11dff3d75adee1543c0b497f14
Instruction ID: 5612b52d1ac429f588aa65edfda6f1712a13e48461b435bb0054de150bb8ed65
Opcode Fuzzy Hash: d3264fb1f6be33999c53b32208a4838eae72df11dff3d75adee1543c0b497f14
Instruction Fuzzy Hash: 58E08C71011A208BE718BB748898BDA3398AF0521AF00091EE4E393250FF24FD6DDA94

Function 0048A530 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0041D7C0: InitializeCriticalSectionEx.KERNEL32(00516D54,00000000,00000000,BB40E64E,00400000,004C93F0,000000FF,?,0048A55F,?,00401D2A,80004005,BB40E64E), ref: 0041D7E7
Part of subcall function 0041D7C0: GetLastError.KERNEL32(?,0048A55F,?,00401D2A,80004005,BB40E64E,?,?,?,?,004D3F0D,000000FF), ref: 0041D7F1

IsDebuggerPresent.KERNEL32(?,00401D2A,80004005,BB40E64E,?,?,?,?,004D3F0D,000000FF), ref: 0048A563
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,00401D2A,80004005,BB40E64E,?,?,?,?,004D3F0D,000000FF), ref: 0048A572

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0048A56D

Memory Dump Source

Source File: 00000003.00000002.4514052132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4514006504.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514120748.00000000004E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514174970.0000000000515000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514191619.0000000000519000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000051A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000059B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.00000000005E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000060A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000616000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4514247644.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 9eadf5ae73885e909e7361ae96814371ce1b272e201fbede379bef5dc2813b6a
Instruction ID: 8b525c965a04755b195c1c5c1917d0338b0a8464ce1c5bfcd4f7d066941623c4
Opcode Fuzzy Hash: 9eadf5ae73885e909e7361ae96814371ce1b272e201fbede379bef5dc2813b6a
Instruction Fuzzy Hash: 1CE039706007918AD320AF2AE444346BBE4AB14709F00896FE495D6381EBF8D488CBAA

Function 046B288B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(00000000,pth_unenc,046AF903), ref: 046B289B
WaitForSingleObject.KERNEL32(000000FF), ref: 046B28AE

Strings

pth_unenc, xrefs: 046B288B

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ObjectProcessSingleTerminateWait
String ID: pth_unenc
API String ID: 1872346434-4028850238
Opcode ID: 835d1a86668881cc405226e18745891b0c1569bdd0345f02143955f9d7461521
Instruction ID: 15f56a121943ccfd2f443a7ab8b80d937d91edabc543e64c694ab19030f2b161
Opcode Fuzzy Hash: 835d1a86668881cc405226e18745891b0c1569bdd0345f02143955f9d7461521
Instruction Fuzzy Hash: 35D01274259352AFD7350BA8ED48B843B5AD705325F105381F4F1612F1D72D4C58AB14

Function 046E0CE1 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,046A1D55), ref: 046E0D77
GetLastError.KERNEL32 ref: 046E0D85
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 046E0DE0

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 2d94b54fa8abc0f55acd85230ea8dff1bdccd7ddd5f97dfd0e43e561cd444d4a
Instruction ID: 77afbdc66335aff9b4d04b50441309ec863dbb569e951b1c4bae3b4c5bb555fd
Opcode Fuzzy Hash: 2d94b54fa8abc0f55acd85230ea8dff1bdccd7ddd5f97dfd0e43e561cd444d4a
Instruction Fuzzy Hash: DD410A31A06226AFDF218F66C8447BABBE5EF11310F1541A9E9599B3A0F7B0F942C750

Function 046B1B9A Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014), ref: 046B1BC7
IsBadReadPtr.KERNEL32(?,00000014), ref: 046B1C93
SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 046B1CB5
SetLastError.KERNEL32(0000007E,046B1F2B), ref: 046B1CCC

Memory Dump Source

Source File: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 046A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 2cc03086d7c3c6d7ee7b25f86853158c26ce5f9cd84b88165956a1f6b74462e7
Instruction ID: e42e8b44c7c5c40325f2f7b8ef096027a2bdcce362e848913804c6866a856874
Opcode Fuzzy Hash: 2cc03086d7c3c6d7ee7b25f86853158c26ce5f9cd84b88165956a1f6b74462e7
Instruction Fuzzy Hash: DA419DB1644305AFE7258F19D894BE6B3E4FF45754F00042DEA8A86751FB38F845CB91

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json

C:\Users\user\AppData\Roaming\Key\logs.dat

C:\Users\user\Pictures\TermianlConsole\TerminalIll.exe

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre